October 29, 2015

Case law changes and the GDPR

The CJEU judgment in Case C-362/14 Maximillian Schrems v Data Protection Commissioner came very late in the course of preparation for this issue. But so much was said about it so quickly that it would have been possible to have covered it in an article. I felt that the case was too important for that. It may well change the way in which all EU businesses have to deal with their data. It might be the end of cloud computing as we know it. It might be just a bump in a road.

I decided that, whether Schrems is cataclysmic or a mere inconvenience, or something in-between, needed a bit of mature thought and that only a step back can provide that. I am not sure that even the data protection supervisors meeting in their Article 29 Working Party conclave have managed mature thought – their statement, postponing action until January 2016, smacks of the desperation of a divided or uncertain community even if it might be quite a sensible interim ‘fix’. And, for what it is worth, I am lost as to how the negotiators of a new Safe Harbor/Harbour regime can square the circle of the CJEU’s continuing commitment against wide-ranging surveillance and US commitment to it, arising from its understandable sensitivity about/obsession over (delete as you feel appropriate) about terrorism.

But, while Schrems is the most prominent game-changing judgment of recent months, it is not the only one. This issue sees coverage of Weltimmo which concerns the reach of Member State data protection supervisors, where the CJEU concluded that their reach might (in certain circumstances) stretch beyond the border of their home state. This issue also includes an article warning of the effects on company liability and their insurers of the judgment in Vidal-Hall (which seems like an old judgment already, but the Court of Appeal judgment was as recent as March).

All these changes in the data protection landscape have gone on while we await the final, final version of the data protection reform package. The lot of those charged with the task of finalising the GDPR has not got easier. In fact, while I share the impatience of those wondering how anything can take this long, I note that even those who were previously very impatient have changed their tone a little and seem resigned to yet further delay. The danger must be that, just as the last Directive was decades behind developments in practice, the GDPR will be a decade behind practice and a long way behind the case-law developments. The saving grace may be that data protection principles are (relatively) simple and must be kept that way. But I still feel strongly that this might be a case where the usual practice of postponing direct implementation in Member States for two years should be abandoned and a speedier implementation agreed – lest the law and practice move on round the bend. As it is, we have vast changes in data protection practice being addressed by the courts using old tools.


I am rather reluctant to look too far ahead these days. The old adage of ‘in the long run we are all dead’ has an extra piquancy. But even I have now begun to be excited by the prospect of SCL hosting the next conference for the International Federation of Computer Law Associations in June next year.

The magazine will have a special issue to reflect the event and, while I will be looking for contributions from some of the speakers for that issue, it also gives UK-based organisations an opportunity to contribute on suitable themes. Although we do seem to have reached a stage where everything in IT law is suitable – as the IFCLA strapline has it, ‘IT Law is Global’. There are also opportunities to be an event sponsor – it is an association that not only establishes international credentials but will give the UK profile a boost too.