Five years ago, on May 25th, 2018, the GDPR became enforceable. To mark this anniversary, Alex Carroll, a privacy consultant at TechGDPR, reflects on the changes that took place in the European privacy landscape over that period, considers the opportunities it has created for organizations and provides some insights into what organizations should look out for in the next five years.
Changes to Date
1. Reactions to Novelty
The fundamental principles of data protection found in Article 5 of the GDPR were not created with the Regulation but had enjoyed successful international and European iterations in the forty-plus years that preceded it; yet it appears many organizations woke up to the principles of data minimization, purpose limitation or privacy by design on May 25th, 2018.
Since then, the regulatory landscape has changed somewhat and a high number of data protection cases were presented and ruled on in court. The European Data Protection Board (EDPB) has provided prolific guidance readable by experts and non-experts alike; while individual Supervisory Authorities (SAs) have been busy advising companies, members of the public and DPOs, investigating processing practices and ordering companies to comply, occasionally issuing fines to those who ignored the recommendations.
Many companies have taken the challenge very seriously, but others still believe they can fly under the supervisory radar. This is not particularly intentional; they likely think the Regulation does not apply to them. Often, new clients formulate needs based on misconceptions as to the scope of the Regulation or based on the misguided belief they do not process PII. While they might not process PII, they are still likely to process personal data, the very asset the framework regulates and it is arguably only a matter of time before they are called out by disgruntled employees or dissatisfied service users. The general public has become increasingly savvy about their rights and how to exercise them, and many companies are not listening to the tell-tale signals from customer support, sales, and procurement teams and eventually find out the hard way.
Then in July 2020, a not-so-unexpected ground-shaking development, the so-called Schrems II ruling of the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield framework, relied upon by 5000+ US companies, many of which acting as suppliers of services to EU companies. This was a predictable repetition of the Schrems I case, which, five years prior, had invalidated the Safe Harbour. The ruling also placed much more stringent requirements on companies relying on the next available international transfer mechanism, Standard Contractual Clauses (SCCs), making their use insufficient without an accompanying Transfer Impact Assessment (TIA).
2. Increased Awareness
- Reactions from the B2C Sector
There has been an increase in awareness of the general public for privacy rights, sometimes backed by communication campaigns by large platforms like Apple and Google who, under impulse from court decisions, strategized privacy as a market differentiator, offered more transparency or user control -e.g. the reject-all-cookies button on Youtube- and imposed, in their marketplaces, more stringent conditions for app publishers or removed them altogether.
- Reactions of the B2B Sector
But for most companies, the impetus has come from a mix of ethical and commercial factors, chiefly pushback from B2B clients with increasingly demanding procurement checklists. Before Schrems II, it was common to talk to vendors who had little understanding of the Regulations and virtually no preparedness. The Schrems II decision was the necessary awakening for a lot of companies to get DPAs in place and address transfers. Nowadays, few processors in the US, for example, show resistance or lack of knowledge as to what is expected in EU client contracts by virtue of statute.
3. Predictable Changes
Much like the Schrems II case, Brexit also did not come from leftfield. It turned the UK into a non-EU-country and quickly got adequate country status from the EU Commission. The UK GDPR is similar to its mainland counterpart, and while the British supervisory authority indicates EDPB guidance on Transfer Impact Assessments is still valid, some companies have chosen to perform them the UK way in anticipation of further deviation from EU data protection by the UK. The UK’s adequacy status will be reviewed by June 2025, and by then, such anticipation may have proven worthwhile.
4. Increased Enforcement and Fines
There has been a significant increase in enforcement actions and fines across the EU. The biggest to date was handed to Meta on May 12th at € 1.2 billion for sending Facebook data back to the US, despite implementing new SCCs and additional supplementary measures found not to address the risks to the fundamental rights and freedoms of data subjects.
To name a few others, Google was fined €50 million for violating transparency and lawfulness obligations, and the Spanish bank BBVA, €5 million for similar violations, while TikTok was fined €5 million for making it harder to refuse cookies than accept them. Instagram was fined €405 million for privacy settings inadequate for child use. Amazon was fined €746 million for, though unconfirmed, targeted advertising; this is worth singling out as perhaps being the closest to a large class action, which the GDPR provides for.
5. Coordinated Task Forces
The EDPB responded to complaints filed by Schrems’ NOYB, and under its consistency mechanism, set up a cookie banner task force to assess dark patterns in cookie implementation and exchange views on legal analysis and possible infringements. Another NOYB complaint, following the Schrems II case, found many transfers to be still based on the invalidated Privacy Shield. Anonymization of the IP address only after the data is sent out of the EU was unsurprisingly found insufficient and of accountability was found lacking in joint-controllership scenarios or when relying on data controllers that do not provide sufficient guarantees.
