Last year, we identified a number of areas which we thought would dominate 2015 including cybersecurity, surveillance, big data, and the reform of data protection law. Broadly (and slightly smugly) we were right. Many of these will continue to be significant in the year ahead, probably even more so, and developments over the last year have thrown some previously background issues into sharper focus.
EU/US data exports
EU data protection law prohibits the transfer of personal data to countries or territories outside the EEA unless they are considered to provide adequate protection. One of the ways certain US organisations used to be able to demonstrate an adequate level of protection was by signing up to the Safe Harbor principles, a self-certification standard operated by the US Department of Commerce and enforced by the FTC. In October 2015, a shock judgment from the Court of Justice of the European Union effectively ended data transfers under Safe Harbor and, indirectly, cast doubt on other data transfer mechanisms to the USA.
The two fundamental issues the EU has with transferring EU personal data to the US are the lack of judicial redress for EU citizens and the failure of protections afforded to US citizens in respect of their privacy to apply to EU citizens. The fact that there is no mechanism to assess whether access to EU data for intelligence purposes is necessary and proportionate is a major stumbling block.
At the time of writing, the situation is uncertain. Data export mechanisms like Binding Corporate Rules (BCRs) and Model Contract Clauses remain valid, but the German regulators have already said they will not be approving BCRs until there is more clarity around their validity. The UK's ICO has urged organisations not to rush into alternative solutions until more is known about whether a new version of Safe Harbor (popularly known as Safe Harbor 2.0) will be agreed. While the ICO has said he will not be changing his enforcement policies for now, the Article 29 Working Party (comprised of European data protection regulators) has said it will begin active enforcement against unlawful transfers of data after 31 January 2016.
The EC is frantically trying to agree Safe Harbor 2.0 with the USA and is aiming to reach agreement in early 2016. Some hope is held out by the Judicial Redress Bill, currently before the Senate. If adopted, it would extend privacy protections given to US citizens under the Privacy Act 1974 to EU citizens. The EC is also watching other privacy developments in the USA.
Whether or not Safe Harbor 2.0 is agreed, the issue of how to export EU personal data to the US is likely to dominate the first half of the year at the very least.
Surveillance vs privacy
This brings us on to (or sits side by side with) the continuing struggle to find a balance between privacy and security.
Investigatory powers to intercept communications, acquire communications data and interfere with equipment have been dealt with under a patchwork of laws in the UK. These include the Regulation of Investigatory Powers Act (RIPA) and had included the Data Retention Directive until that legislation was declared invalid by the Court of Justice of the European Union in 2014 in the wake of the mass surveillance scandal. Attempts to introduce further powers under the so-called ‘snoopers’ charter’, even before the demise of the Data Retention Directive, failed after Nick Clegg withdrew his support in April 2013. The government introduced stop-gap legislation in the form of the Data Retention and Investigatory Powers Act 2014 (DRIPA) but needs to bring in more permanent legislation before the powers under DRIPA expire, or before the July High Court decision striking down section 1 is enforced (potentially on 31 March 2016, although a CJEU reference is pending).
In November 2015, the government published the draft Investigatory Powers Bill (DIP). This is intended to overhaul RIPA, take the place of ‘stop gap’ provisions introduced following the striking down of the Data Retention Directive by the CJEU, and consolidate the legal framework.
DIP covers interception of communications (i.e. of the contents of communications in the course of transmission); acquisition of communications data (data relating to “who, where, when, how and with whom” of a communication but not of its contents); and equipment interference to obtain data (in other words, hacking).
There has been a mixed reaction to the Bill. A number of politicians (including Labour’s Andy Burnham) have said it is proportionate, particularly as some of the more controversial elements such as a ban on encryption were dropped. Privacy campaigners, much of the media and some politicians are very much against the new proposals and businesses are also concerned about the new requirements.
DIP appears to bypass both the current and any future data protection regime. In addition, the different treatment of UK personal data from non-UK data (including that of other EU citizens) under bulk interception and equipment interference warrants appears to include elements similar to those which led to the striking down of Safe Harbor.
Beyond the privacy implications for individuals, telecoms operators and internet service providers are likely to be most affected from a commercial perspective and the government has committed to helping fund the cost of increased data retention requirements, estimated to be around £175m over the next decade.
