Today’s date marks Data Protection Day 2016 – a day aimed at raising awareness and promoting best practices for privacy and data protection. At the beginning of this month, we looked at some high level developments expected over the coming year: new EU laws; new EU case law; and a potential for a new transatlantic data transfer agreement. Along with these developments, there are many more items likely to be high on the data protection agenda for 2016:
1. A continuing emphasis on human rights
Judgments by the CJEU – the EU’s most senior court – have continued to focus on human rights, particularly in cases relating to data protection issues. This was seen, for example, in perhaps the most ground-breaking data protection case since Google Spain, the Safe Harbor case of Schrems. This trend towards a human rights-style judgment, which was similarly evident in Google Spain, is likely to continue as a feature of CJEU judgments on data protection and privacy-related issues.
We have also seen an increase in the prominence of privacy-related decisions of the European Court of Human Rights (“ECtHR”). While the privacy decisions of the ECtHR do not generally carry the same weight as CJEU decisions, there may still be a persuasive impact over the longer term. Most recently, the case of Barbulsecu saw the issue of employee monitoring and privacy in the workplace come under the microscope. Despite the more limited impact of the ECtHR’s judgments, Barculsecu generated headlines across Europe.
2. Cross-border challenges
Over the past 18 months, we have posted updates on the Microsoft case, which relates to a request by the US government for email content based in Dublin. This on-going saga has seen numerous technology companies, together with the Irish government, filing papers with the US courts. The case remains in front of the US Court of Appeals, with its judgment eagerly awaited early this year. The judgment in this case is likely to be one of the most significant of the coming year. Whatever the result, we may yet see an appeal to the US Supreme Court, although grounds for such an appeal are often narrow.
The most notable data protection case of 2015 was undoubtedly that of Schrems. In the wake of the CJEU’s invalidation of Safe Harbor, both EU regulators and the European Commissionmoved to offer guidance and clarification. With the compliance deadline of 31 January 2016 looming, EU regulators are preparing to meet on 2 February. The outcome of this meeting is likely to indicate their longer term approach towards investigation and enforcement in the context of EU-US data transfers. In any event, EU and US authorities are continuing efforts to finalise a new transatlantic data transfer agreement, which, if agreed, is likely to feature prominently in 2016.
3. Emerging Technologies
2016 promises to be another year of emerging technologies, both in terms of hardware and software. In the past 6 months, various Irish and European bodies have published papers and developed guidance on drones, including the Irish Data Protection Commissioner, the European Parliament and the Article 29 Working Party (“WP29”). With their increasing popularity, we are likely to see further focus on the privacy and data protection aspects of drones over the next 12 months.
The ‘Internet of Things’ – the global network of smart devices – also continues to grow. This poses new and interesting challenges across various areas, including data protection. We expect to see EU regulators publish further opinions on these new and emerging technologies, particularly in the context of privacy and data protection.
4. Data Retention
Since the CJEU’s 2014 judgment in Digital Rights Ireland, which found the Data Retention Directive invalid, EU Member States have been grappling with the absence of data retention rules at EU level. Although some guidance was published at EU level, including word from the European Commission, many Member States, such as the UK, experienced challenges to retention laws at local level. Questions from the UK case have since been referred to the CJEU and may yet be joined by a parallel reference from the Swedish courts in the case of Tele2 Sverige. In Ireland, the case of Digital Rights Ireland has been referred back to the High Court and further progress is awaited. Given these moves at both Irish and EU level, we are likely to soon have further clarity on the extent and legality of data retention obligations.