6. An Opulence of Tools to Choose From
- Press Releases from Supervisory Authorities and Case Law
Following the Schrems II decision, a flurry of press releases were published by authorities across the EU, warning about the implementation of vendors like Google Analytics, Google Fonts, and Mailchimp and advising on feature settings or the deprecation of such tools. As case law provides a constant feed of insights into applications of the law. A highly recommended newsletter subscription on the topic is that of NOYB itself, which provides the EU round view of lower-profile rulings.
- The Resourceful DPO
DPOs who are successful at establishing communication channels within their companies are faced with daily questions from their colleagues, vendors, and partners alike. To help them, many answers have made their way into the 30+ guidance documents provided by the EDPB. Arguably, the ones that have been most relied on include updated guidance on the concepts of controller and processor, updated recommendations on measures that supplement transfer tools, guidelines on the territorial scope of the GDPR, guidance on the interplay between that scope and transfer requirements.
- Support from the Fields of Cybersecurity and Compliance
The EU Agency for Cybersecurity (ENISA), known for its cybersecurity certification schemes, released its Pseudonymisation Techniques and Best Practices in 2019. Yet it should be noted that national initiatives are equally welcomed and constitute complementary material in the DPO’s toolbox. One such contribution in Germany is the Practical Guide to the Anonymisation of Personal Data from the Stiftung Datenschutz, the data protection foundation, which helps consider the relationship between the practical side of the technique and German national legal requirements. Specific to the GDPR’s Article 25 requirement to design data processes that are the least privacy-invasive, the ISO’s consumer protection technical committee published the ISO 31700-1:2023 Privacy by design for consumer goods and services, establishing high-level requirements to protect privacy throughout the lifecycle of a consumer product.
Opportunities for the Privacy Profession
It may sound bold but it can be argued that regulators do not intend for companies to be 100% compliant, but rather expect them to act responsibly. There is no such thing as total compliance, and relevant certification frameworks have only just started to emerge, like ISO/IEC 27701 and more recently, Europrivacy. Much like implementing an ISMS, the focus should be on the journey (the process improvement) rather than the destination (the certification). A sizeable difference, however, between complying with security standards, which are still largely normative, and conforming to the law is that in the former, the CISO serves company interests, while in the latter, the DPO serves data subject interests.
1. Fixing Compliance with the Data Protection Office
Many organizations have chosen to appoint a Data Protection Officer (DPO) in an attempt to “man the problem”, and in so doing, have defaulted to being hands-off, assuming one person alone would bring the organization into compliance with little-to-no disruption to operational models.
A suitable analogy there would be the appointing of an ISO/IEC 27001 lead implementer, expecting them to get the organization certified within a year while failing to communicate top-down on security objectives and failing to assign responsibilities, promote multidisciplinary contributions or adequately resource the effort. Additionally, the misconception around the tasks and the independence of the DPO leads to invalid internal DPO appointments. Conflicts of interest happen when DPOs are expected to report to CFOs or CTOs or when the DPO also happens to be head of security, CISO or CEO. A DPO must be seen as an independent representative of the data protection authority, holding office within the organization and reporting to the highest form of management, i.e. CEO or board of directors.
2. The DPO of 2023
While the role of the DPO is still unclear for many organizations, DPOs themselves have had five years to better understand their challenges and sharpen their ability to establish and manage comprehensive privacy programs, while monitoring the fast-changing regulatory landscape and adjusting the compliance roadmap accordingly. For DPOs with little-to-no support nor robust project management skills and tools, the last five years will easily have triggered a burnout or two.
3. The DPO of Tomorrow
With the Cybersecurity Act, the DPO, already the bestplaced contact person for all things data, compliance, and due diligence, is likely to play a stronger advisory role in data governance but also security-related fields like encryption, pseudonymization, the degree of anonymity, the review of access rights and the performing of control audits. This will lead to more tailored training opportunities for the wider organization that help it fathom the relationship between information security and data protection and leverage both as factors of competitiveness.
4. Raising the Awareness of Stakeholder Groups
Central to the DPO’s advisory role is their ability to raise awareness. This is a starting point in any program and any discussion. Yet data protection training mostly focuses on operational staff, while top candidates for training remain C-level executives. As powerful proponents for the inclusion of privacy into company-wide OKRs, their understanding of what the DPO can and cannot do helps better resource, designate owners and sign off on efficient privacy programs. This in true conformance with clause 5.1 of ISO/IEC 27001 and its expectation for demonstrated leadership and commitment.
