More legislation, stronger regulation?

Last year saw a lot of new legislation introduced within the EU, showing privacy and digital rights being taken more seriously. In today’s world, this is essential and new laws to regulate previously non-regulated sectors indicate how times are changing and laws are adapting to the new landscape.

These are:

1. The Digital Services Act
2. The Digital Markets Act
3. The EU Data Act
4. The Data Governance Act
5. The Artificial Intelligence (AI) Act

In our previous blog series (part one and part two) we discussed four of the five new Directives, and how they will affect organisations. Now let’s turn our attention to the fifth one from the list above.

What is the Artificial Intelligence Act?

As anyone who has followed the progress of technologies like ChatGPT, AI is coming to the mainstream. The AI Act is a proposed law that intends to regulate AI in the European Union. The landmark regulation will be the first legislation regarding AI. It plans to introduce obligations proportional to the potential harm of the technologies’ applications. There will be core rules that apply to all industries as well as sector-specific guidance.

The Act will apply to all AI systems providers whose services or products reach the EU market. This way, it covers providers and users of AI systems outside the EU if the output of the AI system is used in the EU.

On 5 October, EU lawmakers held their first political debate on the Act and its scope. The discussion, as reported in Euractiv, covered sensitive topics like the contentious issue of biometric recognition. There’s expected to be an early agreement in 2023 on the European Commission’s draft law.

Points to note

A key goal of the Act is that AI systems in the EU market are safe and respect existing law on fundamental rights and EU values and that they ensure legal certainty to facilitate investment and innovation in AI. It’s also intended to facilitate safe and trustworthy AI applications and prevent market fragmentation.

High-risk applications, such as a CV-scanning tool that ranks job applicants, are subject to specific legal requirements. It’s also worth noting that:

• AI providers will need to conduct data protection impact assessments on all AI systems
• Applications not explicitly banned or listed as high-risk (see below) are largely left unregulated

AI systems deployed in certain sectors are deemed to be high-risk to safety or fundamental rights. These are: critical infrastructure where the AI could put people’s life and health at risk; educational and vocational settings where the AI could determine access to education or professional training, employment, worker management and self-employment.

How will it affect organisations?

Under the provisions of the AI Act, providers would have to tell users that:

• they are interacting with an AI system
• they are collecting personal data and if so, for what purpose
• they are classified into specific categories like gender, age, ethnic origin, or sexual orientation.

Stronger EU-US transfers?

Another major development of 2022 was the announcement surrounding the topical – not to say controversial – area of international data transfers. On October 7th, US President Joe Biden signed the EU-US Data Privacy Framework (EU-US DPF) into law.

The objective of the new EU-US DPF is to allow data to flow freely and safely between the EU and participating US businesses by resolving US Government surveillance issues.

In response to the Executive Order, the European Commission released its Q&As and announced its draft adequacy decision on December 13th. It also launched its adoption procedure, which could now take up to an additional six months.

The framework will require that the US conducts signals intelligence activities only in pursuit of defined national security objectives (e.g. terrorism). It must consider the privacy and civil liberties of all persons regardless of nationality or residence, and should only carry out these activities when necessary and in proportion to a validated intelligence priority.

It will be two to three years before we know if this framework can serve as a long-term solution for EU-US data transfers, since it will inevitably be subject to legal challenges once implemented. The privacy activist Max Schrems was sceptical, calling it an agreement in principle, with no text available to analyse yet. IAPP’s roundup of data protection developments also noted the potential for a challenge in the CJEU. It also referred to the possibility of stricter EU data localisation.

How will this affect organisations?

• Lower risk for non-compliance and possible fines once this is in place
• More legal certainty for transfers
• Less complication surrounding transfers
• The redress option for US law enables infringements of the data protection rules to be identified and punished in practice and offer legal remedies to data subjects.

No nonsense for GPDR violations

The Data Protection Commission had yet another year of dishing out substantial fines, the largest being Instagram’s €405 million penalty. The platform is being fined for violating children’s privacy, including publishing children’s email addresses and phone numbers in some cases.

This is the third fine the DPC has issued to a Meta-owned company. The regulator also issued Meta with a €265 million fine and a “range of corrective measures” under GDPR relating to a large-scale data breach that was uncovered in 2021.

The decision follows an inquiry investigating data processing carried out by Meta using Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools between May 25, 2018, and September 2019. The material issues in this inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default. The fine is the third largest GDPR penalty served to date, following a €405 million fine from Ireland to Meta in September.

European data regulators issued €2.92 billion in GDPR fines last year, according to DLA Piper. The global law firm also found that 2022 was a record year for regulatory action with a 168 per cent year-on-year increase in the total fines issued across Europe.

It is clear that there is no-nonsense approach for GDPR violations four years on from its enforcement. The DPC sent a draft decision to the other EU regulators which sets out its intention to ban Meta (Facebook) from transferring personal data to the USA. This has the potential to cut off EU access from services including Facebook and Instagram. This will have a huge effect if it goes ahead. The European Court of Justice also upheld the €225 million fined to WhatsApp.

Year after year, it appears regulation gets tougher and pricier.

What does 2023 have in store for us?

After some key developments for data protection in the last 12 months, 2023 is sure to be yet another interesting year, jam-packed with fines, legislation, cases and more.

Certification is key

A new certification system aims to make it easier for businesses and citizens to better understand the GDPR and avoid penalties. Organisations should seriously consider this coming into 2023.

Europrivacy, a European research project co-funded by the European Commission, is the first to have its GDPR certification scheme officially endorsed by the European Data Protection Board. It aims to encourage companies to be more proactive in getting independent third-party validation of how they process data and comply with EU privacy rules. Europrivacy covers all EU countries, and considers both the GDPR and national data protection requirements in its criteria.

The certification encompasses a wide range of data processing operations in many sectors. It can help data controllers and data processors certify their activities are valid in all member states. Companies can use the certification scheme to increase the value of their businesses and trust in their services.

Organisations can use Europrivacy to:

• assess the compliance of their data processing activities
• select data processors
• assess the adequacy of cross-border data transfers
• assure citizens and clients of the adequate processing of their personal data.

There are different stages to getting certified having the certifications can aid with:

• Transparency and information
• Having in place appropriate technical and organisational measures for accountability and security
• Complying with data protection by design and by default
• Demonstrating that you have in place sufficient guarantees and appropriate contractual documents in relation to third parties such as processors, sub-processors or joint controllers:
• Demonstrating you have in place appropriate measures for transfers of personal data to third countries.

Conclusion

There seems to be a heavy sway towards stronger regulation and protection for data subjects, with large fines for noncompliance and a safer mechanism for transferring data out of the EU and laws that will regulate a previously unrestricted area. With another year passing, data protection and privacy continues to be taken more seriously by companies, individuals, and regulators.