I t is hard to believe that 8 months have already passed since the text of the General Data Protection Regulation ('GDPR') was finally agreed. While all eyes are on 25th May 2018 and the commencement of the GDPR, data protection developments continued apace throughout the year on multiple fronts. As the year draws to a close, we look back on some of the most significant developments in 2016.
The Court of Justice of the European Union ('CJEU') invalidated the Safe Harbor regime in its judgment on 6th October 2015. However, the ramifications of the decision rolled on throughout 2016 and will continue well into 2017 and beyond.
While the Privacy Shield was finally agreed in February, it was July before it was approved by EU Member States. Inevitably, by October, proceedings had already been lodged by Digital Rights Ireland with the General Court of the European Union - the lower court of the Court of Justice - seeking an application under Article 263 of the Lisbon Treaty for an annulment of the Privacy Shield decision. The first annual review of Privacy Shield by the European Commission, the Federal Trade Commission and the US Department of Commerce is due to take place in mid-2017.
In July 2016, the High Court hearing in the case of the Data Protection Commissioner v Schrems & Facebook kicked off with several amicus curiae ('friends of the Court', or additional parties) seeking to be admitted to the proceedings. At the heart of the case is whether or not the Standard Contractual Clauses approved by the EU Commission should be invalidated for the same reasons that the Safe Harbor perished. The High Court trial is scheduled for February 2017 and it is largely expected to lead to another referral to the CJEU later in the year.
In January 2016, Digital Rights Ireland reported that it had instructed its lawyers to serve legal papers on the Irish government, challenging whether the Office of the Irish Data Protection Commissioner was truly an independent data protection authority under EU law. It was reported that proceedings were eventually served in October.
While the ODPC is not a party to those proceedings, there was no shortage of other litigation during the year. In January, April and November, the ODPC brought prosecutions against several companies for various SMS and email marketing offences under the e-Privacy Regulations. In May, the Nowak v DPC case was referred to the CJEU by the Supreme Court to determine...