In 2014, we saw some major decisions taken by the Court of Justice of the European Union (“CJEU”) which have had a fundamental effect on data protection issues in Europe.
- In May, the CJEU ruled on what become known as the “right to be forgotten” in the much publicised Google Spain case [Insert Hyperlink]. The decision was seen by many as a simple confirmation of rights that already exist for individuals under the current Data Protection Directive, i.e. to keep data accurate and up to date. It has been suggested that this case pre-empted “the right of erasure” (formerly know as the “right be forgotten”) that is due to form part of the proposed EU Data Protection Regulation. The judgment also determined that search engines were data controllers of personal data that appears in search returns, rather than data processors.
- In April, the CJEU found the EU Data Retention Directive to be invalid. The Directive requires communication service providers to retain a wide range of communications data, for a period of between 6 and 24 months, with the retained data to remain available for the purposes of the investigation, detection and prosecution of serious crime. The decision to declare the Directive invalid came following a referral by the Irish High Court to the CJEU on the matters arising from a dispute between the Irish entity Digital Rights Ireland and the Irish Government.
- A judicial review was sought by Mr Max Schrems of the Irish Data Protection Commissioner’s (“DPC”) decision not to investigate certain complaints made by Mr Schrems against Facebook, particularly in relation to the security of personal information transferred to the US. The Irish High Court referred the question of whether or not the DPC was bound by a European Commission’s decision that US data protection rules on Safe Harbor were adequate. The CJEU ruling is expected in 2015 and will certainly add fuel to the debate which has been ongoing at European level as to the adequacy of the Safe Harbor regime. For those companies that transfer data to and from the US under the Safe Harbor regime, this mechanism is of crucial importance and accordingly this case will be closely watched by industry.
An increased willingness on the part of the Irish High Court to refer complex data protection related issues to the European courts for direction is evident. Furthermore, these decisions of the CJEU are giving us an indication of the future direction of data protection policy at European level.