With the Privacy Shield, the Umbrella Agreement and the GDPR capturing significant attention, it would be easy to overlook some of the other important developments that have taken place in the data protection sphere. We have rounded up some of the main stories.
Next UK Information Commissioner announced
Pending the formal approval process, Elizabeth Denham (Information and Privacy Commissioner, British Columbia, Canada) is scheduled to take over from Christopher Graham as the UK’s next Information Commissioner. Minister for Data Protection Baroness Neville-Rolfe, has commended Ms. Denham on her proactive approach to enforcing data protection law, and acknowledged her “track record of working with business and other stakeholders”. Ms. Denham’s appointment should take place in June as Mr. Graham’s term of office ends 28 June.
Court of Justice of the European Union to decide whether IP addresses are ‘personal data’
The Court of Justice of the European Union (“CJEU”) is currently hearing arguments on whether IP addresses constitute personal data under Article 2(a) of the European Data Protection Directive. The outcome could have significant ramifications for web advertisers, market researchers, and other online businesses that rely on IP addresses to track internet usage.
Case C-582/14 is being brought against the German Federal Government to challenge its storage of IP addresses of those who access the government website. The case, which was referred to the CJEU by the German Federal Court of Justice, seeks clarification on whether the definition of “Personal Data” should be interpreted to mean that an IP address constitutes personal data if a third party (i.e., an internet service provider) possesses additional data to identify the end user. The argument is that taken together, the time, date and IP address can make it possible to identify the end user. If the CJEU agrees, it could mean internet businesses have to change their business models as they can no longer track internet usage.
The decision could also have wider implications under German law, as it would mean that IP addresses cannot be stored without the users’ consent – as is currently stipulated under the German Telemedia Act. Under section 15(1) of the Act, a service provider may collect and process personal data only to the extent necessary for the “establishment, content or amendment of a contractual relationship” with the recipient. Further, with the final text of the GDPR yet to be finalised, there is scope that this decision could impact the way the IP addresses are interpreted.
First lawsuits filed for non-compliance with Russia’s “right to be forgotten” law
Russia has seen its first filing of lawsuits alleging non-compliance with the “right to be forgotten” law. The lawsuits, which were accepted by a Russian District Court, are against Google Inc. (Case No. 2-338/2016) and Yandex, a Russian search engine (Case No. 2-339/2016).
Russia’s controversial bill was signed by President Putin in July 2015 and came into force 1 January 2016. The law requires search engine operators that disseminate advertisements targeted at consumers in Russia to remove website links to personal information if, for example, the information is inaccurate or was unlawfully released. Financial penalties can be imposed on providers who fail to comply with the requirements; around $1,300 may be fined for the failure to remove links to personal information at the individual’s request, and up to around $13,000 for failure to implement court rulings to remove such links. With Russia’s data protection authority, the Roskomnadzor, also stepping up its data localization audit checks, it is clear that data protection is of increasing concern for businesses operating in Russia.