Sales teams receive procurement inquiries pertaining to privacy, such as questions about use, storage and international data transfers. As basic due diligence, procurement teams need to understand what questions to ask and how to spot a vendor full of marketing hot air. Process and data owners are responsible for updating records of processing activities, the cornerstone of GDPR compliance, from which obligations around transparency and lawfulness are established. Importantly, design and product teams are the champions of privacy by design, a core principle of the Regulation. Finally, staff at large need to be aware of what sensitive data is and how to handle it. They need to recognize incidents or breaches and report them by means of well-established processes, because when a breach happens on a Friday night, the data controller only has 72h to report it to its registered authority.
5. Implementing Basic Principles
Training turns practitioners from maverick innovators (e.g. sharing, reusing, but also losing, corrupting, or misusing data) to responsible data handlers based on simple principles anyone can understand (such as transparency, lawfulness, security, and accountability). Yet most companies have trouble implementing data minimization or defining and implementing data retention schedules. This is true of marketing, where the more data, the merrier. Data minimization is also problematic with AI where models are trained on quantitative volumes to identify qualitative patterns. Machine learning triggers violations of transparency as data is not traceable collected with the transparency expected of data controllers. Put simply, model trainers are essentially non-compliant data controllers, unable to fulfill obligations they are unaware apply to them. Additional violations include those of purpose specificity and purpose limitation, where data is collected and consolidated, oftentimes prior to there being a specifically defined, communicated, or legitimized purpose for either of these two activities.
What to Expect in the Next Five Years
1. Cookie Cleanup
In 2023, cookies are only slightly less of a pain than they used to be. This has nothing to do with the Regulation and everything to do with companies exploiting dark patterns.
Some rely on third-party solutions for their banners or on Consent Management Platforms (CMPs). One such CMP, IAB Europe, which appealed its €250.000 fine from the Belgium supervisory authority, did not initially recognize its data controller role and let implementers of its consent transparency framework set audience tracking and profiling cookies by default, leading them to believe this practice was valid.
It is perhaps worth myth-busting here that no vendor solutions, be it a CMP, cookie banner solution or other intermediary- provides compliance to data protection law, as such. If solutions are not scrutinized, additional clarifications not requested, or limitations of liability are not challenged, chances are clients assume compliant risk from the outset, with a very false sense of having done what was needed.
- Legitimate Interest Cookies
The same can be said for the dark practice of not setting cookies by default (great) while relying on the legitimate interest as an alternative to user consent and making it hard for visitors to object to that interest (very bad). The intersection of the ePrivacy Directive and the GDPR dictates that consent is the only legal base that can be implemented for non-essential cookies. Be on the lookout for enforcement cases.
- The End of the Cookie Nightmare?
In the past, a lot of uncertanty resulted from national implementations of the ePrivacy Directive, and their interactions with national implementation of data protection acts. On the one hand, the Directive stipulates that read and write operations on user terminals require consent unless the cookies are absolutely necessary to deliver the content, whereas the GDPR provides modalities on what constitutes valid consent.
Note the so-called cookie Directive was last updated in 2009 when smartphones and online services were far less ubiquitous. The privacy community has great expectations for the e-Privacy Regulation due in 2024, to potentially provide clarity on communication metadata, and more enforceable rules on cookies and spamming.
Whilst on client browsers, the age of the cookie is far from over, it is recommended to monitor the emergence of a flurry of more user-friendly and privacy-preserving audience measurement and advertising techniques.
2. Further Regulation of Cybersecurity
- The NIS2 Directive
NIS2 will become enforceable in October 2024. It lays down obligations for EU Member states to adopt strategies and establish competent authorities. It applies to public or private SMEs of a specific type that provide their services or carry out their activities within the Union. Much like the GDPR, it emphasizes accountability and reporting and the immediate breach notification. Companies should already be on the lookout for member state transpositions of the requirements into national law.
- The Cybersecurity Act
In the past, the adoption of national cybersecurity certifications has led to divergence and has prevented mutual recognition. The CSA aims to enhance cybersecurity protection in the EU by streamlining certifications. It also provides a permanent mandate the European Union Agency for Cybersecurity (ENISA). Companies that manufacture or provide ICT products, services, and processes will need to review their current cybersecurity practices, processes, and standards to ensure they comply with the new certification requirements. Whether they are candidates for compulsory certification should be clarified by member states by the end of the year.
