This is a brief overview of some data protection issues for business to watch out for in 2018. It first appeared in this week’s BEERG weekly newsletter under the heading: #GDPR – 132 Days to go… but there is a lot more ahead.
Derek Mooney writes: No one needs reminding that the General Data Protection Regulation, 2016/679 (GDPR), the EU’s new pan-European data protection law, comes into force on May 25 – in 132 days, or 94 business days (from Jan 12). 2018 will be the year of data protection as everyone – regulatory authorities and individual organisations alike – struggles to get used to the new regime.
Will Data Protection Authorities and individual companies be able to source sufficiently experienced Data Protection Officers to oversee the new laws? And if having the GDPR come into effect in 2018 is not a sufficient strain, you can add the issue of what happens to data transfers to the UK post-Brexit.
The EU Commission has just produced an initial notice to stakeholders on this issue (Jan 9th). The notice opens saying that there will be “…considerable uncertainties, in particular concerning the content of a possible withdrawal agreement, all stakeholders processing personal data are reminded of legal repercussions, which need to be considered when the United Kingdom becomes a third country.”
The Notice is short on specifics, apart from reminding us that much depends on the final Brexit agreement containing an “adequacy decision”, and concludes saying:
“As regards the implementation of the GDPR, and in particular the new tools for transfers to third countries (e.g. approved Codes of Conduct and approved certification mechanisms entailing binding commitments by the controllers and processors receiving the data in the third country), the Commission (DG JUST) is working with interested parties and data protection authorities to make the best use of these new instruments. Moreover, the Commission has set up a stakeholder group comprised of industry, civil society and academics, in which this topic will be discussed.”
Others are preparing for the GDPR, particularly data privacy activists. Max Schrems, the young Austrian lawyer whose privacy case brought down Safe Harbour, is in the process of trying to set up a data privacy NGO to pursue data privacy claims under the new GDPR, to be called NOYB (None of Your Business). His new group will, if he succeeds in his crowdfunding campaign, use “…best practices from consumer rights groups, privacy activists, hackers, and legal tech initiatives and merge them into a stable European enforcement platform”.
He hopes his new NGO will pursue individual privacy cases in a more effective way under the GDPR, saying that he hopes it will:
“…follow the idea of targeted and strategic litigation to maximize the impact on the future of your right to privacy. When appropriate, noyb will use PR and media initiatives to ensure your right to privacy without even going to court. Finally, noyb is designed to join forces with existing organizations, resources and structures to maximize impact, while avoiding parallel structures.”
2017 saw several national and regional Data Protection Authorities pursue the social media giants, as we reported here during the year, and there is no evidence that this trend will halt. Indeed, 2018 will see Germany’s pursuit of social media giants step up a grade with the coming into force on January 1st of its new Network Enforcement Act (aka “NetzDG”). The law is one of the strictest social media laws about. It obliges social media companies to remove illegal content and to do it speedily. In effect, Germany has introduced a form of social media regulatory system that puts the onus on the social media giants, not the courts, to decide what is illegal content, based on the country’s already clear-cut and tough hate speech laws. Failure to remove the content can, in extreme cases, result in fines of up to €50 million.
2018 may also see clarity on “standard contractual clauses” as the Court of Justice of the European Union (CJEU) addresses the Irish referral on SCCs. The hearing is expected to take place towards the end of 2018 with a decision in early/mid 2019. The Irish Data Protection Commissioner, who had sought the referral, has published material pertinent to the referral on this webpage.
Meanwhile, and finally for today, the EU’s Article 29 Working Party of Data Regulators has produced draft GDPR guidelines on Consent (wp259) and on Transparency (wp260). These are available to download from their webpage.
They have invited interested parties to make comments and observations on these two sets of guidelines. Comments should be sent to them by 23 January 2018 at the latest at either of these two email addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and/or email@example.com