After all of the 2016 drama, the start of a brand new year is a welcome development in itself – a clean sheet for a script yet to be written. However, 2017 will not be without challenges and the same applies to the world of privacy and data protection. Many of the big issues that arose during 2016 will need to be addressed in 2017. New questions will no doubt emerge.
GDPR planning under way
2016 ended with the publication of much sought after guidelines by the Article 29 Working Party on some critical new aspects of the EU General Data Protection Regulation (GDPR): the right to data portability, the role of data protection officers and how to identify the right lead supervisory authority. The Working Party happened to pick those three issues but the choice of possible topics was tremendously wide. The reason for that is that the GDPR remains unexplored in many respects. There are new concepts to interpret, revised principles and rights to calibrate, unprecedented obligations for controllers and processors and, above all, a relentless technological evolution that will test the strict nature of many of the GDPR rules.
But whilst we contemplate these uncharted waters, the clock is ticking and the deadline for compliance with this complex framework is barely a year away. This means that in the same way that regulators are already focusing on what the GDPR means for them, organisations should press ahead with their GDPR planning even if there are question marks about its full meaning and impact. Prioritisation of key issues for each organisation – likely to include transparency about data activities, contractual arrangements with others involved in those activities, cybersecurity and internal policies and procedures for day-to-day compliance – is essential now and for many global operators, the GDPR will become the main point of reference for their privacy and data protection strategy this year.
Innovative solutions for e-privacy
Another crucial area of focus for organisations – and not just those in the telecoms and tech industries – will be the changes to the EU e-Privacy framework. It has now become clear that the European Commission wishes to extend the level of control that individuals will have over their own data under the GDPR to the digital economy. Those who were hoping that the consent requirements for cookies and tracking technologies would fade away will be disappointed. The new e-privacy Regulation will introduce revised and complex rules affecting end users’ terminal equipment and how data is collected in that context.
Given the crucial importance of user tracking for adtech as well as the expected growth of the internet of things, how the notice and consent requirements pan out under the e-privacy Regulation will be critical. At the moment, it seems as if placing cookies on a user’s web browser to serve behavioural or interest-based advertising or product development will be subject to notice and consent. The challenge in this respect will be to agree on what constitutes valid consent considering the very strict conditions placed by the GDPR. More than ever, there is an opportunity for truly innovative and technology-based consent solutions to emerge, and both policy makers and regulators will expect industry players to be proactive on that front.
This is of course easier said than done. Technological advances – from robotics, drones and AI to Blockchain – will continue to progress irrespective of the legal framework, which will need to be interpreted in the light of these advances. Therefore, constant creativity and adaptation will be necessary to ensure that the e-privacy solutions developed are sufficiently scalable as things evolve.
Global data flows under the microscope
Few data privacy topics generated more controversy and work in 2016 than transatlantic data flows. Following the declared inadequacy of Safe Harbor (the Schrems decision), the new Privacy Shield framework came to the rescue. However, the level of scrutiny of the Privacy Shield as a mechanism to secure data exported from the EU to the US has been relentless since day one. While the EU data protection authorities were prepared to give it the benefit of the doubt, various legal challenges were filed with Court of Justice of the European Union seeking its invalidation. In reality, the future of the Privacy Shield will be linked to the direction of travel of the new Trump administration and the extent to which the assurances given by the previous government on data access controls will stand.
Beyond transfers of data to the US, global data flows that are secured through standard contractual mechanisms are also in the spotlight as a result of a case launched by the Irish Data Protection Commissioner. Given that under the GDPR, exporting data from the EU will not be any easier, it is a true business priority to get this issue right. With both the Privacy Shield and standard contractual clauses under pressure, it is a matter of being alert and prepared to move quickly. Organisations are not short of options but Binding Corporate Rules (BCR) or reinforced contractual solutions will continue to be seen as the most solid approaches.
UK – Brexit, privacy and prosperity
And then there is the small matter of Brexit. The big data protection dilemma for the UK government is how different the future UK data protection law can afford to be from the EU framework. If Brexit means complete independence from the EU, in principle the UK could start with an entirely blank canvas as no Brussels-born rules will need to be followed. But at the same time, the more the UK distances itself from the EU’s data protection and e-privacy laws, the trickier it will be for UK companies to be regarded as safe recipients of data originating from Europe. If the US situation is anything to go by, being regarded as an adequate jurisdiction for EU data is a must-have of the digital age. So the UK government should be wary of the temptation to opt for a weaker data protection legal framework.
This will become even more important going forward because the recently passed Investigatory Powers Act creates an unprecedentedly wide set of rules for state access to information. As necessary as those powers may be in today’s dangerous world, it will be equally necessary to ensure that the right to privacy is not unreasonably undermined. Fortunately, the UK Information Commissioner is well positioned to play an influential role in this process – both domestically towards its own government and internationally among other privacy regulators, particularly in Europe.
Let us hope that whatever path Brexit takes, neither the government not UK businesses lose sight of the fact that guaranteeing the right to privacy and data protection is essential for everyone’s prosperity.
Eduardo Ustaran is a partner in the Privacy and Cybersecurity practice of Hogan Lovells and an internationally recognised expert in privacy and data protection law. Email eduardo.ustaran@hoganlovells.com. Twitter @EUstaran.
Image cc by Isengardt on Flickr
Good article thanks. Regarding Brexit, I wonder what merit lies in the benefit of beginning strong preparations on a ‘transfer adequacy’ proposal without delay with the finalising details added at the appropriate time? Might show good faith looking ahead? (Perhaps my question is more political than legal? Tricky times!)