With the year drawing to a close, it seems an opportune time to take stock of some of the key globally relevant data protection developments in 2015 and extract a few trends which are set to continue in 2016.
1. SAFE HARBOR – CROSS-BORDER DATA TRANSFERS TOP THE REGULATOR PRIORITY LIST
The Schrems decision of the European Court of Justice invalidating the European Commission’s 2000 Safe Harbor adequacy decision must be the 2015 event that shook up the privacy world the most. Not only did the decision eradicate the legal basis for the majority of data transfers from the EU to the U.S. Rather, the judgment has implications way beyond the EU and the U.S. and has created immense uncertainty as regards the validity of cross-border data transfers mechanisms in general. 31 January 2016 is the date by which we can expect much-needed clarifications from EU regulators regarding the validity of existing transfer tools such Binding Corporate Rules and Model Clauses. On the flipside, as of that date (at least some) national regulators in the EU are likely to step up enforcement of cross-border transfer requirements. No doubt, cross-border data transfers will be a top priority for regulators in 2016. We will continue to cover all major events in our special Safe Harbor Magazine.
2. GENERAL DATA PROTECTION REGULATION (“GDPR”) – A NEW GOLD STANDARD FOR PRIVACY
The agreement of the final compromise text of the GDPR on 15 December is probably the most eagerly anticipated privacy development this year. With this major hurdle taken, the GDPR is now very likely to come into force in early 2018. It will create one set of data protection rules for the whole of the EU and – with its wide extraterritorial scope – will also apply to various data processing activities of businesses not established in the EU to the extent they target EU data subjects. While two years might seem like a long time, businesses would be wise to start preparing for the new European privacy requirements sooner rather than later. If you missed them, here you can find our initial analysis of the GDPR text and our game plan for your organisation. As of January, we will start sharing with you in our GDPR Magazine and our webinar series more detailed analysis of the GDPR requirements as well as practical step-by-step guidance to assist businesses becoming GDPR compliant.
3. WELTIMMO – WIDE TERRITORIAL SCOPE OF DATA PROTECTION LAWS
Maybe less prominent but nonetheless significant is the European Court of Justice’s Weltimmo judgment handed down on 1 October (analysed here). This ruling will particularly affect all those businesses that operate across multiple EU Member States without having formal undertakings in those countries (i.e., online businesses). Essentially, the Court set the bar for the applicability of national Member State law very low. Businesses that target different national markets within the EU without being formally registered or otherwise established in those markets are at risk of having to comply with the national data protection laws of each such Member State. The ruling casts some serious doubt on the frequently implemented country-of-origin principle and requires multinationals operating across multiple EU countries to rethink their EU data protection strategy.
4. DATA RETENTION LEGISLATION – THE SEEMINGLY INSOLVABLE CONFLICT BETWEEN DATA PRIVACY AND NATIONAL SECURITY
Data retention laws are currently repealed, enacted and controversially debated around the globe. They require telecommunications providers to retain certain communications data (i.e., traffic, location and subscriber data) for certain periods of time and making that data available to law enforcement and security agencies upon request. While advocates of those laws argue that they are necessary for purposes of investigation, detection and prosecution of serious crime, opponents see them as disproportionately restricting the fundamental right to privacy. This conflict between privacy and national security seems somewhat unsolvable and is so much more than a legal issue. In Europe, we can expect in 2016 another important ruling from the European Court of Justice on the compatibility of data retention laws with the right to privacy (as reported here). While the judgment will not solve the dilemma at a political level nor provide all the answers, it will hopefully provide some measure for assessing the validity of national data retention laws.
WHERE DOES THIS LEAVE US FOR 2016?
These are just a few examples of globally significant privacy developments and trends. There is so much more, such as the increase in countries implementing mandatory data breach reporting obligations, accountability becoming a legal obligation in more and more jurisdictions, greater powers of, and cooperation amongst, privacy regulators, and the list could go on. These trends are set to continue in 2016. Businesses will need to respond. Privacy needs to be seen as a critical compliance issue which requires global rather than local solutions. Solutions need to be well planned and thought-through.