Mason Hayes & Curran looks back on how data protection regulations have evolved over recent years and the sticking points that continue to be debated.
Since we began our tech law blog over 18 months ago, we have covered a wide variety of topics, ranging from 3D printing and driverless cars to online freedom of expression and the US vs Microsoft case. This week, we take a look back over four data protection topics that keep cropping up and examine how they have developed in the past two years.
1. Data retention
Data retention has been a topic on the agenda of many EU member states since the Digital Rights Ireland case. In this 2014 case, the EU’s highest court declared the EU Data Retention Directive invalid, resulting in uncertainty for the corresponding national laws across the EU.
In light of this decision, a number of countries, including the UK, have seen their national data retention laws modified or replaced. More recently, an opinion from the European Parliament’s Legal Services also shed further light on lessons to be learned from the court’s finding. This document states that EU member states should examine their national data retention measures to see whether they comply with the decision of the court, adding that they may repeal existing laws which transposed the terms of the directive.
Data retention, at national and EU level, looks set to remain an issue for many EU countries. The European Commission recently provided clarity on its views on what the Digital Rights Ireland decision means in the context of existing national retention laws, which we will explore further in an upcoming post.
2. Access requests
The right of individuals to access their data is core to Irish and EU data protection law. It is also one of the rights exercised most frequently by individuals. As a result, controllers of personal data need to be aware of their obligations in this area.
In recent years, both Irish and UK courts have clarified certain aspects of the right of access. However, UK and Irish courts have differed in their views. Differences have arisen both around the circumstances in which an individual can make a request and the extent of the data that needs to be provided in response.
Last year, enforced access requests (in other words, requests made at the insistence of an employer or potential employer) were made illegal. The Irish Data Protection Commissioner has recently expressed her determination to clamp down on these requests.
3. Right to be forgotten
The ‘right to be forgotten’, which arose out of the Google Spain case, remains one of the biggest buzzwords in data protection. Since this notable decision, the EU’s collective body of national data protection regulators – the Article 29 Working Party – has issued guidance on how it believes the judgment should be applied.
Despite being a high-profile legal development, the right to be forgotten largely relies on existing data protection rights. However, one of the lesser-known, but still groundbreaking, aspects of the Google Spain decision was the court’s finding that Google Spain’s operations were directly connected with Google Inc’s processing of personal data.
While Google Spain did not process personal data, it sold advertising in Spain that supported the Google search engine, run by Google Inc. The court viewed these sales as being made in the context of Google Inc’s processing of personal data and consequently sufficient to trigger the application of EU data protection law to Google Inc.
This represents a potential expansion in the reach of EU data protection law. We have since seen the English High Court rely on this ruling to allow a person to bring a case against Google Inc in England, despite the fact that Google Inc is based in the US.
4. The new regulation
The new General Data Protection Regulation (GDPR) is still working its way through the legislative process. This regulation will replace the current Data Protection Directive, which has been in place since 1995 and has been implemented separately in each member state’s own national laws.
With the introduction of the GDPR – still potentially two to three years away – there will no longer be separate national laws governing data protection. Instead, the GDPR will govern data protection in all 28 EU member states.
While still in draft form, one of the core proposals in the GDPR is the ‘one-stop shop’ mechanism. This approach means that an organisation would primarily coordinate with the regulator in the member state where it has its main operations, with other national regulators having more limited input.
Recent months have seen various stakeholders submitting comments on GDPR proposals, such as ‘one-stop shop’. In particular, EU data protection regulators have expressed their collective view on certain aspects of the current draft, which is currently being reviewed by EU lawmaking bodies.
Data protection continues to be a rapidly evolving area, and one that is increasingly important to business. In the past couple of years, we have seen increases in data protection-focused court cases, both at national and EU level, as well as more regulatory enforcement. This continues to be the case.
Both the ‘right to be forgotten’ and the GDPR look set to continue being data protection hot topics.
Google has recently encountered further difficulty in front of the French data protection regulator (also known as the CNIL) regarding the extent of the ‘right to be forgotten’.
The GDPR is expected to near completion in very late 2015 or 2016, coming into force two years after that. However, certain sticking points, such as ‘one-stop shop’ and the extent of fines, are still likely to cause further disagreement.
The content of this article is provided for information purposes only and does not constitute legal or other advice.
Tech Law is a weekly series brought to you by Irish law firm Mason Hayes & Curran, whose legal tech team advises the world’s top social media organisations and emerging start-ups. Check out www.mhc.ie for more.