To mark Data Protection Day 2016, this update provides a summary of the two big data protection issues which stole the headlines in 2015: the General Data Protection Regulation and the invalidation of the Safe Harbor data transfer mechanism in Maximillian Schrems v Irish Data Protection Commissioner.

The Schrems Case

2015 saw the apparent demise of Safe Harbor, a pre-approved mechanism for transferring data between the European Union and the United States. The privacy activist Max Schrems brought a case against Facebook claiming that his right to privacy had been breached as a result of Facebook transferring his data from the EU to data centres in America for processing.

The Court of Justice of the European Union handed down a landmark ruling finding the Safe Harbor mechanism to be invalid with immediate effect. The Article 29 Working Party approved the use of model clauses and binding corporate rules as an interim alternative to Safe Harbor and set a date of the end of January 2016 for a new mechanism for transatlantic data transfers to be agreed.

By mid-January 2016 it became clear that the deadline for Safe Harbor 2.0 would be missed. It was announced that the European DPAs are to meet in Brussels on 2 February 2016 to discuss and ultimately configure a new system for transatlantic data transfers. Further progress came in the form of the US Secretary of Commerce Penny Pritzker submitting a package of proposals alongside a letter setting out the US commitment to the oversight of this new package.

Coming to an agreement on Safe Harbor 2.0 will require, to an extent, the alignment of EU and US views on privacy rights. The EU recognises privacy as a fundamental right worthy of adequate protections, and the US programme of mass surveillance is at odds with this basic human right. The US sees things somewhat differently. Whether or not a new Safe Harbor mechanism is agreed in February 2016, or beyond, EU Data Protection Authorities have now committed to examining complaints about the alternative transfer mechanisms.

Thanks to Schrems, we have entered 2016 on uncertain terms with regard to data transfers. However, the Schrems decision has presented the US and the EU with the challenge of creating a mechanism which protects individual rights and which is commercially practical.

MacRoberts IPTC partners Valerie Surgenor and David Flint are, this weekend, in the United States addressing the American Bar Association Cyberspace Institute on the aftermath of the Schrems case.

The General Data Protection Regulation ("GDPR")

The GDPR was first put forward by the European Commission in 2012; however, it took almost four years for the Commission, the Council and the Parliament of the European Union to conclude negotiations. The GDPR is undoubtedly the biggest reform to data protection in the European Union for over two decades and has ensured that 2015, when considered alongside the decision in the Schrems case, will be recognised as a landmark year for data protection in Europe.

The GDPR will provide EU citizens with the opportunity to better control their personal data by placing new and uniform obligations on businesses throughout Europe. Having one set of EU data protection rules provides consistency for businesses. Greater harmonisation will have a positive impact on the EU economy by reducing the compliance burden on businesses which operate across several EU Member States.

The GDPR obligations will have a significant impact on businesses, many of which will have to change their current practice and appoint an independent Data Protection Officer to ensure compliance. Under the GDPR businesses must: provide individuals with more information as to how their data is processed; adhere to the "right to be forgotten"; and notify the national supervisory authority of serious data breaches.

The GDPR stretches across EU borders, affecting non-EU-based businesses. Such businesses must also adhere to the obligations and duties set down by the GDPR when offering services within the EU.

The critical aspect for businesses is the penalties for failure to comply with the GDPR: fines of up to 4% of global sales, with data controllers and processors jointly and severally liable for any breach of the GDPR. With such a significant economic impact faced by those in breach, there is a high incentive to comply with the GDPR provisions, which will become applicable no later than two years from now. The impact of the GDPR, together with the added complications businesses face with cross-border data flows following Schrems, provides plenty of food for thought for all businesses for whom data protection is a consideration.

© MacRoberts 2016

Disclaimer

The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.