Data Privacy & Security

End-of-Year Review

With the year drawing to a close, it seems an opportune time to take stock of some of the key globally relevant data protection developments in 2015 and extract a few trends which are set to continue in 2016.

1. Safe Harbor – Cross-border Data Transfers Top The Regulator Priority List

The Schrems decision of the European Court of Justice invalidating the European Commission’s 2000 Safe Harbor adequacy decision must be the 2015 event that shook up the privacy world the most. The decision not only eradicated the legal basis for the majority of data transfers from the EU to the U.S.; it also has implications way beyond the EU and the U.S. and has created immense uncertainty as regards the validity of cross-border data transfer mechanisms in general. 31 January 2016 is the date by which we can expect much-needed clarifications from EU regulators regarding the validity of existing transfer tools such as Binding Corporate Rules and Model Clauses. On the flipside, as of that date (at least some) national regulators in the EU are likely to step up enforcement of cross-border transfer requirements and make them a top priority. We will continue to cover all major events in our special Safe Harbor Magazine.

2. General Data Protection Regulation (GDPR) – A New Gold Standard For Privacy

The agreement of the final compromise text of the GDPR on 15 December is probably the most eagerly anticipated privacy development this year. With this major hurdle taken, the GDPR is now very likely to come into force in early 2018. While two years might seem like a long time, businesses would be wise to start preparing for the new European privacy requirements sooner rather than later. If you missed them, here you can find our initial GDPR game changer analysis and our GDPR Game Plan for your organisation. As of January, we will start sharing with you in our EU GDPR Magazine and our webinar series more detailed analysis of the GDPR requirements as well as practical step-by-step guidance to assist businesses in becoming GDPR compliant.

3. Weltimmo – Wide Territorial Scope Of Data Protection Laws

Maybe less prominent but nonetheless significant is the European Court of Justice’s Weltimmo judgement handed down on 1st October (analysed here).  This ruling will particularly affect all those businesses that operate across multiple EU Member States without having formal undertakings in those countries (i.e., online businesses).  Essentially, the Court set the bar for the applicability of national Member State law very low.  Businesses that target different national markets within the EU without being formally registered or otherwise established in those markets are at risk of having to comply with the national data protection laws of each such Member State.  The ruling casts some serious doubt on the frequently implemented country-of-origin principle and requires multinationals operating across multiple EU countries to rethink their EU data protection strategy.

4. Data Retention Legislation – The Seemingly Insolvable Conflict Between Data Privacy and National Security

Data retention laws requiring telecommunications providers to retain certain communications data for law enforcement and national security purposes are currently being repealed, enacted and controversially debated around the globe. While advocates of those laws argue that they are necessary for purposes of investigation, detection and prosecution of serious crime, opponents see them as disproportionately restricting the fundamental right to privacy. In Europe, we can expect in 2016 another important ruling from the European Court of Justice on the compatibility of data retention laws with the right to privacy (as reported here).

Where Does This Leave Us For 2016?

These are just a few examples of globally significant privacy developments and trends. There is so much more, such as the increase in countries implementing mandatory data breach reporting obligations, accountability becoming a legal obligation in more and more jurisdictions, greater powers of, and cooperation amongst, privacy regulators, and the list could go on. These trends are set to continue in 2016. Businesses will need to respond. Privacy needs to be seen as a critical compliance issue which requires global rather than local solutions. Solutions need to be well planned and thought through.

On that note - Happy New Year and we look forward to sharing more developments with you in 2016. 

Contributor - Anna von Dietze