New data protection fee exemptions considered in UK

The UK government has opened a consultation on exemptions to paying a data protection fee, giving businesses the opportunity to lobby for new exemptions to be introduced.

Businesses that are responsible for processing personal data (i.e. controllers) are required to pay a data protection fee to the Information Commissioner’s Office (ICO). These fees are: £40 for micro organisations; £60 for small and medium organisations (SMEs); and £2,900 for larger organisations. These fees apply unless the controller is legally exempt.

The government has launched a consultation on whether the list of exemptions should be expanded. As the government is required under the General Data Protection Regulation (GDPR) to ensure the ICO receives an adequate level of funding, it says that it will take into account of the impact of any changes on the ICO’s resources.

Current exemptions

The Data Protection (Charges and Information) Regulations 2018 (the Regulations) require controllers who are processing personal information to pay a charge to the ICO, unless they are exempt. More than 500,000 organisations are currently registered. The Schedule to the Data Protection (Charges and Information) Regulations 2018 provides a number of exemptions for individuals and organisations from paying charges to the Information Commissioner in relation to one or more of the following:

(i) business purposes:

  • Staff administration (including payroll)
  • Advertising, marketing and public relations (in connection with their own business activity)
  • Accounts and records (except in relation to processing of personal data by or obtained from a credit reference agency)

(ii) Other exemptions – processing for the purposes of:

  • Judicial functions
  • Personal, family or household affairs (including recreational purposes)
  • Some not-for-profit organisations
  • Controllers processing personal data only for maintaining a public register (such as the Electoral Roll)
  • Controllers that do not process personal data by automated means, or with the intention that the data will be processed by automated means

(iii) Exemptions granting a reduction in fees (tier 1 fee £40):

  • Small occupational pension schemes
  • Charities


The Department for Digital, Culture, Media and Sport has now asked businesses whether the list of exemptions should be expanded and which exemptions are considered to be appropriate and should be retained and those that aren’t. The deadline for providing responses to the consultation is 1 August 2018.


It will be interesting to see what responses are triggered by this consultation, and what changes will be made as a result. Of course, there is merit in reviewing the exemptions to ensure that they are still current and appropriately apply to businesses that should benefit from them. We will be watching with a close eye.

EU’s GDPR applied to promotion marketing

The European Union’s General Data Protection Regulation (GDPR) is underway, and companies and organizations around the world are analyzing its effects on how they collect, use, store and disclose data. U.S.-based sponsors of sweepstakes, contests, instant win games and other promotions opening entry to or targeting Europeans need to be mindful of the GDPR rules since they are processing personal data by collecting the entries’ contact information, sending marketing communications and contacting the winners. To learn more on how U.S. marketers can address this legal development, click here.

Digital token ruled a security under the Howey Test, for now

With the plaintiffs’ bar setting its sights on initial coin offerings, a body of precedent will soon develop analyzing digital tokens under U.S. securities laws. Last week, United States Magistrate Judge Andrea M. Simonton began developing that body of law in Rensel v. Centra Tech, Inc., No. 17-CV-24500, 2018 BL 227097 (S.D. Fla. June 25, 2018). Although Judge Simonton’s opinion does not tackle many of crypto’s most-pressing questions, it serves as a guidepost for future actors in an industry desperate for clarity. To read more, click here.

European Data Protection Board replaces Article 29 Working Party

On 25 May 2018 the European Data Protection Board (EDPB) formally replaced the Article 29 Working Party as the European advisory committee on data protection issues. In addition to taking over Article 29 Working Party’s responsibilities in issuing guidelines, recommendations and statements of best practice, the EDPB, which operates as an independent body of the European Union with its own separate legal personality, also takes on a far broader set of responsibilities:

  • examining – on its own initiative or on the request of one of its members or the European Commission (Commission) – any question covering the application of the GDPR;
  • advising the Commission on any issue related to data protection in the EU, including on any proposed amendment of the General Data Protection Regulation (GDPR) and any EU legislative proposal;
  • advising the Commission on the format and procedures for the exchange of information in the framework of the Binding Corporate Rules;
  • providing the Commission with an opinion on the assessment of the adequacy of the level of protection in a third country;
  • providing opinions on draft decisions of the supervisory authorities; and
  • issuing binding decisions in certain instances, mostly about dispute resolution among supervisory authorities.

