Bloomsbury Law Online

Author archive

Eduardo Ustaran

Eduardo Ustaran is a partner in the Privacy and Cybersecurity practice of Hogan Lovells and an internationally recognised expert in privacy and data protection law. Email eduardo.ustaran@hoganlovells.com. Twitter @EUstaran

After all of the 2016 drama, the start of a brand new year is a welcome development in itself – a clean sheet for a script yet to be written. However, 2017 will not be without challenges and the same applies to the world of privacy and data protection. Many of the big issues that arose during 2016 will need to be addressed in 2017. New questions will no doubt emerge.

For decades, overcoming the limitations of European data protection law to transfer personal data to countries outside the European Union has been a compliance priority for organisations operating internationally. Global data flows are part of the fabric of modern communications and everyday commercial and social interactions. This is especially true of the transatlantic relations between the European Union and the United States. However, countries such as the US that approach the regulation of personal data privacy from a different perspective than countries in Europe face a tough challenge when trying to demonstrate an adequate level of protection according to the European standard.

On 6 October 2015, the Court of Justice of the European Union (CJEU) declared the EU–US Safe Harbor framework invalid as a mechanism to legitimise transfers of personal data from the EU to the US. This decision effectively leaves any organisation that relied on Safe Harbor exposed to claims that such data transfers are unlawful and could have serious implications for transfers of personal data both within multinationals and to global service providers.

Background

Safe Harbor was jointly devised by the European Commission and the US Department of Commerce as a framework that would allow US-based organisations to overcome the restrictions on transfers of personal data from the EU. However, since its adoption, Safe Harbor was fraught with challenges. Although the data protection requirements set out in the Safe Harbor Privacy Principles were meant to match the standards of protection of European law, its self-certification nature and the non-European style of its provisions have attracted much criticism over the years. In particular, the revelations triggered by Edward Snowden in 2013 about the US intelligence surveillance operations led the European Parliament to adopt a resolution seeking its immediate suspension. The European Commission had no choice but to reopen the dialogue with the US government to find a way of strengthening the framework and restoring its credibility.

In recent years, privacy and data protection have become business critical issues whose significance is only set to increase. Due to the combined effect of three factors – the evolution of technology, the realisation of the strategic and commercial value of personal data, and the globalisation of data-reliant activities – we find ourselves at a crucial crossroads. The implications of devising an effective legal framework to regulate the use of personal information are crucial for the future of humanity, our freedoms and our economic wellbeing.

A key functionality of social networking services is the ability of the user to “import” the contact details of existing friends and acquaintances. This functionality is a simple technological solution that relies on the sharing of personal information – which is what online networking is all about – so it is essential to know how to make the most of it in a non-intrusive and responsible way.

Internet cookies have been in the spotlight under EU data privacy law for quite some time. When the European Parliament was formally asked to consider the original draft of the e-privacy directive by the European Commission in August 2000, nobody knew what type of requirements would end up applying to one of the most frequently used tools on the web. However, when in October 2001, the Parliament issued a substantially revised version of the draft directive incorporating a prior consent requirement for the use of cookies, it became clear that this was a sensitive and controversial issue.

It is sometimes difficult to comprehend how, in the not too distant past, anyone could book a hotel without looking at TripAdvisor or could invite someone out for lunch without checking a user review published in Toptable or london-eating. Today, we rely on the collective wisdom of total strangers (although not necessarily to the operator of the website) to make important decisions like where to stay during a holiday abroad or where to take a key client for lunch. This is the spirit of Web 2.0 – the latest reincarnation of e-business and one that is proving very rewarding for a new breed of hugely popular websites.