It’s Data Protection Day 2019.
What a year it’s been for the privacy community.
2018 began with companies completing compliance preparation or ramping up, ahead of the GDPR coming in on 25 May.
Turning to the Irish DPC’s report for the early part of 2018 – and data subject access requests still make up a large proportion of issues on the desk for the Irish regulator (45% of all complaints). It also received 1,200 valid breach notifications during the same period.
There were modest fines across Europe for GDPR breaches and then just one week ago we saw the record GDPR fine imposed on Google for €50m. While the fine itself has caught the headlines, there were many other interesting issues raised in the judgement including what constitutes valid consent, the issue of transparency and information notices, and the one-stop shop mechanism. For an analysis of this case and the key learnings, see our recent post here.
On the same day as the Google fine was handed down, the Irish Supreme court began its hearing of the appeal by Facebook on the case concerning data transfers and standard contractual clauses. The hearing lasted two and a half days and judgment from the Chief Justice Frank Clarke is awaited.
Details emerged last week on a right to be forgotten case taken in the Netherlands where a Dutch surgeon successfully brought an application requiring Google to have search results about her taken down.
And of course Brexit! As we hurtle towards 29 March, we are still without a deal. If no deal can be found, this will affect trade involving personal data and international data transfers with the UK. We don’t believe an adequacy decision ahead of Brexit day will occur, leaving businesses to look for alternative solutions such as SCCs. The Irish government has just published the draft heads of the Brexit ‘No Deal’ Omnibus Bill. The Bill looks to address solutions for a myriad of Brexit related issues including for data protection issues arising from Brexit in the areas of immigration, healthcare and travel.
Our post on the status of UK-Ireland data transfers in the event of a ‘no-deal’ brexit can be read here.
For 2019, we would expect to see more fines and complaints being made under the GDPR. If the build up to 25 May 2018 was the time for businesses to get their house in order, 2019 onwards is likely to tell us just how well they did, with regulatory audits and inspections set to continue.
The Irish DPC will run a consultation process on data protection safeguards applicable to children under the GDPR and we will hopefully see guidance on the area of contractual necessity as a legal basis for data processing in online services.
At a European level, The EDPB will present new guidance and potentially on the area of codes of conduct as provided for under the GDPR. Finally, we will hopefully see sensible solutions in the face of Brexit and the transfer landscape more generally.