2015 was certainly an eventful year in privacy and data protection law. While we cannot predict what the next 12 months will bring, indications are that developments in 2016 will continue to keep organisations and privacy professionals busy. In the year ahead, there are at least three important items to look out for: new laws, a new data export mechanism and new case law.
- Adapting to a new EU legislative regime
In late December, after years of development and extensive negotiations, a suite of new EU data protection laws was agreed. There are three significant new pieces of law. These are due to be formally adopted early in 2016. Organisations that deal with EU personal data will have two years from formal adoption to consider how to adapt to the new landscape and meet any new compliance challenges.
- The General Data Protection Regulation
While the December 2015 deadline was seen as ambitious, the EU negotiators successfully agreed the text of the new General Data Protection Regulation (the “GDPR”) in time to meet it. The GDPR is a comprehensive redrafting of EU Data Protection law. Although built upon its precursor (the current Data Protection Directive), the GDPR has been updated and modernised to reflect the changing needs and priorities in protecting privacy in an increasingly data-driven world. Some of the notable changes from the Data Protection Directive include significant new penalties (with fines up to the higher of €20 million or 4% of total annual worldwide turnover), a strengthened notion of consent, the development of a ‘one stop shop’ mechanism for the jurisdiction of EU regulators and increased compliance and accountability requirements on data controllers. As the GDPR is a regulation, rather than a directive, Member States will not be required to implement it in local law. This means that the GDPR will apply to all EU Member States from when it comes into force.
- The Network Information Security Directive
Previously known as the Cybersecurity Directive, the Network Information Security Directive (the “NIS Directive”) aims to prevent – and minimise the impact of – interruptions to essential services. Operators of such services (which extend to energy, transport, banking, financial market infrastructures, health, water and digital infrastructure providers) will be affected by the NIS Directive. Such operators will face new network and information security requirements and notification obligations. Digital service providers (online marketplaces, cloud computing services and search engines) will face new notification requirements in relation to security breaches.
- The Law Enforcement Directive
Sitting alongside the GDPR is the Law Enforcement Directive. Matters of processing of personal data by law enforcement authorities in relation to criminal offences and penalties are excluded from the GDPR and dealt with separately, allowing more discretion to national European regimes in their implementation.
- Reaching towards a new Safe Harbor Agreement
After the invalidation of Safe Harbor, many organisations moved to introduce new legitimising measures to facilitate the transfer of personal data from the EU to the United States. At the same time, EU and US officials accelerated negotiations for a replacement agreement. The Article 29 Working Party, the collective group of EU data protection regulators, has created a push for agreement by indicating that enforcement will not begin until the end of January 2016. The responsible EU Commissioner, Věra Jourová, has said she is confident that this is possible, though it is seen as challenging.
- Expecting new EU case law
The EU’s highest court, the Court of Justice of the European Union (the “CJEU”), will no doubt be kept busy with a number of pending cases relating to data protection law.
We may expect a case clarifying the EU approach to national data retention laws. After the invalidation of the Data Retention Directive in 2014 in Digital Rights Ireland, there has been uncertainty relating to such laws. A reference by the Swedish Courts (Case C-203/15 Tele2 Sverige AB) is awaiting judgment by the CJEU, and there have been efforts to join to that case a referral by the English Court of Appeal in relation to the status of the controversial Data Retention and Investigatory Powers Act 2014.
The Austrian courts have referred another interesting question to the CJEU in Verein für Konsumenteninformation (C-191/15) on the interaction of consumer law and data protection law. The question relates to the situation where an online trader targets consumers in a different Member State from the State in which the trader is established (e.g. a German-based seller targeting consumers in France). The CJEU has been asked whether a term specifying that the data protection law of the State of the trader (German law) applies to the treatment of the (French) consumers’ data is an unfair term.
- The year ahead
Whether the year unfolds as expected, or surprises await us, the events of 2015 have demonstrated the undeniable significance that data protection and privacy issues have taken on. With this in mind, organisations, in particular, should keep up to date with the latest news in privacy and data protection.