In its first plenary meeting, which took place on 25 May 2018, the EDPB agreed the final version of Guidelines 2/2018 on the derogations under Article 49 GDPR in the context of international data transfers (Article 49 Guidelines), as well as a set of draft Guidelines 1/2018 on certification in accordance with Articles 42 and 43 GDPR (Certification Guidelines).

Continue Reading

Ireland: New guidelines on restrictions on data subject rights

Article 23 of the General Data Protection Regulation (GDPR) allows EU Member States to restrict the scope of data subjects’ GDPR rights and organisations’ GDPR obligations.

The Irish data protection authority, the Data Protection Commission (DPC), released guidelines (Guidelines) on GDPR Article 23 on 19 June 2018. The Irish Data Protection Act 2018 (the Act) was recently passed by the Irish parliament. The Act fills in the details of the derogations left to EU Member States under GDPR.

The Guidelines’ purpose is to provide advice for the Irish government when drafting regulations that restrict data subjects’ rights and organisations’ obligations.

GDPR Article 23

Any proposed restriction requires a detailed analysis of the following conditions to justify why it is required and how it will apply. Restrictions must:

Continue Reading

EU reaches agreement on rules allowing free flow of non-personal data

You may well remember our blog from last year which outlined the Commission’s proposal for a framework in relation to the free flow of non-personal data in September 2017 (you can view our blog here).

On 19 June 2018, the European Parliament, Council and the European Commission reached a political agreement on the rules that will allow data to be stored and processed everywhere in the EU, without unjustified restrictions.

In addition to supporting the creation of a competitive data economy within the Digital Single Market, these new rules will remove barriers which hinder the free flow of data. Predictions suggest that this could boost Europe’s economy by an estimated growth of up to 4 per cent GDP by 2020. You can find more information on the European Commission’s website.

Key objectives

The new rules on the free flow of non-personal data will:

  • Ensure the free flow of data across borders: this will prohibit data localisation restrictions permitting organisations to be able to store data anywhere in the EU. Also, requiring Member States to communicate to the Commission any remaining or planned data localisation restrictions in “limited specific situations of public sector data processing”.
  • Ensure data availability for regulatory control: allowing public authorities to access data – for scrutiny and supervisory control – despite where it is stored and/or processed in the EU. Also, Member States may sanction users that do not provide access to data stored in another Member State.
  • Encourage creation of codes of conduct for cloud services: to facilitate switching between cloud service providers under clear deadlines. The Commission states that this “will make the market for cloud services more flexible and the data services in the EU more affordable”.

Continue Reading

UK Government publishes technical note on data protection

On 7 June 2018, the UK government published a technical note detailing options for future UK-EU cooperation on data protection, post-Brexit. The technical note is part of a series of papers produced by the UK Brexit negotiation team for discussion with the EU, in order to assist with the development of future EU-UK relations.

The UK government suggests that a new data protection agreement should be executed between the UK and the EU. The agreement would build on the current concept of the “adequacy” of data-sharing laws between the EU and UK after Brexit and enable the Information Commissioner’s Office (ICO) to continue to play an important role in the EU’s data protection decisions. A failure to maintain the flow of information between the UK and the EU is one of many concerns facing multinational companies as the UK prepares to leave the EU.

This blog will look at the key themes put forward in the technical note.

Continue Reading

Supreme Court strikes physical presence requirement for sales tax, with big ramifications for the Internet economy

Reversing a 1992 precedent in Quill v. North Dakota, on June 21, 2018, the U.S. Supreme Court issued a decision in South Dakota v. Wayfair, Inc., holding that physical presence in a state is not necessary to require a remote seller to collect sales tax.  In many respects this decision sets the stage for states to now require the collection of sales tax on e-commerce transactions facilitated by out-of-state sellers, but by striking the physical presence requirement, there is an open question on what constitutes a sufficient nexus for a state to impose a sales tax collection requirement.

