Europe: Developments in EU laws on trade secrets and data protection

• The Trade Secrets Directive was passed by the Council of Europe on 27 May 2016. It will come into force 20 days after its publication in the EU Official Journal and member states will then have a two year window in which to implement its provisions. It will introduce a harmonised regime for the protection of trade secrets, aimed at encouraging cross border R&D as well as providing more security for confidential information within the EU. Our London office is hosting a seminar on trade secrets and the impact of the Trade Secrets Directive on 1 July 2016. Click here for further information including registration.
• The General Data Protection Regulation has now been approved and published in the EU Official Journal and will come into force on 25 May 2018. New standards for consent, enhanced information rights and greater sanctions for data processors and controllers indicate a potentially significant impact for employers; organisations should take steps now to prepare for the changes. A detailed briefing will be available shortly - please contact us if you would like a copy.

• There have been further developments of concern to employers in relation to cross-border transfer of data. Our last e-bulletin reported on the proposal for an EU-US Privacy Shield providing a new framework to facilitate the transfer of EU personal data to the US, following an ECJ ruling that the old Safe Harbour framework was invalid. The Article 29 Working Party (ie, the EU data protection regulators) has now assessed the proposal and concluded that, while there are significant improvements compared to the Safe Harbour decision, it still has strong concerns on both the commercial aspects and the access by public authorities to data transferred under the Privacy Shield. It has urged the Commission to resolve these concerns and improve the clarity of the documents before approving them. Similar concerns have been expressed by the European Data Protection Supervisor and European Parliament.

Meanwhile, the Irish Data Protection Commissioner has made a referral to the ECJ on the legal status of one of the alternative data transfer mechanisms, the EU's Standard Contractual Clauses. Although the UK Information Commissioner's interim statement post the Safe Harbour decision noted that other transfer mechanisms such as Standard Contractual Clauses and Binding Corporate Rules could still be used, it also commented that the judgment inevitably cast some doubt on their future given that data transferred under them are also liable to be accessed by intelligence services, whether in the US or elsewhere. Unfortunately, this leaves data controllers with continuing uncertainty in the meantime.