There were some important developments in the privacy, technology and intellectual property sectors in 2016. The introduction of a new way to transfer data between the EU and the US, known as the ‘Privacy Shield’, now fills the void created by the invalidation of the previous ‘Safe Harbor’ regime. In a similar vein, preparation for the adoption of the new European General Data Protection Regulation is on-going and affecting thousands of businesses. Brexit will force many UK and Irish businesses to re-examine their IT and commercial contracts. 2016 also saw new laws and court rulings from Europe impacting the areas of e-signatures, the digital economy and the resale of software.
Key topics in 2016 include:
In July 2016, the European Commission adopted the replacement for the EU-US Safe Harbor scheme, the so-called ‘Privacy Shield’. This is the new, EU-approved mechanism for the transfer of personal data between the EU and the US. The Shield framework seeks to protect the fundamental rights of individuals whose data is transferred to the US and to provide legal certainty for businesses. While businesses can self-certify with the US Department of Commerce, the Shield imposes greater obligations on them and provides for stronger monitoring of and enforcement against participating companies by US authorities. In addition, EU concerns over US surveillance have been addressed through commitments and written assurances made by US authorities and by reforms in US surveillance laws.
General Data Protection Regulation
The European General Data Protection Regulation (GDPR) will replace the current EU Data Protection Directive in May 2018. The GDPR will comprehensively regulate data protection throughout the EU, with the exception of data processed for law enforcement purposes. It builds upon familiar concepts and rules in the existing EU Data Protection Directive, but in many ways it goes further, having a wider scope, raising standards and increasing sanctions. As the GDPR will capture both data and companies that previously fell outside the realm of EU data protection regulation, and impose extremely high potential fines, many businesses have spent 2016 busily preparing for the introduction of the GDPR and making their internal processes compliant.
In July 2016, a new EU Regulation establishing electronic identification and trust services for electronic transactions kicked in. This Regulation, known as eIDAS, repealed the existing EU Directive for electronic signatures that had been in force in Ireland since 2000 through the Electronic Commerce Act. The new Regulation directly applies across all EU Member States and does not require national law to implement it. It aims to provide a harmonised regulatory environment and encourage user convenience, trust, and confidence in digital transactions and interactions.
The United Kingdom’s vote in June 2016 to leave the European Union dominated news headlines for much of the year. The UK and remaining Member States of the EU will soon commence a series of complex negotiations to determine the terms of the UK’s formal withdrawal. While the exact nature of the UK’s future relationship with Europe remains uncertain, businesses need to develop a legal strategy to manage the inevitable disruption resulting from the UK’s intention to trigger Article 50 and leave the EU. For example, Brexit will affect three key provisions in most IT and commercial contracts: termination, governing law and data protection.
There was an important European case in 2016 in the context of software. The CJEU was asked to determine whether a resale of used copies of computer programmes was lawful. The defendants in the case argued that the principle of exhaustion of the distribution right permitted them to re-sell a copy of a program on a non-original material medium, such as a floppy disk. The CJEU confirmed that the lawful initial acquirer of a copy of software, accompanied by an unlimited user licence, can resell that copy and his licence to a new licensee. However, this does not apply if the original material medium of the copy which was initially delivered to him has been damaged, destroyed or lost. In other words, the initial acquirer cannot provide his backup copy of that program to a new licensee without the permission of the original rights holder.
What’s on the horizon for 2017?
2017 is set to be another big year for technology, data protection and intellectual property law. The EU will continue to implement its Digital Single Market Strategy and proposals banning geo-blocking of content will be in the legislative pipeline. We are also likely to see organisations continue preparing for the implementation of the European General Data Protection Regulation and seeking professional guidance on GDPR compliance. Given the increasing interest around the Internet of Things, and in particular the privacy and security challenges inherent in IoT devices, we expect it will be a busy year for EU data protection authorities seeking to balance the interests and rights of businesses and consumers.