GDPR in 2021: What Happened and What Is Down the Road?

Petar Todorovski

By Petar Todorovski . 15 February 2022

Data Privacy Specialist

Miklos Zoltan

Fact-Checked this

It is 2022 already, but the GDPR still makes it to the headlines. Aside from 2018 when it first came into effect, 2021 was probably the most exciting year for privacy professionals as well as the businesses that need to implement GDPR into their day-to-day operations.

We are still in the aftermath of the Schremms II decision, which made EU-US data transfers extremely tricky, and in the middle of the negotiations of the ePrivacy Regulation, which should repeal the ePrivacy Directive.

Here we will make a quick summary of what happened to the GDPR in 2021 to figure out what has been going on, where are we now, and where we are going.

We will cover:

  • Schremms II Decision effects
  • UK GDPR
  • ePrivacy Regulation
  • NOYB complaints
  • GDPR influence worldwide
  • GDPR fines

    GDPR in 2021

    Schremms II Aftermath

    The Schremms II judgment annulled the EU-US Privacy Shield in 2020. As a result, data transfers from the EU to the US are illegal without some supplementary measures that are not easy to implement.

    This means that there are ways to transfer data from Europe to the United States, but it is so complicated that companies often circumvent the rules and do not respect them.

    Users seem not to care too much about that, but that doesn’t solve the problem. International data transfers have to be legal and companies need to know how to make it legal.

    Nevertheless, in 2021 data transfers were a mess. The general perception is that most transfers to the US are not lawful simply because Standard Contract Clauses or similar transfer tools are not sufficient.

    Although the EDPB recommended specific supplementary measures, these measures were overwhelming for most companies or could make the processing nearly impossible.

    Data flows between Europe and the US are too important for technological development, however, so politicians from both sides of the Atlantic are looking for a solution. The EU-US Trade and Communication Council has been also formed.

    It helps the talks that are underway and we may expect a specific agreement to be reached soon. Companies transfer data all the time, they are mostly on the other side of the law, hence an agreement that simplifies transfers would be great relief for everyone.

    So far, the European Commission has adopted new Standard Contractual Clauses, but we know that without the supplementary measures these clauses are not useful.

    All we know for now is that companies need clear directions and requirements that are easy to comply with.

    Governments’ role in this mess, though, is not to make it easy for companies, but to ensure that data privacy rights are being protected. Having that in mind, we wait for

    UK GDPR

    A similar mess was about to happen in the EU-UK data flows after the Brexit. The United Kingdom became a third country that was not on the adequate countries list.

    The UK government found a pragmatic solution – they passed the UK GDPR law, which has pretty much the same text as the EU GDPR. It made the EC job easier when the adequacy decision was on the table.

    At the same time, the UK and US governments are pushing for an agreement that would simplify the data transfers between the two countries.

    ePrivacy Regulation

    The ePrivacy Regulation is a new data protection law of the European Union aiming to replace the ePrivacy Directive. Technology has changed significantly since the directive has come into effect, hence the need for a new law.

    The regulation will build upon the experiences of the GDPR. GDPR seems to come short in the user experience of the consent request requirements, particularly the cookie banners, and the ePrivacy Regulation aims to streamline this experience.

    Moreover, it contains provisions to clarify the rules for the collection and processing of metadata.

    However, the provisions on cookie banners seem to be the most important. Negotiations were hard and resulted in multiple amendments to the initial draft.

    As it seems now, the user experience regarding cookies improves by allowing users to refuse cookies through their browser settings.

    NOYB Complaints

    NOYB, whose most important member is Max Schremms, has a take on cookie banners.

    Cookie banners are annoying for many internet users. But, when they are sneaky and non-compliant, they are very annoying. Max Schremms aims to tackle that.

    The average internet user is not aware yet of how they should be asked for cookie consent. NOYB, on the other hand, do know. That’s why they started submitting complaints against random non-compliant websites on the internet.

    Many websites are not complaint yet.

    They had the first win when the Austrian court decided that the data transfers with GA are not compliant.

    Worldwide Influence

    It is obvious that GDPR has a global impact. In the beginning, it raised the question “Do we really need this law?”.

    The answer caused many governments all around the world to pass online privacy legislation that closely resembles the EU regulation.

