Data Protection Day– What To Watch Out For In 2016
Although there is no day off work to celebrate the occasion, today is the 10th anniversary of Data Protection Day, an event designed to raise aware awareness and promote privacy and data protection best practices.
To mark Data Protection Day 2016, Jennifer O’Sullivan highlights a number of major data protection developments both in Ireland and abroad as well as important cases to look out for in the coming year.
1. The steady stream of CJEU referrals looks set to continue
The past number of years have seen major developments in privacy caselaw before the Court of Justice of the European Union which is having a significant impact on business and on the privacy rights of individuals. This trend shows no signs of slowing and, in breaking news, it was announced today that Digital Rights Ireland (“DRI”) is taking legal action challenging the independence of the Data Protection Commissioner (“DPC”). The High Court will be asked to make a referral to the CJEU for a ruling on whether Ireland has failed to properly implement data protection law by ensuring that DPC is genuinely independent as a regulator.
2. New General Data Protection Regulation:
Heralded as the biggest development in privacy and data protection law in 20 years, 2016 will see the formal adoption of the General Data Protection Regulation which will then have a two year window before it becomes applicable across Europe. The 200 page text agreed at the end of 2015 allows businesses to get a handle on the extent of their new obligations and to begin considering their strategic approach to revising their data practices.
3. Moving on from Schrems– can we expect Safe Harbour 2?
Safe Harbour, a widely used mechanism to lawfully transfer data between the EEA and the US was invalidated at the end of 2015 in the landmark Schrems decisions. This forced organisations to consider alternative mechanisms for a compliant way of doing business with the US and, in the case of multinationals with US entities, to ensure lawful internal sharing of information. European regulators had set a deadline of 31 January 2016 for the implementation of an alternative to Safe Harbour however, no consensus looks likely to be reached shortly, although authorities from the EU and US continue to work to finalise a new data sharing mechanism. The Article 29 Working Group has stated that “if by the end of January 2016 no appropriate solution is found with US authorities, and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include co-ordinated enforcement actions”. Organisations must work to implement solutions to legitimise their transfers of information to the US, including model contracts and binding corporate rules.
4. The Microsoft ongoing battle and cross border requests for information
Microsoft’s litigation is ongoing in relation to their refusal of a request from the US government for access to email content based in their Dublin data centre in the course of a drug prosecution. Critically, if those emails were instead printed documents, US authorities would have needed to make a formal request to the Irish government under mutual assistance treaties to seize evidence held on Irish soil. This case is before the US Court of Appeals and judgment is expected in early 2016. This case is likely to go all the way to the Supreme Court and will have extremely important implications for global cloud computing business and any company or individuals using data centre storage. The decision will determine the reach of the US government in obtaining data held by US companies in jurisdictions outside the US and whether US companies can guarantee the security and privacy of data held in those servers.
5. Civil liability - an increased risk of damages for breaches of Data Protection law?
The UK has seen an increase in litigation where successful claims for compensation are being made on foot of breaches of individuals’ data protection and privacy rights. In the case of Vidal Hall v Google the UK Court of Appeal awarded damages without requiring the individuals making the claims to demonstrate financial loss arising from the breaches by Google of their data protection rights and misuse of their private information. In Ireland, the situation is markedly different with the High Court case of Collins v FBD Insurance holding that the plaintiff was not entitled to compensation in the absence of any damage being proven, including special damages. The Vidal Hall case has been appealed and is due to be heard in the Supreme Court in October later this year. Continuing the trend, the Court of Appeal in December 2015 upheld significant awards against MGN for phone hacking of between £72,500 and £260,250 per plaintiff based on breach of the tort of the misuse of private information. It remains to be seen whether this trend in the UK will now encourage more cases in Ireland and whether the Irish Courts will follow the UK approach.
6. Increasing growth of the Office of the DPC (“ODPC”)
The ODPC in Ireland looks set to continue its trend of expansion and growth with October 2015 seeing the announcement of a further budget increase of almost €1.2 million for the ODPC. The additional funds bring the ODPC’s total budget to over €4.7 million which is a major increase from its €1.89 million budget allocation in 2014. Minister Dara Murphy has stated that, “under Budget 2016, increased resources are being made available to the independent Office of the Data Protection Commissioner, headed up by Helen Dixon, to ensure that Ireland continues to have an excellent regulatory and enforcement regime for data protection, and that we are fully equipped to adapt to the ever-increasing pace of change in the digital economy.” With the ODPC’s last annual report, showing a focus on the multi-national technology section and the recruitment of an investigator with specialist expertise in the insurance sector, Irish organisations can expect to see increased engagement with the ODPC in 2016. It also remains to be seen whether the Schrems decision and now the Digital Rights Ireland action will also impact on the ODPC’s approach in 2016.