Since we began our tech law blog over 18 months ago, we have covered a wide variety of topics, ranging from 3D printing and driverless cars to online freedom of expression and the US v Microsoft case. In this week’s post, we take a look back over 4 data protection topics that keep cropping up and examine how they have developed in the past 2 years.
1. Data Retention
Data retention has been a topic on the agenda of many EU Member States since the Digital Rights Ireland case. In this 2014 case, the EU’s highest court declared the EU Data Retention Directive invalid, resulting in uncertainty for the corresponding national laws across the EU. In light of this decision, a number of countries, including the UK, have seen their national data retention laws modified or replaced. More recently, an Opinion from the European Parliament’s Legal Services also shed further light on lessons to be learned from the court’s finding. This Opinion states that Member States should examine their national data retention measures to see whether they comply with the decision of the court, adding that they may repeal existing laws which transposed the terms of the Directive.
Data retention, at national and EU level, looks set to remain an issue for many Member States. The European Commission recently provided clarity on its views on what the Digital Rights Ireland decision means in the context of existing national retention laws. We will consider this in an upcoming post.
2. Access Requests
The right of individuals to access their data is core to Irish and EU data protection law. It is also one of the rights exercised most frequently by individuals. As a result, controllers of personal data need to be aware of their obligations in this area.
In recent years, both Irish and UK courts have clarified certain aspects of the right of access. However, UK and Irish courts have differed in their views. Differences have arisen both around the circumstances in which an individual can make a request and the extent of the data that needs to be provided in response.
Last year, enforced access requests – in other words, requests made at the insistence of an employer or potential employer – were made illegal. The Irish Data Protection Commissioner has recently expressed her determination to clamp down on these requests.
3. Right to be Forgotten
The ‘right to be forgotten’, which arose out of the Google Spain case, still remains one of the biggest buzzwords in data protection. Since this notable decision, the EU’s collective body of national data protection regulators – the Article 29 Working Party – has issued guidance on how it believes the judgment should be applied. Despite being a high profile legal development, the right to be forgotten largely relies on existing data protection rights.
However, one of the lesser known, but still ground-breaking, aspects of the Google Spain decision was the court’s finding that Google Spain’s operations were directly connected with Google, Inc.’s processing of personal data. While Google Spain did not process personal data, it sold advertising in Spain that supported the Google search engine, run by Google, Inc. The court viewed these sales as being made in the context of Google, Inc.’s processing of personal data and consequently sufficient to trigger the application of EU data protection law to Google, Inc. This represents a potential expansion in the reach of EU data protection law. We have since seen the English High Court rely on this ruling to allow a person to bring a case against Google Inc. in England, despite the fact that Google Inc. is based in the US.
4. The New Regulation
The new General Data Protection Regulation (“GDPR”) is still working its way through the legislative process. This regulation will replace the current Data Protection Directive, which has been in place since 1995 and has been implemented separately in each Member State’s own national laws. With the introduction of the GDPR – still potentially 2-3 years away – there will no longer be separate, national laws governing data protection. Instead, the GDPR will govern data protection in all 28 Member States.
While still in draft form, one of the core proposals in the GDPR is the ‘one-stop shop’ mechanism. This approach means that an organisation would primarily coordinate with the regulator in the Member State where it has its main operations, with other national regulators having more limited input. Recent months have seen various stakeholders submitting comments on GDPR proposals, such as ‘one-stop-shop’. In particular, EU data protection regulators have expressed their collective view on certain aspects of the current draft, which is currently being reviewed by EU law-making bodies.
Data protection continues to be a rapidly evolving area, and one that is increasingly important to business. In the past couple of years, we have seen increases in data protection-focused court cases, both at national and EU level, as well as more regulatory enforcement. This continues to be the case.
Both the ‘right to be forgotten’ and the GDPR look set to continue being data protection hot topics. Google have recently encountered further difficulty in front of the French data protection regulator (also known as the CNIL) regarding the extent of the ‘right to be forgotten’. The GDPR is expected to near completion in very late 2015 or 2016, coming into force 2 years after that. However, certain sticking points, such as ‘one stop shop’ and the extent of fines, are still likely to cause further disagreement.