2016 was a year of seismic changes in the global data protection and privacy landscape. Here, we look back at the top ten events and issues that shaped 2016, and are poised to shape the year ahead as well.
Year In Review
1. GDPR Adoption
On April 14, the European Parliament voted to adopt the long-awaited EU General Data Protection Regulation (GDPR), formally completing adoption of the GDPR. The GDPR was published in the Official Journal of the EU on May 25, 2016, giving companies and Member States until the May 25, 2018 effective date to implement the Regulation fully. In the wake of its adoption, businesses should have planning under way for implementation of the significantly expanded Regulation by evaluating whether they are subject to the expanded jurisdiction, and if so, completing an internal gap analysis of current data protection practices as compared with the new requirements and rights under the Regulation. Some of the key aspects to consider include data breach response planning under the new 72-hour notice requirement, reviewing existing data protection notices and consents for the more robust obligations, identifying current profiling activities and existing data protection and retention policies and procedures, ensuring privacy impact assessments are carried out where required, and evaluating whether there is an obligation to appoint a data protection officer. Despite the time until the effective date, the extensive preparation necessary to comply presents a challenge as companies around the world refocus resources to develop compliance plans.
2. Political Cyber Warfare
There is a new front in geopolitical battles. (more…)
On 11 April 2016, the European Commission consulted on Directive 2002/58/EC on privacy and electronic communications (the “ePrivacy Directive”), seeking input from a wide range of businesses, organizations and individuals on the effectiveness of the ePrivacy Directive and their views for its revision. The European Commission’s review is a key element of its Digital Single Market Strategy, which aims to reinforce trust and security in digital services in the EU.
The European Commission released the results of this consultation on 19 December 2016. The consultation received 421 replies from stakeholders in all Member States and outside the EU, which included 162 replies from citizens; 186 contributions from industry actors; 40 public authorities, including competent authorities which enforce the ePrivacy Directive at national level; 33 contributions from civil society associations. The largest number of respondents came from Germany (25.9%), UK (14.3%), Belgium (10%) and France (7.1%).
On 15 December 2016 the Article 29 Working Party (“WP29”) released draft guidelines and FAQs on key provisions in the EU’s General Data Protection Regulation (“GDPR”). The guidelines cover the right to data portability, data protection officers and the lead supervisory authority. The WP29 has invited comments from stakeholders on the draft guidelines and FAQs. The deadline for comments is January 31, 2017. Although this invitation for comment is directed at the new guidance, some members of the WP29 have expressed interest in comments on additional issues for the WP29 2017 work plan, for which guidance has not been issued.
As part of a housekeeping effort, the U.S. Copyright Office issued a final rule that changes the designated agent mechanism protecting online service providers from certain copyright infringement liability under the Digital Millennium Copyright Act (“DMCA”). Companies will now have to re-register every three years, and existing registrations will cease to be valid by the end of next year.
On October 25, 2016 the European Commission (the “Commission“) adopted its 2017 Work Programme (the “Work Programme”) which sets out what the Commission intends to do over the next 12 months. The Work Programme is the third to be presented under Jean-Claude Junker’s presidency of the Commission and will also be the first Work Programme to be adopted following consultation with the European Parliament (the “Parliament“) and the European Council (the “Council“).
Members of the UK House of Lords have amended the Investigatory Powers Bill to make privacy a fundamental concern by inserting the following in clause 1 –
“This Act sets out the extent to which certain investigatory powers may be used to interfere with privacy.”
The amendment, proposed by Lord Janvrin, a member of the UK parliament’s Intelligence and Security Committee (“ISC“), was approved on Tuesday 11 October 2016, after a debate in which many members highlighted the need for safeguards against disproportionate use of the Bill by public authorities.
Artificial intelligence has been hailed for the promise of breakthrough innovations but also the object of concern by such notable voices as Bill Gates, Stephen Hawkins, and Elon Musk. To explore the issues presented, the White House conducted a review of the opportunities, risks, and regulatory implications of artificial intelligence. Last week, the White House released a comprehensive report, Preparing for the Future of Artificial Intelligence, reflecting a culmination of its review, including public comment and several public workshops that were co-hosted by the White House Office of Science and Technology Policy with the National Economic Council, as well as non-profit and academic organizations.
On July 7, Russian President Vladimir Putin signed a law amending existing anti-terrorism legislation that could affect U.S. telecom and internet service companies operating in Russia. It will require that telecommunications operators and internet service providers (“ISPs”) retain up to 6 months of data, including personal data and communications content, as well as metadata, for periods up to 3 years. Further, if any encryption is used to protect the data, the telecommunication or internet service provider must provide the Russian authorities the decryption technology.
On June 30, 2016, President Obama signed the FOIA Improvement Act of 2016 (the Act). The Act adds provisions to the Freedom of Information Act (FOIA) that may assist requesters, as well as lead to increased disclosure. However, business records currently protected by existing interpretations of FOIA exemptions should continue to be protected despite these changes. The flagship change enacts the Obama Administration’s “presumption of openness” by codifying an already-existing executive branch policy that restricts an agency’s discretionary power to withhold documents to situations where disclosure would result in foreseeable harm. Other changes include a 25-year sunset provision for protection of privileged pre-decisional inter- or intra-agency memoranda under exemption 5; procedural changes intended to streamline requests and reduce delay; and increased emphasis on FOIA’s alternative dispute resolution services to assist requesters.