It is 2022 already, but the GDPR still makes it to the headlines. Aside from 2018, when it first came into effect, 2021 was probably the most exciting year for privacy professionals as well as for the businesses that need to implement the GDPR in their day-to-day operations.
We are still in the aftermath of the Schrems II decision, which made EU-US data transfers extremely tricky, and in the middle of the negotiations over the ePrivacy Regulation, which is meant to repeal the ePrivacy Directive.
Here we will give a quick summary of what happened to the GDPR in 2021 to figure out what has been going on, where we are now, and where we are going.
We will cover:
The Schrems II judgment annulled the EU-US Privacy Shield in 2020. As a result, data transfers from the EU to the US are illegal without supplementary measures, and those measures are not easy to implement.
This means that there are ways to transfer data from Europe to the United States, but they are so complicated that companies often circumvent the rules and do not respect them.
Users seem not to care too much about that, but that doesn’t solve the problem. International data transfers have to be legal, and companies need to know how to make them legal.
Nevertheless, in 2021 data transfers were a mess. The general perception is that most transfers to the US are not lawful, simply because Standard Contractual Clauses or similar transfer tools are not sufficient on their own.
Although the EDPB recommended specific supplementary measures, these measures were overwhelming for most companies or could make the processing nearly impossible.
Data flows between Europe and the US are too important for technological development, however, so politicians on both sides of the Atlantic are looking for a solution. The EU-US Trade and Communication Council has also been formed.
It supports the talks that are underway, and we may expect a specific agreement to be reached soon. Companies transfer data all the time, and they are mostly on the wrong side of the law, so an agreement that simplifies transfers would be a great relief for everyone.
So far, the European Commission has adopted new Standard Contractual Clauses, but we know that without the supplementary measures these clauses are not useful.
All we know for now is that companies need clear directions and requirements that are easy to comply with.
Governments’ role in this mess, though, is not to make it easy for companies, but to ensure that data privacy rights are being protected. Having that in mind, we wait for
A similar mess was about to happen in EU-UK data flows after Brexit. The United Kingdom became a third country that was not on the list of countries with an adequacy decision.
The UK government found a pragmatic solution: it passed the UK GDPR, which has pretty much the same text as the EU GDPR. That made the European Commission’s job easier when the adequacy decision was on the table.
At the same time, the UK and US governments are pushing for an agreement that would simplify the data transfers between the two countries.
The ePrivacy Regulation is a new data protection law of the European Union aiming to replace the ePrivacy Directive. Technology has changed significantly since the directive came into effect, hence the need for a new law.
The regulation will build upon the experience gained with the GDPR. The GDPR seems to fall short on the user experience of the consent request requirements, particularly the cookie banners, and the ePrivacy Regulation aims to streamline this experience.
Moreover, it contains provisions to clarify the rules for the collection and processing of metadata.
However, the provisions on cookie banners seem to be the most important. Negotiations were hard and resulted in multiple amendments to the initial draft.
NOYB, whose most prominent member is Max Schrems, has a take on cookie banners.
Cookie banners are annoying for many internet users. But when they are sneaky and non-compliant, they are very annoying. Max Schrems aims to tackle that.
The average internet user is not yet aware of how they should be asked for cookie consent. NOYB, on the other hand, does know. That’s why they started submitting complaints against random non-compliant websites on the internet.
Many websites are not compliant yet.
They had their first win when the Austrian court decided that the data transfers involved in using Google Analytics (GA) are not compliant.
It is obvious that GDPR has a global impact. In the beginning, it raised the question “Do we really need this law?”.
The answer caused many governments all around the world to pass online privacy legislation that closely resembles the EU regulation.
Here are a few countries that passed new laws, or whose laws came into effect, in 2021:
However, these laws are not as comprehensive as the GDPR. It is clear that the wave of GDPR-like legislation creates pressure on legislators in the US, yet the laws they pass do not limit data collection and processing, do not require users’ consent for data processing, and guarantee only a limited set of data subject rights.
2021 was the year of the greatest GDPR fines.
According to a survey by DLA Piper, GDPR fines have risen sevenfold since 2020. Aside from the total amount of fines imposed, 2021 also brought the largest individual GDPR fines so far.
The top 10 of them include:
Having said all of this, it turns out that 2021 was a year of navigating the legal labyrinths created by existing laws and judicial decisions, of waiting for new and simpler laws, and of big and small companies alike receiving large penalties for non-compliance with the GDPR.
The events of the past year imply that the most prevailing issues of 2022 will be: