December 31, 2015

This issue is remarkable for the fact that it is almost completely dominated by articles covering two themes: predictions and the fall-out from Schrems.


I am very grateful to all those who responded to my call for predictions and have been amazed that so many have come up with contributions that are fresh and perceptive. The future has been around for a long time so it is hard to say anything new about it. But I think 2015 was one of those years when attitudes shifted under the weight of events so it is not altogether surprising that the view forward changed more than might normally be explained by the passage of time.

Schrems and Safe Harbour

As for Schrems, I believe that the range of articles we have here will be a useful tool and point of reference. The articles from Dr Julia Hörnle and Natasha Simmons are the bedrock but I confess that I found the pieces from Paul Bernal and Brad Smith the most thought-provoking, not least because it is clear that the views of the committed privacy defender and the Microsoft president and chief legal officer have so much in common.

I confess that I have come round to the view that the decision in Schrems was right, but unfortunate. The reality was that the EU Commission was responding to the concerns about Safe Harbour/Harbor; one cannot be sure that they would have ended up with much in the way of an improved Safe Harbour/Harbor but the Commission did seem to understand the Snowden-related concerns. If the Commissioners failed to end up with a decent deal, there were mechanisms in place for them to be called to account. The ongoing reality is that data protection authorities through the EU will struggle to find the resources to take account of the ruling – and, if they do find those resources, it is likely to be at the expense of other responsibilities.

In his article, Paul Bernal states that the business models of Facebook, Google and others are based on systems that are essentially at odds with the principles upon which data protection is based. Brad Smith talks about the dangers of relying on ‘Band-Aids for issues that require changes that are more substantial’. I agree with both of those statements which is why I think that the most unfortunate aspect of the Schrems ruling is that the cybersky has not fallen down following the ruling – data is flowing across the Atlantic just as it was before and, to borrow Brad Smith’s metaphor, we haven’t even got to the Band-Aid stage, the wound is still bleeding. So, despite the leading court in the CJEU making it clear that the arrangement cannot be relied on, only in Germany has anyone made a move that suggests that it is not OK to rely on it – most data protection authorities seem to share the ICO’s position, which I can paraphrase wildly as ‘let’s pretend that ruling never happened and hope it all sorts out in the wash’. Perhaps the New Year and the January ‘deadline’ will change things but it seems to me more likely that the online megacorps will carry on regardless, because that’s what people want, and respect for court judgments will be the poorer for that.

Data Protection Reform

This issue will hit many desks as tech lawyers grapple with the detail of the new Directive and Regulation. I anticipate that our next issue will focus on the reform and pick out aspects of concern. I would be delighted to be presented with suggestions for articles on aspects that we might cover: the new roles for data protection officers, consent and ‘the teenager issue’ spring to mind. I also wonder whether it can really be true that the changes that are part of the reform will have no effect for two years; it seems to me that they are likely to be taken into account long before that, even where that might create some conflict with the existing rules. (I never understood the need for a two-year pause before implementation – it’s excessive delaying such improvements as there are.)

I found the final changes to the GDPR very depressing. The idea that a carefully considered and widely debated package could be subject to any fundamental change at the trilogue stage is undemocratic (because it closes the door on debate) and, perhaps more important for tech lawyers, will lead to a series of embarrassing messes. The afore-mentioned ‘teenager issue’ has got lots of coverage and the compromise which was reached has rightly been condemned, but I am starting to see a range of criticism, much of which focuses on the late changes. According to Joel Harrison’s tweet, the final version of the GDPR ‘allows for fines for non-intentional, non-negligent violation, even with DP seal – none of COM, EP and Council texts did that’  – a quite extraordinary and indefensible change. I think those final changes are the product of a situation with which tech lawyers are becoming increasingly familiar: big politics now cares about IT and Internet issues because they are central to economies and citizens’ lives but few (if any) big politicians have the necessary level of understanding to make sensible contributions to IT and Internet-related law.