    Here are a few countries that have passed new laws or their laws have come into effect in 2021:

    • Non-EU European countries keep introducing laws to harmonize their national legislation with the GDPR. Some of them, such as North Macedonia, aim to join the European Union in the future, hence they have to align their laws with the EU laws. The law in North Macedonia has come into effect in 2020, but the enforcement came in 2021. Ukraine, despite uncertainty around joining the EU, has a draft law that is now in a legislative procedure. Very soon, all the European countries, both EU member states and non-members, will have comprehensive data protection laws that protect the online privacy of their citizens and require businesses to meet high requirements.
    • South Africa POPIA has come into effect on 1 July 2021. It requires explicit consent for the processing of personal data, introduces data subject rights.
    • Indian government works on the new data protection bill since 2019. The Joint Parliamentary Committee has submitted the report that is expected to be the basis of the new law. If all that is in the report becomes part of the new regulations, for the first time ever Indian citizens will have data subject rights guaranteed by domestic law. Companies to which the law applies will have to process data on the basis of consent or another legal basis. They will have to report data breaches as well. Obviously, the law draws inspiration from the GDPR and other similar laws.
    • Dubai is the only emirate of the United Arab Emirates with its own comprehensive data protection law, but only for the Dubai International Finance Center. Now all the seven emirates are getting prepared for a federal data protection law that would apply to all the companies incorporated in the emirates, as well as to foreign companies processing data of UAE citizens and residents.
    • Australian data privacy law dates back to 1988. It has been updated several times, but it needs another major update. The government has issued a discussion paper outlining what may be changed in near future. It is obvious that they follow the trend set by the GDPR. The proposed changes are related to the limitation of data collection for processing and reliance on users’ consent for processing.
    • Japanese government updated the existing APPI with provisions that make it more similar to the GDPR. Most notably, it introduces data breach notifications and notifications about the disclosure of personal data to third parties. It also recognizes international data transfer as an issue and regulates them in a way that resembles EU law. Data transfers from Japan to third countries, though, are not as complicated as when the exporter is from the European Union.
    • Chinese government updated the Chinese data protection law. It is hard to determine whether the GDPR has had an influence on them or not, but there is no doubt that the changes resemble the EU law. The most important updates are related to international data transfers.
    • Some Canadian provinces, such as British Columbia and Quebec have brought their provincial legislation closer to the one in Europe. Most notably, they require businesses to obtain explicit consent for data processing. These updates have not come into effect yet, but when they do, they will be stricter than PIPEDA, the Canadian federal data privacy law. The federal government has some ideas to update the federal law as well, but there are no particular updates yet.

    The US States Oppose the Trend

    Virginia and Colorado have passed new data privacy laws. Oklahoma, Florida, and Massachusetts are most serious among the states that may follow soon.

    However, these laws are not as comprehensive as the GDPR. It is clear that the wave of GDPR-like legislation creates pressure on legislators in the US, yet the laws they pass do not limit the data collection and processing, do not require users’ consent for data processing, and guarantee a limited amount of data subject rights.

    Fines

    2021 was the year of the greatest GDPR fines.

    According to a survey by DLA Piper, the GDPR fines have risen 7x since 2020. Aside from the total amount of imposed fines, 2021 brought the largest GDPR fines as well.

    The top 10 of them include:

    1. Amazon Europe was fined EUR 746 Million by Luxembourg DPA for using customers’ data for targeted advertising without a proper legal basis;
    2. Whatsapp was fined EUR 225 Million by the Irish DPA for lack of transparency, particularly for not disclosing enough details about data collection and processing;
    3. Notebooksbilliger.de was fined EUR 10.4 Million by the DPA of the German province Lower Saxony for surveilling employees by video means without a legal basis;
    4. Austrian Post was fined EUR 9.5 Million from the Austrian DPA for not allowing users to exercise data subject rights by email, despite responding to their requests submitted via their contact form;
    5. Vodafone Espana was fined EUR 8.15 Million by the Spanish AEPD for a number of violations, including wrongful international data transfers and use of personal data of users who had opted out of processing;
    6. Grindr LLC was fined EUR 6.3 Million by the Norwegian DPA for unlawful sharing of sensitive personal data with third parties;
    7. Caixabank SA was fined EUR 6 Million by Spanish AEPD for processing data without obtaining proper users’ consent for data processing;
    8. Fastweb SpA was fined EUR 4.5 Million by the Italian DPA for a number of violations, including processing personal data without users’ consent;
    9. Sky Italia was fined EUR 3.3 Million by the Italian DPA for multiple violations, including lack of transparency about processing and not obtaining proper consent, and
    10. Caixabank Payments and Consumer EFC was fined EUR 3 Million for not obtaining consent for data processing.

    Final Thoughts

    Having said all of this, it turns out that 2021 was the year of navigating the legal labyrinths created by the existing laws and judicial decisions, expectations for new and more simple laws, while big and small companies receive big penalties for non-compliance with the GDPR.

    The events of the past year imply that the most prevailing issues of 2022 will be:

    1. International data transfers. They have become by far the biggest issue for companies that process personal data on US soil or by using the services of US data processors. Using US processors is the most viable option for businesses worldwide, but US laws do not help. An agreement between the US and the EU may help a lot, though.
    2. Cookie banners. NOYB complaints will, very likely, bring penalties for non-compliant cookie banners. Penalties will make the headlines. The headlines will bring increased awareness about the use of cookies and getting explicit users’ consent. The simplifications promised by the ePrivacy Regulation will be welcome by businesses and internet users.
    3. Huge fines are real. And no one is spared. We can expect more penalties for smaller businesses as well.

    Leave a Comment