EU developments: trade secrets and data protection

• On 14 April the European Parliament voted to approve the new Trade Secrets Directive aimed at harmonising the definition and protection of trade secrets and undisclosed know-how across Europe. The Council is expected to approve the Directive this month and it could take effect in June this year, with Member States then having a two year window in which to implement its provisions. For further details, see our January briefing (but note that the numbering of the Articles has since changed).
   
• The European Parliament also approved the new General Data Protection Regulation on 14 April 2016;  the text is available here. It will apply from 25 May 2018. The Regulation is directly applicable in all EU member states and supersedes and replaces the previous European data protection directive and any national data protection regulations based on it (ie, the Data Protection Act 1998 in the UK). Our February briefing on the General Data Protection Regulation is available here.

Employers will need to consider the implications for their processing of employee data and prepare for compliance in 2018. The Information Commissioner's Office has published guidance in the form of a 12 step checklist, available here. Some of the key recommendations from an employment law perspective include reviewing mechanisms for obtaining and recording employees' consent to data processing and other grounds for processing employee data, privacy notices, procedures for handling subject access requests, data retention policies – all of these are likely to need adjusting in view of new requirements in the Regulation. Although the deadline is two years away, it is advisable to start preparing now given the amount of work to do (and the significantly increased potential fines for breach). These preparations may also need to fit into plans for any updates to IT systems given the importance of being able to locate, retrieve and delete data in light of data subjects' more extensive rights and that they will be more informed about those rights under the Regulation.

• We have previously reported on the proposal for an EU-US Privacy Shield providing a new framework to facilitate the transfer of EU personal data to the US, following the ECJ ruling that the old Safe Harbour framework was invalid. The Article 29 Working Party (ie, the EU data protection regulators) has now assessed the documentation to make sure that an essentially equivalent level of protection is maintained when personal data is processed subject to the provisions of the Privacy Shield. It has concluded that, while there are significant improvements compared to the Safe Harbour decision, it still has strong concerns on both the commercial aspects and the access by public authorities to data transferred under the Privacy Shield. It has urged the Commission to resolve these concerns and improve the clarity of the documents before approving them. Unfortunately, this leaves data controllers with continuing uncertainty in the meantime. The Working Party's statement is available here. Our Data Protection Update discusses the documentation supporting the proposed new EU-US Privacy Shield.

Please contact Christine Young if would like to discuss the employment aspects of these developments further.