“2016 is set to be an important year in data protection when the much anticipated European General Data Protection Regulation finally passes into EU law – the biggest shake-up in this area since 1995. Businesses and European regulators will then have two years to get ready for the significant changes that lie ahead.
Organisations will also need to ensure that they are up to date and compliant with the new framework for transatlantic data flows, the EU/US Privacy Shield, following the demise of Safe Harbor last year, as well as various case law developments.”
Emily Jones, Partner, Osborne Clarke
Q2 2016 – General Data Protection Regulation (GDPR)
The European Parliament and the Council reached political agreement on a compromise GDPR text in December 2015, and the European Parliament approved that text on 14 April 2016. The GDPR introduces fundamental changes to data protection law, including the harmonisation of regimes across the EU, a significant increase in fines (up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher) and extension of the regime to businesses outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.
The GDPR still needs to be formally approved by the Council and published in the Official Journal of the EU before it enters into force. We expect it to be passed into EU law in the second quarter of 2016 and, as a regulation that applies directly without national implementing legislation, to apply in all Member States two years after that. In the meantime, businesses and European institutions will need to start taking preparatory steps.
The Article 29 Working Party (which is formed of representatives from each Member State’s data protection authority and the European Commission) has set out an action plan for the implementation of the GDPR, which has four priorities for 2016:
- setting up a new European Data Protection Board (EDPB);
- preparing a one-stop shop (so that businesses can deal with a single regulator) and ensuring consistency;
- issuing guidance for data controllers and data processors; and
- ongoing communications around the EDPB and GDPR.
Q2 2016 – Data Protection Directive
As part of the European data protection reform package (which includes the GDPR), the Council has also agreed the text of a revised Data Protection Directive, which has been approved by the European Parliament.
The Data Protection Directive will govern the processing of personal data by competent authorities for the purposes of preventing, investigating, detecting or prosecuting criminal offences or executing criminal penalties, and the free movement of such data. Unlike the GDPR, it is a directive and so will need to be transposed into each Member State’s national law; its timeline is expected to follow that of the GDPR.
Q2 2016 – Information Commissioner’s Office (ICO) issues new guidance on encryption
On 3 March 2016, the ICO issued new guidance on encryption.
In the coming months organisations will be expected to review the guidance and consider whether they need to take additional measures, as part of their overall approach to compliance with the security requirements of the Data Protection Act 1998 (DPA).
Whilst the DPA does not specifically require personal data to be encrypted, its seventh data protection principle requires appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, and the ICO takes the view that organisations should consider encryption alongside other technical measures to keep personal data safe. Where a lack of encryption has led to a loss of data, the ICO may take regulatory action.
Q2 2016 – ICO issues new guidance on direct marketing
On 24 March 2016 the ICO published revised guidance on direct marketing, focusing on the rules in the DPA and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). The guidance has been updated to provide more information about third-party consents, the meaning of freely given consent and marketing by not-for-profit organisations.
Q2 2016 – ICO consultation on revised privacy notices
On 2 February 2016 the ICO published a draft revised privacy notices code of practice for consultation.
The new code has been drafted with the digital world and the GDPR in mind. The DPA requires data controllers to tell individuals how their personal data will be processed, and the focus of the revised code is how to communicate that privacy information to individuals in a “clear and engaging way”. It also covers best practice for obtaining individuals’ consent, particularly in a third-party marketing context.
The ICO is currently consulting on the new code of practice. We expect it to publish its response to that consultation in the second quarter of 2016.
Q2 2016 – ePrivacy Directive
On 12 April 2016 the European Commission launched a consultation on revisions to the existing ePrivacy Directive (Directive 2002/58/EC), which contains rules on direct marketing by electronic means as well as specific obligations on providers of electronic communications services.
Revisions are needed to implement the European Commission’s Digital Single Market strategy and to align the ePrivacy Directive with the GDPR.
During the 12 week consultation, which closes on 5 July 2016, the European Commission will hold workshops with telecoms and other groups impacted by the legislation.
A new draft ePrivacy Directive is expected to be published by the end of 2016.
Q2/Q3 2016 – EU/US Privacy Shield
Following the Court of Justice of the EU’s decision in October 2015 in Schrems v Data Protection Commissioner, declaring Safe Harbor invalid, on 2 February 2016 the European Commission announced its intention to establish a new framework for transatlantic data flows – the EU/US Privacy Shield.
On 29 February 2016 the European Commission published the legal text of the EU/US Privacy Shield, together with a draft “adequacy decision”. Following the release of details of the arrangements, on 13 April 2016 the Article 29 Working Party adopted an opinion on the EU/US Privacy Shield, raising concerns about a number of aspects of the proposed new framework, and how it will interact with the GDPR. The Article 29 Working Party’s opinion is not binding, but its views will be taken into account by the European Commission.
A committee representing all of the Member States (the Article 31 Committee) will also need to consider the proposals before any “adequacy decision” is submitted for adoption by the European Commission. Once the decision has been finalised and adopted, businesses will be able to rely on the EU/US Privacy Shield for transatlantic transfers of personal data.
Q3 2016 – Google v Vidal-Hall
In March 2015 the English Court of Appeal in Google v Vidal-Hall held that damages are available under section 13 of the DPA for distress caused by a breach of the DPA, even where no financial loss has been suffered.
Google has appealed the decision to the Supreme Court. The date of the Supreme Court hearing has yet to be confirmed but is expected to be in autumn 2016. The outcome of the case could significantly affect the frequency and size of claims brought by individuals for breaches of the DPA.
Q3/Q4 2016 – Investigatory Powers Bill
The Investigatory Powers Bill is currently proceeding through Parliament. The Bill replaces large parts of the Regulation of Investigatory Powers Act 2000 (RIPA) and aims to consolidate in one place the powers currently spread across RIPA and other legislation relating to the interception of communications and the acquisition of communications data. If (as appears likely) the Bill is approved, we expect it to pass into law before the end of 2016.