The UK government has issued the outlines of a new Data Protection Bill. It will be a substantial piece of work because it will replicate the General Data Protection Regulation (GDPR). The GDPR is EU law and is directly effective in all Member States, including the UK, from 25th May 2018. The UK Brexit plan requires “replication” rather than “supplementation” because the UK has no intention of cutting itself free of EU “red tape” when that red tape takes the form of the GDPR.
The UK Brexit plan also, it seems, has set the UK on a race to implement its new Data Protection Bill on or before the coming into force of the GDPR. So, it will introduce the Bill to parliament in September next, where there is only the narrowest of time slots in which to pass it.
We now know, from the UK Information Commissioner (ICO), that she intends to levy fines equivalent to those provided for in the GDPR, on persons, organisations and companies that breach the new Data Protection law.
Any miscreant Irish company doing business in the UK will be exposed to those fines if the ICO applies the UK Data Protection law rather than the GDPR. That will be a major problem for cross-border firms doing business with Northern Ireland. Whatever about any [mistaken] assumption such firms may harbour that the Irish Data Protection Commissioner will not apply high fines for GDPR breaches, they can readily believe that the ICO will apply those fines.
What are the limits to the fines? There are two categories of fines:
A. Fines up to €10 million or 2% of annual global turnover;
B. Fines up to €20 million or 4% of annual global turnover.
Consider the recent Swedish data breach involving the Swedish Transport Agency and a branch (?) of IBM. On the available information, each of them would have faced a fine from category B had the breach occurred after 25th May 2018.