Privacy can no longer be a low-level, box-checking exercise

Recent court decisions, and legislation, will most likely affect everyone handling data

In the first week of January this year, I began the new year with a prediction.

“Privacy will be a big issue in 2015. In Ireland as well as internationally, three big ‘Ps’ are aligning around the topic, building on developments in 2014: politics, policy and populism.”

As we say farewell to 2015, I would add a fourth P: plus ça change.

Privacy has been a looming issue for years now, if less publicly noticeable in the past, and isn’t about to go away. We are all digital pioneers, grappling with what it means to have our personal information accessible, transferable, analysable and storable in unprecedented ways, following several decades of silicon-driven technological developments, and especially, the growth of the internet.


And yes, digital privacy became a truly dominant international concern this year, whether you wanted it better protected, wanted less regulation and greater access to data, or faced angry customers.

That was thanks to another year of high-profile data breaches (as with the Ashley Madison website), major international court decisions (such as the Schrems case in the European Court of Justice), legislative moves (with the final draft release and start of voting on the long-awaited EU Data Protection Regulation), policy debates (for example, the UK and US mulling over whether to hobble business and public use of strong encryption), and the manipulation of fear (especially following the end-of-year terrorist attacks in Paris and other cities).


Given that none of these conundrums was resolved or concluded, privacy will, of course, again be a headline issue in 2016. I promise.

Curiously, Ireland has been at the very centre of the global privacy (and its twin, security) debate now for several years, and will remain so into 2016, because the country has been, and remains, entangled in a number of pivotal privacy-related court cases both in Europe and the US.

These included the Digital Rights Ireland (DRI) challenge to the validity of the EU Data Retention Directive, which mandated that certain types of call and internet data be retained for up to two years.

The directive was declared excessive and invalid by the European Court of Justice in 2014, and has yet to be replaced – a big task likely to emerge in 2016. Also in the new year, the original DRI challenge to the Irish State on the constitutionality of our own retention law returns to the High Court here, where presumably, it will be ruled invalid, requiring fresh legislation.

Furthermore, that ECJ data retention decision started what I suspect will be a long-running domino effect in other current (and yet to come), peripherally connected cases around the subject of data gathering, data analysis, data transfer outside the EU and data storage.

The DRI case clearly influenced the ECJ's decision in the 2015 case taken by Austrian law student Max Schrems against the Irish Data Protection Commissioner, over the handling of his personal data by Facebook.

Indeed, the court signalled its intention to not only rule on such human and civil rights-affecting cases, but to fast-track them, when, with surprising swiftness, it agreed to consider the Schrems case on referral from the Irish High Court, and then had a ruling just months later in 2015.

Usually this process takes years.

The Schrems decision came in October and invalidated the Safe Harbour agreement used by about 5,000 companies as the legal basis on which they transfer data between EU countries and the US. The judgment has far-reaching implications for individuals, governments and businesses.


The day-to-day operation of many internet services and businesses rely on data transfer, and data exchange is a key part of security operations, legitimate and (as we know from documents leaked by Edward Snowden) illicit.

Looking ahead to 2016, many expect a new Safe Harbour agreement to be hammered out early in the new year, most likely using some supporting structures within the new Data Protection Regulation (finalised now, it seems, in all but the smallest of details, and containing some significant penalties for non compliance and accidental data breaches).

Perhaps. The Schrems decision erects hurdles that cannot be cleared easily, not without some significant policy shifts.

A new Safe Harbour will almost certainly face a referral to the ECJ. And, within the triple play of the DRI decision, the Schrems decision, and the new regulation, plus affiliated decisions such as the ECJ’s “right to be forgotten” ruling, loom many challenges in the form of new operational and compliance demands for businesses. Maybe the subject hasn’t come up much beyond the circle of a few multinationals, but my sense so far is that both SMEs and most multinationals are blissfully building their digital operations on a regulatory floodplain, with wishful thinking and little regard for what lies ahead.

But these court decisions, and legislation, will affect everyone handling data. I suspect that 2016 will be the year in which many of them gradually, and painfully, realise privacy can no longer be a low-level, box-checking exercise, but has to be built into the foundations of a business.