Developments in the world of data protection are unceasing. Let’s have a look at the top five European trends we see for the months ahead.
Data transfers still in the spotlight
Following the Court of Justice of the European Union’s (CJEU’s) Schrems II ruling on 16 July 2020, the activity around data transfers outside the European Economic Area (EEA) has been intense.
Numerous data protection authorities (DPAs), such as the European Data Protection Board (EDPB), the German data protection conference, the Dutch DPA and the Spanish DPA, have adopted statements. And the European Commission has published a new set of standard contractual clauses (SCCs) for the transfer of personal data to third countries, as well as new SCCs for controllers and processors located in the EU.
A lot of guidance on the impact of the Schrems II ruling is already available. For example, the EDPB has issued recommendations on supplementary measures following Schrems II, as well as the recommendations on the European Essential Guarantees for surveillance measures. The German DPA of Rhineland-Palatinate has published a checklist on third-country data transfers, and the EDPB and EDPS have issued a joint opinion on the new SCCs. But organisations are still not entirely clear how they can legitimately transfer personal data outside the EEA.
This uncertainty has been compounded by Brexit and the questions around UK’s adequacy. This is likely to last – at least – until the new SCCs are finally adopted.
Discussions around ePrivacy to continue
Originally intended to come into effect on 25 May 2018, almost three years and nine(!) EU Council presidencies later, the EU Council reached a compromise agreement on their position on the ePrivacy Regulation. The Portuguese presidency’s draft will now serve as the basis for talks with the European Parliament. Debates will therefore continue. For further details, see our blog post.
While awaiting the final text, ePrivacy issues, especially cookies, will command centre stage. Many regulators – such as the DPAs of France, Ireland, Germany and Spain – adopted guidance in 2020 on the use of cookies and other trackers. But the recent ePrivacy fines decisions in France show that DPAs are willing to enforce the legislation. The recent French DPA’s statement, which reminds businesses of the applicable rules and urges them to ensure their websites and apps comply with the applicable new cookie rules by 31 March 2021, confirm this enforcement trend.
Minors’ rights to be further strengthened
Already on the agenda of many regulators, the protection of minors and their personal data is going to be one of the DPAs’ top priorities. While awaiting the French DPA’s conclusions on minor rights in the online environment, the UK DPA announced in a blog post that the transition period for its September 2020 Age Appropriate Design Code was coming to an end. The authority went on to say that it will be working hard to help organisations make the necessary changes to comply with the law.
In parallel, the Italian DPA has started enforcement actions and has made requests for information to social networks in relation to the processing of minors’ personal data.
Finally, potential class actions with respect to the processing of minors’ personal data confirm that protection of minors will be a hot topic.
Anonymisation to remain key
For a long time now, anonymisation has been at the heart of discussions and many DPAs, such as those in Ireland and Spain, have already issued related guidelines.
Particular interest was further shown last year with the French DPA also adopting guidance on the reasons and methods to anonymise data. However, real activity came from Germany with:
- the Federal Commissioner for Data Protection and Freedom of Information adopting a position paper on anonymisation under the EU General Data Protection Regulation (GDPR);
- the Germany Digital Association adopting guidance on anonymisation and pseudonymisation of data for machine learning; and
- the Federation of German Industries issuing a guidance paper (which Freshfields provided substantial input into).
Even though the various guidelines should help organisations get a better grasp of the technical, organisational and legal requirements around anonymisation, the topic remains a very challenging one and we can expect many more developments on the issue in the coming months.
An ever-more complex privacy landscape
More and more data protection legislation either modelled closely on the GDPR or with strong standards of protection is emerging across the globe. And while organisations are still having to contend with the complexities of the GDPR almost three years after it came into force, Europe’s data privacy landscape is set to get even trickier,
The EU strategy for data aims to create a single market for data that will ensure Europe’s global competitiveness and data sovereignty. The proposed regulation will not only fundamentally transform the privacy landscape: the Data Governance Act is supposed to increase trust in data sharing, strengthen mechanisms to increase data availability and overcome technical obstacles to the reuse of data. Additionally, the Digital Services Act package encompasses a single set of new rules across the EU.
On a national level Germany’s data strategy aims to strengthen individuals’ data sovereignty. With over 240 measures, the strategy could make Germany a trailblazer in the innovative use and sharing of data in Europe.
Germany has also recently enacted its Competition Digitisation Act, which introduces potentially sweeping data-access rights. It will be interesting to see how the German Federal Cartel Office will choose to enforce the new rules. Indeed, in the past, the German competition law authorities and courts have shown a lot of interest in data protection issues in the context of competition law and the fight against potential constraints. For a more in-depth review of this piece of legislation, read our blog post.
Finally, while we await the first EU ‘collective actions’ under the new Representative Actions Directive (likely from 2023 onwards) that could impact data protection, particularly interesting developments may already come from the CJEU’s request for a preliminary ruling submitted by the German Federal Supreme Court. The CJEU is expected to assess whether the GDPR empowers competitors and associations to bring proceedings before civil courts for GDPR breaches. This would be independently of the infringement of specific rights of individuals and without being mandated to do so by a data subject, on the basis of unfair commercial practices, breach of consumer protection law or invalid T&Cs.
It seems that 2021 will definitely be a busy year!