Data protection has been evolving consistently since the General Data Protection Regulation (GDPR) came into force on 25 May 2018. This can make it complicated for organisations to stay up to date with the ever-changing landscape. This blog is here to guide you through topical trends to note as we enter GDPR’s fifth year.
GDPR regulates how personal data is stored, managed, transferred, processed and more. It applies to any organisation that stores or processes personal data within the European Union, and, because of its extraterritorial scope, also to organisations outside the European Economic Area that offer goods or services to, or monitor the behaviour of, people in the EU.
GDPR applies not just to the large multinationals and tech giants but to small and medium enterprises (SMEs) too. Here is a rundown of the latest developments within the data protection sphere that organisations should keep an eye on.
1. Upcoming Acts to watch out for
There are many regulations that complement the GDPR but are separate from it. An example is the ePrivacy Regulation, which governs electronic communications. This year saw many other new regulations drafted and introduced, with implementation on the way. Here is a summary of them.
- Digital Markets Act (expected late 2022)
The Digital Markets Act (DMA) aims to enable open and fair digital and data markets by fostering competition. It is intended to regulate market power based on data and to address imbalances or abuses of power by the biggest digital companies, by imposing obligations on the largest online platform providers, or ‘gatekeepers’, to share or provide access to data. It therefore won’t apply to SMEs directly. It will overlap with the GDPR where datasets are shared or combined, so organisations receiving such data will have to assess carefully whether processing required under the DMA also complies with the GDPR.
- Digital Services Act (expected 2024)
The Digital Services Act (DSA) will regulate the obligations and accountability of the online intermediaries and platforms we use every day. Its purpose is to protect consumers in their online activities, give them more choice and lower costs online, and protect them from illegal content. Organisations will have to be clearer and more predictable about how they offer their services, while retaining the ability to scale up. The Act will apply to network infrastructure intermediaries, hosting services, online platforms and marketplaces. All of these organisations will have obligations, but the obligations will differ according to their size and the nature of their service: the larger the provider, the greater the number of obligations.
- Artificial Intelligence Act (expected 2024)
Emerging technologies based on artificial intelligence (AI) offer benefits in many areas today. The increasing use of the Internet of Things, connected and automated vehicles and many other growing technologies offers many benefits but also poses challenges. In April 2021, the EU Commission released its proposed Regulation ‘Laying Down Harmonised Rules on Artificial Intelligence’, to establish rules on the development, placing on the market and use of AI systems across the EU.
This is the first proposed law of its kind globally, and other countries are now starting to draft and consider laws relating to AI. Developers, deployers and users of AI will be subject to the new regulation once it enters into force. It provides for a risk-based approach to assessing AI systems and technologies, with obligations scaled to the level of risk, and establishes a detailed regulatory regime overseen by a new European Artificial Intelligence Board.
- Data Act (expected mid 2024)
The EU Data Act aims to make it easier for organisations and people to access data by removing barriers to data sharing. At a high level, it seeks to make data sharing and use or reuse easier for all by setting standards at an EU-wide level. The EU Data Act will sit in parallel with the GDPR but provides wider rules that apply to all ‘data’, which the Act defines as any digital representation of acts, facts or information, including sound, visual or audio-visual recordings.
This means more control for people over all of their data, not just the personal data governed by the GDPR. For example, it should help customers switch effectively between services. Organisations, particularly smaller businesses, will be able to get access to data which they help to create. The Act focuses on making clear who can create value from data and under what conditions. Along with the Data Governance Act, the EU Data Act aims to make the EU a leader in a data-driven society.
2. International transfers
International transfers have been a topic of interest and importance since the landmark Schrems II judgment in 2020. As we come into GDPR’s fifth year, its importance still rings true. The Schrems II judgment concerns transfers of personal data to countries outside the EEA that do not offer protection essentially equivalent to that of the EU. An interesting move forward was made in March 2022 regarding the Privacy Shield, the framework that had allowed a free flow of personal data between the EU and the United States (US). Two years ago, that framework was invalidated by the Schrems II judgment, which drastically altered how transfers of personal data to the US are conducted. Various news outlets have reported that a successor to the Privacy Shield is on its way.
The EU Commission and President Joe Biden are eager for political alignment given recent global developments such as the war in Ukraine. Although a new agreement is expected to be announced soon, with further details to follow, a final arrangement is likely still months away.
As of now, there is little detail on what the new agreement will entail. It will have to provide adequate protections for data subjects and address the sticky subject of US surveillance laws. Until then, organisations still need to conduct Transfer Impact Assessments for transfers of personal data outside the EEA. It is important to note the recent cases surrounding Google Analytics, in which the French and Austrian DPAs ruled that the transfer of EU personal data to the US through the use of Google Analytics cookies was unlawful.
3. Records of Processing Activities
Keeping a Record of Processing Activities (ROPA) is one of the first and most important steps organisations should take when assessing what personal data they process. It is an obligation under Article 30 of the GDPR. Maintaining a ROPA allows you to make an inventory of the data processing your company conducts and gives an overview of what you do with the personal data concerned.
The obligation to keep a ROPA is imposed not only on the controller and its representative, but also directly on the processor and its representative. There is an exemption: organisations with fewer than 250 employees need not keep a record, unless the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data or data relating to criminal convictions and offences. In practice, most organisations that process customer or employee data regularly will not qualify for the exemption.
In January, the Data Protection Commission of Ireland announced an enforcement sweep which would include ROPAs. Organisations that fail to comply with Article 30 are subject to fines of up to €10 million or 2 per cent of their total worldwide annual turnover, whichever is higher. Organisations must ensure their ROPA is up to date and accurate.
4. Regulatory action
Finally, a trend to watch, affecting large multinationals and SMEs alike, is regulatory action such as fines. Data Protection Authorities across Europe doubling down on enforcement, and the large fines that came with it, were a feature of 2021 (WhatsApp’s €225 million penalty comes to mind). This year is no different: large fines have been issued across sectors, whether to Google, national banks or start-ups. Any company is susceptible to regulatory action for non-compliance and breaches.
Regulators are focusing on key areas of the GDPR such as:
- Lack of a legal basis, particularly for health data and other special category data, and especially for systems using biometric data such as facial recognition
- Companies failing to perform Data Protection Impact Assessments (DPIAs) on new systems and tools
- Breaches and breach reporting
- Cookie compliance.
In life, the older something gets, the more complex its needs usually become. Data protection is no different. As GDPR matures, and as this blog shows, the regulation and its offshoots look set to make ever more demands of data protection professionals.