It is 2022 already, but the GDPR still makes it to the headlines. Aside from 2018, when it first came into effect, 2021 was probably the most exciting year for privacy professionals and businesses that need to implement GDPR into their day-to-day operations.
We are still in the aftermath of the Schremms II decision, which made EU-US data transfers extremely tricky, and in the middle of the negotiations of the ePrivacy Regulation, which should repeal the ePrivacy Directive.
Here we will summarize what happened to the GDPR in 2021 to figure out what has been going on, where we are now, and where we are going.
We will cover:
The Schremms II judgment annulled the EU-US Privacy Shield in 2020. As a result, data transfers from the EU to the US are illegal without some supplementary measures that are not easy to implement.
This means there are ways to transfer data from Europe to the United States, but it is so complicated that companies often circumvent the rules and do not respect them.
Users seem not to care too much about that, but that doesn’t solve the problem. International data transfers must be legal, and companies must know how to make them legal.
Nevertheless, in 2021 data transfers were a mess. The general perception is that most transfers to the US are not lawful simply because Standard Contract Clauses or similar transfer tools are not sufficient.
Although the EDPB recommended specific additional measures, these measures were overwhelming for most companies or could make the processing nearly impossible.
Data flows between Europe and the US are too important for technological development, so politicians from both sides of the Atlantic are looking for a solution. The EU-US Trade and Communication Council has been also formed.
It helps the talks that are underway and we may expect a specific agreement to be reached soon. Companies always transfer data; they are mostly on the other side of the law. Hence an agreement that simplifies transfers would be a great relief for everyone.
So far, the European Commission has adopted new Standard Contractual Clauses, but we know that these clauses are not useful without supplementary measures.
All we know for now is that companies need clear directions and requirements that are easy to comply with.
The government’s role in this mess is not to make it easy for companies but to ensure that data privacy rights are being protected. Having that in mind, we wait for
A similar mess was about to happen in the EU-UK data flows after Brexit. The United Kingdom became the third country, not on the adequate countries list.
The UK government found a pragmatic solution – they passed the UK GDPR law, which has the same text as the EU GDPR. The EC job was easier when the adequacy decision was on the table.
At the same time, the UK and US governments are pushing for an agreement that would simplify the data transfers between the two countries.
The ePrivacy Regulation is a new data protection law of the European Union aiming to replace the ePrivacy Directive. Technology has changed significantly since the directive has come into effect, hence the need for a new law.
The regulation will build upon the experiences of the GDPR. GDPR seems to come short in the user experience of the consent request requirements, particularly the cookie banners, and the ePrivacy Regulation aims to streamline this experience.
Moreover, it contains provisions to clarify the rules for collecting and processing metadata.
However, the provisions on cookie banners seem to be the most important. Negotiations were hard and resulted in multiple amendments to the initial draft.
NOYB, whose most important member is Max Schremms, has a take on cookie banners.
Cookie banners are annoying for many internet users. But, when they are sneaky and non-compliant, they are very annoying. Max Schremms aims to tackle that.
The average internet user is not yet aware of how they should be asked for cookie consent. NOYB, on the other hand, does know. That’s why they started submitting complaints against random non-compliant websites on the internet.
Many websites are not complaint yet.
They had the first win when the Austrian court decided that the data transfers with GA were not compliant.
GDPR has a global impact. In the beginning, it raised the question, “Do we need this law?”.
The answer caused many governments worldwide to pass online privacy legislation resembling the EU regulation.
Here are a few countries that have passed new laws or their laws came into effect in 2021:
However, these laws are not as comprehensive as the GDPR. The wave of GDPR-like legislation creates pressure on legislators in the US. Yet, the laws they pass do not limit the data collection and processing, do not require users’ consent for data processing, and guarantee a limited amount of subject data rights.
2021 was the year of the greatest GDPR fines.
According to a survey by DLA Piper, the GDPR fines have risen 7x since 2020. Aside from the total amount of imposed fines, 2021 brought the largest GDPR fines.
The top 10 of them include:
Having said all this, it turns out that 2021 was the year of navigating the legal labyrinths created by the existing laws and judicial decisions and expectations for new and simpler laws, while big and small companies receive big penalties for non-compliance with the GDPR.
The events of the past year imply that the most general issues of 2022 will be: