Mason Hayes & Curran outlines what you can expect to see happening with data protection in 2016.
Last Thursday, 28 January, marked Data Protection Day 2016 – a day aimed at raising awareness and promoting best practices for privacy and data protection.
At the beginning of 2016, we looked at some high-level developments expected over the coming year, including new EU laws, new EU case law, and a potential for a new transatlantic data transfer agreement.
Along with these developments, there are many more items likely to be high on the data protection agenda for 2016.
1. Continuing emphasis on human rights
Judgments by the CJEU – the EU’s most senior court – have continued to focus on human rights, particularly in cases relating to data protection issues. This was seen, for example, in perhaps the most groundbreaking data protection case since Google Spain, the Safe Harbour case of Max Schrems.
This trend towards a human rights-style judgment, which was similarly evident in Google Spain, is likely to continue as a feature of CJEU judgments on data protection and privacy-related issues.
We have also seen an increase in the prominence of privacy-related decisions of the European Court of Human Rights (ECtHR). While the privacy decisions of the ECtHR do not generally carry the same weight as CJEU decisions, there may still be a persuasive impact over the longer term.
Most recently, the case of Bărbulescu saw the issue of employee monitoring and privacy in the workplace come under the microscope. Despite the more limited impact of the ECtHR’s judgments, the Bărbulescu case generated headlines across Europe.
2. Cross-border challenges
Over the past 18 months, we have posted updates on the Microsoft case, which relates to a request by the US government for email content based in Dublin. This ongoing saga has seen numerous technology companies, together with the Irish Government, filing papers with the US courts. The case remains in front of the US Court of Appeals, with its judgment eagerly awaited early this year.
The judgment in this case is likely to be one of the most significant of the coming year. Whatever the result, we may yet see an appeal to the US Supreme Court, although grounds for such an appeal are often narrow.
The most notable data protection case of 2015 was undoubtedly that of Schrems. In the wake of the CJEU’s invalidation of Safe Harbour, both EU regulators and the European Commission moved to offer guidance and clarification.
With the compliance deadline of 31 January past, EU regulators are preparing to meet on 2 February. The outcome of this meeting is likely to indicate their longer-term approach towards investigation and enforcement in the context of EU-US data transfers.
In any event, EU and US authorities are continuing efforts to finalise a new transatlantic data transfer agreement, which, if agreed, is likely to feature prominently in 2016.
3. Emerging technologies
2016 promises to be another year of emerging technologies, both in terms of hardware and software.
In the past six months, various Irish and European bodies have published papers and developed guidance on drones, including the Irish Data Protection Commissioner, the European Parliament and the Article 29 Working Party (WP29). With their increasing popularity, we are likely to see further focus on the privacy and data protection aspects of drones over the next 12 months.
The ‘internet of things’ – the global network of smart devices – also continues to grow. This poses new and interesting challenges across various areas, including data protection. We expect to see EU regulators publish further opinions on these new and emerging technologies, particularly in the context of privacy and data protection.
4. Data retention
Since the CJEU’s 2014 judgment in the Digital Rights Ireland case (which found the Data Retention Directive invalid) EU member states have been grappling with the absence of data retention rules at EU level. Although some guidance was published at EU level – including word from the European Commission – many EU member states, such as the UK, experienced challenges to retention laws at local level.
Questions from the UK case have since been referred to the CJEU and may yet be joined by a parallel reference from the Swedish courts in the case of Tele2 Sverige.
In Ireland, the case of Digital Rights Ireland has been referred back to the High Court and further progress is awaited. Given these moves at both Irish and EU level, we are likely to soon have further clarity on the extent and legality of data retention obligations.
The content of this article is provided for information purposes only and does not constitute legal or other advice.
Tech Law is a weekly series brought to you by Irish law firm Mason Hayes & Curran, whose legal tech team advises the world’s top social media organisations and emerging start-ups. Check out www.mhc.ie for more.
Want stories like this and more direct to your inbox? Sign up for Tech Trends, Silicon Republic’s weekly digest of need-to-know tech news.
Image of man holding up four fingers via Shutterstock