Reed Smith has issued a Client Alert analyzing the Wayfair decision, soon to be followed by a webinar diving deeper into open questions following the decision and its implications.


How big is the risk to operate Facebook fan pages in Germany?

On 5 June 2018, the Court of Justice of the European Union (CJEU) handed down its long-awaited Facebook fan page judgement (Case C-210/16), holding that the operator of a fan page on Facebook is jointly responsible with Facebook for processing the data of visitors to the page. Only a day later, the Conference of German Data Protection Authorities (German DPAs) released a statement, titled ‘Time is up for not being responsible’ (Statement, available in German here), arguing that organisations do not meet data protection standards when operating a fan page on Facebook. Marketers in Germany and Europe are now uncertain whether they should take down their Facebook fan pages and any other social media presence. In this blog, we provide you with a first interpretation and a ‘first aid kit’.


Wirtschaftsakademie Schleswig-Holstein GmbH (Wirtschaftsakademie) operates a Facebook fan page and was ordered by the Schleswig-Holstein Data Protection Authority to deactivate the fan page. Neither Facebook Ireland Ltd nor Wirtschaftsakademie had been informing visitors of the functioning of cookies and subsequent processing of their data. Wirtschaftsakademie took this case to court, arguing essentially that it was not responsible for the processing of data by Facebook or cookies installed by Facebook.

CJEU decision

The CJEU ruled that the operator of a fan page hosted on a social network must be considered a ‘data controller’.

The court began by noting that the concept of controller must be defined broadly as an entity that alone or jointly with others determines the purposes and means of the processing of personal data. It observed that, for the European Union, Facebook Ireland must be regarded as controller responsible for the processing of personal data of Facebook users and persons visiting the fan pages hosted on Facebook.

Next, the CJEU stated that the operator of a fan page hosted on Facebook is also a (co-) controller. The operator contributes to the processing of the visitors’ personal data by defining parameters in the creation of the fan page. In particular, the operator can request the processing of demographic data relating to its target audience (for example, age, sex, information on lifestyle and interests) and geographical data that allow the operator to target best the information it offers.

The case has now been referred back to the German Federal Administrative Court, which will decide whether the specific use of Facebook fan pages by Wirtschaftsakademie was compliant.

Continue Reading

Data Protection Act 2018 comes into force

On 23 May 2018, the Data Protection Act 2018 (DPA) received royal assent and became UK law. The DPA implements the EU’s General Data Protection Regulation (GDPR), while providing for certain permitted derogations, additions and UK-specific provisions.

The DPA:

  • Repeals and replaces the previous Data Protection Act 1998 (the 1998 Act) as the primary piece of data protection legislation in the UK
  • Is designed to ensure that UK and EU data protection regimes are aligned post-Brexit
  • Implements the EU Law Enforcement Directive, establishing rules on the processing of personal data by law enforcement agencies and intelligence services

This blog looks at key issues of interest in the DPA relating to liability, compliance and enforcement.

DPA offences

Under the GDPR, EU Member States have the freedom to apply certain exemptions or provide for their own national rules regarding certain types of personal data processing. The DPA creates additional data protection offences and provides additional information about the Information Commissioner’s Office’s (ICO) powers and enforcement abilities.

UK-specific data protection offences include:

  • Knowingly or recklessly obtaining or disclosing personal data without the consent of the data controller, or procuring such disclosure, or retaining data obtained without consent.
  • Selling, or offering to sell, personal data knowingly or recklessly obtained or disclosed.
  • Where an access or data portability request has been received, obstructing the provision of information that an individual would be entitled to receive.
  • Taking steps, knowingly or recklessly, to re-identify information that has been “de-identified” (although this action can be defended when it is justified in the public interest).
  • Knowingly or recklessly processing personal data that has been re-identified (which is a separate offence), without the consent of the controller responsible for the de-identification.

Continue Reading