I’ll start the year off with a bit of a general overview of some interesting developments in the area of technology law – specifically in Europe, but with wide-ranging effect – and there certainly have been some in both the closing months of 2015 and already in 2016. I’m hoping I’ll get around to writing about these issues in more depth in the coming months. There have been developments in the realm of employer surveillance of employees; the fallout from the disintegration of the Safe Harbour program continues to plague multinational data-driven companies; and these developments, along with others, such as the future of the so-called ‘Right to be Forgotten’, remains to be seen, with the final touches being put on large scale reform of data protection law in the EU.
To start, many of you may have read the rather ominous sounding news headlines that an “EU court allows employers to read all employee e-mails”…. However, don’t start panicking just yet, as this really isn’t The State of the (European) Union – Technology Lawwhat happened. As Steve Peers writes,
“This is wrong on two counts: it’s not a judgment of an EU court, but of the separate European Court of Human Rights; and the ruling does not allow employers to read all employee e-mails without limitation.”
The ruling in question here was Barbulescu v Romania, a judgment of the European Court of Human Rights (ECtHR) and not one of the Court of Justice of the European Union (CJEU). The ECtHR only has jurisdiction to interpret the European Convention on Human Rights (ECHR) and its protocols, and this particular case concerns the ‘right to privacy’ under Article 8 of the ECHR, which can be limited on certain grounds according to Article 8(2).
The judgment in this case did not say that an employer can access your private communications simply if it is done on company devices, but rather in this case the employer specifically had an absolute ban on employee’s use of work equipment for private reasons. Barbulescu’s boss suspected that he was going against this policy and sending private messages on work devices. After warning Barbulescu, and Barbulescu denying the allegations, the employer provided him with a transcript of his Yahoo Messenger communications, which included personal communications. Barbalescu attempted to sue his employer, with the case ending up in the ECtHR. “So Barbulescu definitely does not give employers carte blanche to put their employees under surveillance.” There are some serious issues with parts of the judgment, but the important take-away for most non-lawyers, is that this has not broadly legalised employee surveillance.
There are also a few other interesting legal developments in the technology world, amongst them progress towards a new data protection regime in the EU, as well as the need to patch the hole where ‘Safe Harbour’ used to allow EU-US data transfers. In December just passed, EU representatives managed to agree the text of the new General Data Protection Regulation (GDPR). This will be a comprehensive redrafting of EU Data Protection law. The GDPR has been updated and modernised to reflect the changing needs and priorities in a digitising European Union, and an EU ‘Regulation’ such as this will be directly applicable (without the need for Member States to implement it), and thus hopefully more effective in harmonising EU Data Protection policy than the previous Directive. Notable changes include significant new penalties of fines of up to 4pc of total annual worldwide turnover, a strengthened notion of consent, and increased compliance and accountability requirements on data controllers.
Since the invalidation of the ‘Safe Harbour’ system in the fallout of Maximilain Schrems’ cases against Facebook and the Irish Data Protection Commissioner, large data-driven organisations have scrambled to introduce new measures to legitimise the transfer of personal data from the EU to the US. How well this is going remains to be seen, and national data protection regulators seem to still be allowing the companies some time to get their plans in order. The Article 29 Working Party, a collective group of EU data protection regulators, have stated that enforcement will be expected by the end of January 2016, and are pushing for a resolution by this time.
“If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”
Europäischer Gerichtshof: Safe-Harbor-Abkommen ist ungültig – Karikatur Schwarwel
That’s all for now, but no doubt 2016 will continue to leave me a great deal of interesting and controversial developments to try to get around to writing about.
Header Image (c) Mopik