Three years of GDPR: looking back and forward
Three years may seem like ages to anyone in the corporate world, but to legal professionals it is as short a season as it is to parents seeing their child grow from infant to toddler.
A lot has certainly happened over these three years.
Policymakers, companies and regulators have homed in on the importance of privacy to businesses, citizens and societies. And the impact of GDPR is felt far beyond the EU borders: since May 2018, 17 countries have adopted privacy legislation, 11 have created a data protection officer requirement, and 60 countries worldwide now have a dedicated data protection authority. Commerce never stays far behind either: the number of global privacy tech vendors has increased from 192 to 355 over the last three years. (Source: IAPP)
Most importantly perhaps, people across the globe have started to take an active interest in the protection of their right to privacy. Citizens are becoming vocal on this topic, supported by robust privacy laws and an increasing awareness of just how pervasive the impact of their social media feeds on their lives can get.
Privacy is hot.
But a lot remains in the pipeline still.
Here are the three developments I look forward to most as we leave privacy childhood behind and enter the age of GDPR adolescence:
1. New standard contractual clauses
At the time of writing we are still eagerly anticipating the European Commission's formal adoption of the new sets of standard contractual clauses, which would qualify as an adequate measure to counter the spectre of the Schrems case law in international data transfers. If, in particular, the implementing decision sheds some light on the requirements for supplementary measures that Schrems II has raised, this would be a welcome evolution indeed.
2. The ePrivacy Regulation
February 2021 saw (at long last) the European Council's proposal of the long-awaited ePrivacy Regulation, which is set to replace (and improve upon) the ePrivacy Directive, now nearing its 20th birthday having entered into force in 2002. Apart from an extended scope (which will include over-the-top (OTT) digital services alongside the classic providers of electronic communication services), we can look forward to a bit more leniency on the ban on "cookie walls" and even a relaxation of the presently ubiquitous informed consent requirement for secondary processing of (pseudonymised) metadata. Most importantly, the ePrivacy Regulation should put to bed some of the headaches around the interaction and interoperability between the ePrivacy legislation and GDPR.
3. An increase in legal certainty
When you talk to privacy managers and in-house DPOs alike, the primary concern they face day to day is the inherent legal uncertainty that results from very complex legislation combined with a high level of fines and reputational risk if things go south. The EDPB (the former Working Party 29) guidelines are invaluable in boosting legal certainty and supporting the privacy community in implementing robust cultures of compliance throughout organisations. So more of the same there, please. An area where there is still much opportunity for development is that of sectoral or industry codes of conduct and monitoring bodies. Few of those exist today, whereas the GDPR considers them a proper tool to contribute to the implementation of its rules (see Article 40). At the same time, it would be great to see an increase in opportunities for data controllers and processors alike to turn to data protection authorities for binding advice on their privacy programmes and measures. In this respect, the "privacy ruling" concept that was recently proposed in the Belgian Parliament is of particular interest. If organisations could have their privacy efforts vetted and approved by DPAs, this would certainly help in fostering compliance.