Regulatory Timeline: Data Protection and Privacy
Published on 7th Oct 2015
“The data protection law and enforcement landscape continues to evolve and the next six months will be particularly significant, with negotiations of the draft EU General Data Protection Regulation expected to end, drawing to a close three years of debate over the contents of the Regulation.
At the same time regulators in the UK and across Europe are increasing their investigation and enforcement activities, and consumers and employees are also getting to grips with their rights – and becoming more cautious about how their data is collected and used.”
October 2015 – Safe Harbor decision
On 6 October 2015 the ECJ delivered its judgment in the case of Schrems v Data Protection Commissioner. The ECJ had been asked by the Irish High Court to decide whether national data protection authorities are bound by the EU-US agreement which permits companies in the European Economic Area to transfer personal data to ‘safe harbor’ registered US companies, or whether they may conduct their own investigations into the relevant data flows to establish whether personal data is adequately protected.
The ECJ ruled that:
- the Safe Harbor scheme is invalid;
- mass and indiscriminate surveillance by US authorities is a violation of fundamental rights afforded to EU citizens; and
- a data protection regulator may conduct its own investigation; it is not bound by a European Commission decision of adequacy.
The European Commission, in response, has already confirmed that negotiations with the US for a “safer” Safe Harbor Framework will continue.
October 2015 – ICO consultation on privacy notices code
The Information Commissioner’s Office (“ICO”) expects to launch a consultation on a revised privacy notices code in autumn 2015. It is expected that the new code will provide advice on the use of graphics or video to convey information instead of traditional written privacy notices.
31 December 2015 – Negotiations of draft EU General Data Protection Regulation expected to be finalised
Wholesale reform to Europe’s data protection laws is the subject of ongoing discussion and negotiation within the European Union’s legislative bodies. Once finalised, it is proposed that the reforms will be introduced in the form of a Regulation, which will take direct effect across all EU Member States after a two-year implementation period.
Trilogue discussions between the European Council, Parliament and Commission started in June 2015 and are expected to complete in December 2015. The ICO has suggested that the two-year implementation stage could start in June 2016, meaning the new laws would come into force in 2018.
Early 2016 – ICO privacy seal to be launched
The ICO intends to set up a privacy seal scheme under which certified businesses will be able to display the privacy seal logo to customers to demonstrate their commitment to maintaining good privacy standards.
The ICO is currently setting up the scheme and will be inviting proposals from potential scheme operators in early 2016. The ICO intends to have the scheme implemented before the new EU General Data Protection Regulation comes into force.
31 March 2016 – Development of a ‘Trust Framework’
The Science and Technology Committee of the House of Commons announced that it is working with Digital Catapult and the British Standards Institution on the creation of a ‘Trust Framework’ for the commercial use of personal data. It is also looking at a voluntary code to give the consumer more control over their data. A number of pilot projects are planned during 2015 with the intention that initial stages will be completed by March 2016.
2016 – EU Cyber Security (Network and Information Security) Directive expected to be finalised
A fourth trilogue meeting was held on 29 June 2015 to discuss the proposed Network and Information Security Directive. It was reported that the European Council, Parliament and Commission have reached agreement on the main principles to be included in the draft Directive. EU leaders have called for the ‘rapid adoption’ of the Directive. Once agreed it will need to be implemented in each EU Member State.