Skip to main content
Press Release

GDPR, Safe Harbor and Privacy Shield: Phil Lee on the groundbreaking changes in data legislation



United Kingdom, United States

Privacy, Security & Information partner outlines concerns with the two big developments in data privacy law.

It was announced last week that the General Data Protection Regulation (GDPR) will enter into force on 25 May this year, with a two year implementation period meaning the regulation will become applicable as of 25 May 2018. As Phil Lee, partner in Fieldfisher's Privacy and Information Group, told The Guardian, this law is "absolutely" ground-breaking: "Europe has created the notions of a 'right to be forgotten' and of 'data portability', and created fines for data reaches that are on a scale equivalent to fines for antitrust violations. No other region has done that before."

Phil has been a regular commentator in the national media on the two big developments of recent months in data privacy regulation. On the new EU-US 'Privacy Shield' - designed to replace the Safe Harbour agreement - Phil told the BBC at the time of the deal being struck in early February that it "was almost certain to be challenged by civil liberties groups" - before adding, when the Article 29 Working Party gave its opinion on the pact in April, that the continuing uncertainty affecting international data transfers was causing "transatlantic chaos." Chaos which will, he told City AM, "leave countless US businesses...scratching their heads in wonder as to how they can continue to service their EU customers lawfully."

As time has gone on and the various corners of the media have assessed GDPR, Phil has been asked for his views numerous times - telling the Financial Times that the big social networks will have a tough job on their hands when attempting to comply with the regulation's rules on gaining verifiable parental consent for younger users of their sites: "It has the potential to be a is very, very difficult to do", he said, questioning the legislative requirement (in the GDPR) for companies to take 'reasonable efforts' to verify that teenagers under 16 have parental permission.

Sign up to our email digest

Click to subscribe or manage your email preferences.