It remains to be seen, however, whether the Bill passes and whether it survives more or less in its current form. Its progress through Parliament next year is likely to be difficult given its controversial nature. While many of the powers proposed are not new, the (relatively) greater level of transparency will lead to greater scrutiny, and the controversial new elements, like the requirement for communications providers to retain data on web histories, are also likely to be hotly debated. The recent horrific attacks in Paris, which came shortly after DIP was published, may well serve to strengthen the government's position that the powers provided for in DIP are necessary to keep the country safe.
Cybersecurity
It is hard to overestimate how much we will be hearing about cybersecurity next year. With cyber attacks becoming ever more frequent and increasingly damaging, protection is vital for everyone from individuals, to small businesses, to international groups and to governments who warn that terrorists and criminals have increasing capacity to cause havoc and worse.
The European Commission is expected to publish the final version of the Network Information Security Directive (NISD) imminently. NISD is set to impact a wide range of organisations including e-commerce platforms, social networks, search engines, cloud computing services, app stores and energy suppliers. It will require organisations falling within the definition of "market operators" to take appropriate technical and organisational measures to manage risks posed to the security of networks and information systems, and to report "significant cyber security incidents" to regulators which member states will be required to set up. It has been the definition of "market operators" which has proved the most controversial element of this legislation. While the European Parliament suggested that neither online companies nor government bodies would be required to report cyber incidents, leaked documents suggest that digital platforms will now be covered, but that their obligations will be less onerous than those placed on critical infrastructure and services sectors like transport, finance and energy.
Alongside legislative initiatives, there are countless government and industry initiatives, particularly in finance and banking, to find cybersecurity solutions, to insure against cyberattack, and to prepare breach response plans. The government recently announced it would double investment in cybersecurity to £1.9bn over the next five years. This, of course, represents an opportunity for solution providers, and we are likely to see an increasingly crowded marketplace in this space.
EU data protection law reform
We know we've been talking for years now about the new EC General Data Protection Regulation (GDPR), which is intended to overhaul and consolidate European data protection law, but 2016 really does look like the year it will be agreed. There will be a two year implementation period during which organisations will certainly need to get on top of the new requirements.
We expect issues arising from the new Regulation to focus on the cost of compliance (and of non-compliance), increased administrative requirements, data exports and breach reporting requirements. Of particular interest will be the position on the 'one stop shop'. Original proposals suggested there would be a single regulator responsible for each organisation based on where it had its main establishment, even where it was established in multiple Member States, but this concept has proved controversial and has evolved during the negotiations of the GDPR. Recent CJEU decisions in Google Spain and Weltimmo have very much moved away from the concept of a single regulator, so this will certainly be a key area of focus next year. For more on the GDPR, visit our Global Data Hub.
Big Data
The scramble to harness the power of Big Data in the public and private sector will continue in 2016, as will the tension with privacy. The government published a report on how to utilise Big Data in government, particularly in relation to fraud and tax evasion, and has continued to work on its Open Data project, with the Treasury publishing a consultation on data sharing and open data in the banking sector in February. The European Data Protection Supervisor has just published an Opinion on Big Data and the FCA is also looking closely at this area. Surveys have shown very different attitudes across countries to sharing data, in particular whether people would be incentivised to 'sell' their data or would pay to protect it. Opinion is divided on whether the benefits of Big Data outweigh the potential compromises on privacy, but that is not putting off the businesses which stand to gain by exploiting its potential.
Freedom of information
In July 2015, the government launched a cross-party review of the Freedom of Information Act 2000 (FOIA). On seeing the composition of the Independent Commission on Freedom of Information, the media complained of a "stitch up" and are hugely concerned that rights under the FOIA will be curtailed. The Commission published a call for evidence, which closed at the end of November 2015, focused on the balance struck by the FOIA between the need for transparency and the protection of sensitive information. In response, the ICO has broadly said that, at least as far as his own areas of competence go, no change is necessary. We will be hearing a lot more about this in 2016.
Brexit and the Human Rights Act
At this point we should probably raise the spectre of Brexit although this is more likely to feature as a threat or opportunity (depending on your point of view) in 2017. 2016 may also see the end of the Human Rights Act which has had a huge bearing on privacy and data protection law in the UK.
As technology develops, issues around data protection and cybersecurity will continue to be important across a wide range of sectors and not just in the tech space. Crucially, most of the major legislation governing data protection and cybersecurity both at a national and an EU level is either in the process of being revised or is being reviewed and this will almost certainly inform the debate next year.