- AI
The EDPB recently established a task force to promote consistent and effective enforcement of data protection laws with respect to artificial intelligence and natural language processing technologies, and to ensure the correct and consistent application of the GDPR by national DPAs. This follows from an injunction taken by the Italian DPA against OpenAI, while more authorities are expected to follow suit, such as the German Datenschutzkonferenz, the French CNIL, and the Privacy Commissioner of Canada.
The UK has launched a consultation on new AI regulations that would similarly require companies to comply with transparency and accountability requirements when using AI systems.
3. Six More EU Data Regulations to Look Out For
- Digital Markets Act (DMA) and Digital Services Act (DSA)
In late 2022, the DMA and DSA came into force. It aims to create a safer digital space protecting the fundamental rights of users and aims to establish a level playing field for businesses, ultimately fostering innovation, growth, and competitiveness in the single market and globally. In April, the EU Commission adopted the first decisions, designating 17 very large online platforms that reach at least 45 million monthly active users (Alibaba, AliExpress, Amazon Store, Apple AppStore, Booking.com, Facebook, Google Play, Google Maps, Google Search, Google Shopping, Instagram, LinkedIn, Pinterest, Snapchat, TikTok, Twitter, Wikipedia, YouTube, Zalando) and two very large online search engines, Google and Bing. Because these gatekeepers centralize vast quantities of user information, the DMA and DSA exacerbate GDPR requirements for transparency and accountability while promoting user empowerment, stronger protection of minors, more diligent content moderation and less disinformation. The UK government is also developing its Online Safety Bill to address online harms, including the spread of misinformation, hate speech, and other harmful content. The proposed legislation will require online platforms to take more responsibility for the content posted on their sites and to protect users from harm.
- The Data Act
The Data Act being discussed at the EU Parliament will harmonize rules on fair access to and use of data for businesses to easily switch their data and other digital assets between competing providers of cloud and other data processing services. The creation of a common European interoperability framework, data spaces for strategic sectors of the economy, and domains of public interest should encourage a market for data enabling sharing and use across sectors. Non-personal data should also be shared, i.e. monetized.
- The Artificial Intelligence Act (AI Act)
Similar to the scope of the GDPR, the act will apply to providers and implementers of AI systems located within the EU as well as those located in a third country, where the output produced by the system is used in the EU. It aims at guaranteeing safety and the respect of existing law by considering the fairness, security, and robustness of AI algorithms by heightening transparency requirements. Like the GDPR, the Artificial Intelligence Act takes a risk-based approach but is more practical and places AI systems into four risk categories from low to unacceptable with, for example, requirements for high-risk systems to include: a risk management system, data governance, technical documentation, transparency, human oversight, accuracy, robustness, and cybersecurity. Worth noting is that maximum fines will be 50% higher than those of the GDPR. The law will also prohibit AI-based social scoring done by public authorities, the likes of what the Chinese government allows. Current debate indicates the intention to extend this ban to private actors as well.
- The AI Convention
The AI Convention of the Council of Europe is being drafted to serve as a convention on artificial intelligence, human rights, democracy, and the rule of law. The AI Convention will be the first legally binding international instrument on AI and will be open to non-EU states.
- European Data Governance Act (DGA)
The DGA will apply from 24 September 2023. It provides a cross-sectorial framework to make the planned data market a reality. More data should become available by regulating the re-use of publicly held, protected data, and promoting data sharing by regulating new data brokers that act as marketplaces while also encouraging the sharing of data for altruistic purposes. The DGA establishes a European Data Innovation Board, extends to data intermediation service providers and most importantly, applies to both personal and non-personal data. As data is intended to flow freely, innovation will flourish as market entry costs are lowered for smaller companies.
4. Looking Ahead
- EU-US Data Transfer Framework, Schrems III in Waiting?
A hot topic that organizations should monitor closely is that of a much-needed future-proof adequacy decision. The Safe Harbour and Privacy Shield were invalidated in 2015 and 2020, respectively by the EU Court of Justice in the so-called Schrems I and II cases. The privacy community is on standby as litigation is already expected to ensue if an adequacy decision comes through. For instance, it is widely recognized that no agreement can effectively limit US intelligence agency from accessing EU-citizen data stored in, or accessible from, the US and simultaneously provide data subjects with adequate redress mechanisms.
- Enforcement Actions are Expected on DPO Appointments
The EDPB has just launched a coordinated enforcement action on DPOs to better assess their designation, knowledge, and experience. But this is perhaps not so much about the DPOs as it is about the organizations employing them.
Expect enforcement to focus on the possible conflict of interest of the internally appointed DPO, whether they are able to report directly to the highest management, how well they are resourced, or made to remain independent and effectively perform their tasks. As a CEO, ensure you sit down with your DPO and align your respective understanding of GDPR articles 37 to 39.