GDPR is 3 years old today!

Well, that was a year!  The thing with GDPR, is that it’s always so intense that you have to live in the moment, and it’s too easy to forget what things were like even 3 months ago.  You’ve a vague recollection of late nights, sudden panics, paper everywhere (hadn’t we digitally transformed?) and mess, but surely some fun along the way … right?

The Terrible Twos

Even the European Union acknowledged year zero and one had been tough.  Everyone was working out what they needed, where everything was (has that moved?) and how to not be referred to the authorities.

We all knew the Twos were going to be interesting, what with:

• Brexit on the way (or not) (yes, but how, tell me how?),
• new SCCs on transfers and even for processors, and
• Schrems II in the mix as well.

In all these areas, practitioners and Joe Public were hoping (trust is probably too strong a word) that the authorities-that-be would ride in and save the day with enough time and clear guidance to not disrupt organisational planning and operational compliance.

Well, it was ‘interesting’ to say the least.  Transfers took centre stage but there was a rising tide of adoption, broader topics of enforcement, a mass of official guidance, a potential draft e-Privacy Regulation, and movement on AI.

You’ll no doubt have your own list of [high/low*]-lights.  Here’s some of ours that are more operational in character, which is our focus.

3 or 5?

Article 99(2) of GDPR says it ‘shall apply from 25 May 2018’.  Just as laws can be passed on one date and take effect on later dates, we’re following the EC itself and talking about GDPR from the date it applied.

Transfers

In July 2020, Schrems II delivered a verdict well within the bounds of reason and that many had been warning would happen.  Privacy Shield was invalidated with no transitional period, but ‘don’t worry’ said the Court, ‘Article 49 has got your back’.  Except that it doesn’t.

Guidance was slow in coming, and not very helpful, until the EDPB’s twin-set of Recommendations put out for consultation in November 2020 on:

• how to look at transfers and when and how to do a Transfer Impact Assessment, or TIA, and
• how to consider surveillance issues in that TIA.

While still not delivering certainty and a route for transfer, the Recommendations, particularly the first one, do give a helpful structure to look at transfers and confirm some well-established but often confused points which we covered in more detail an article for Thomson Reuters that also covered Brexit.

At the time of writing, we’re still waiting for the successor to Privacy Shield (maybe Safe Shield or ‘Privacy Harbor, this time it’s personal’?).  And not only is there rising angst about transfers between the EEA / UK and the USA, but the focus is sure to expand to include transfers to other popular processor countries such as China, India, the Philippines and South Africa.  Expect this to be huge in the coming months.

Brexit

Brexit finally took place on 31 January 2021 – although not ‘finally finally’ for Data Protection practitioners.  The UK and EU struck a last-minute deal on Christmas Eve that means there’s no transfer for EU GDPR until the end of June 2021 – and that ruffled quite a few tail feathers.

Feathers continue to be ruffled as the European Commission published their draft Adequacy Decisions for the UK in February 2021 (the UK having already declared the EEA as adequate):

• The EDPS wasn’t particularly happy about not being fully involved in the Christmas Eve agreement.
• The EDPB issued opinions that raised concerns around surveillance and onward transfers – which we should all welcome full resolution of.
• And the EU Parliament have passed resolutions critical for the same reasons.

The extension on transfers was welcome, as the focus on SCCs only stressed how outdated the existing set are.  We expect the final version of the new, modernised, multi-use SCCs anytime now – which is great as the end of June doesn’t seem so far away!

STOP PRESS – European Court of Human Rights holds UK’s bulk interception violated the Convention for the Protection of Human Rights and Fundamental Freedoms

In a decision today, the ECHR has held that the UK’s bulk interception violated the Convention – showing that data protection isn’t just about the GDPR.   This decision, which includes various dissenting opinions, brought together 3 claims from as far back as 2013.

There’s an awful lot to unpack (the PDF version has 204 pages) and there have been a number of changes in UK law since, as noted in the judgement.  In any event, it isn’t a good look for the UK right now.

Broader Enforcement (in the EEA)

Although it’s issued 2 of the 5 biggest fines under GDPR, and issued many fines under PECR (mostly on emailing and cold-calling consumers without consent) the UK ICO has come in for a lot of stick for not issuing enough fines on GDPR.  At the other end of the spectrum, Spain’s regulator has issued roughly a third of all GDPR fines.

But we have now seen enforcement on a broad range of areas, not just Security.  Fines regularly come through on lacking a legal basis, not having given the right information in a Privacy Notice, incorrect sharing, disproportionate use of personal data, not having governance in place, and many more.

You can find all of these on the EDPB’s News page.

So Much Official Guidance!

Well, last year we did all say there wasn’t enough official guidance, particularly from the EDPB, to drive harmonisation and help operationalise compliance.  The EDPB has responded with a torrent of Guidance, and opinions on codes of conduct, adequacy decisions, and more including (with many still in consultation):

• transfers post Schrems II as above,
• virtual voice assistants,
• connected vehicles,
• examples of breaches and notifications,
• targeting social media users, and
• the draft e-Privacy Regulation…

(Another) Draft e-Privacy Regulation

Not GDPR but part of the family, the current e-Privacy Directive sits on top of GDPR and takes priority in the areas it covers such as cookies and similar technologies, and electronic marketing.  It badly needs an update and there’s a lack of consistency across the EEA and UK.

A directly-applicable e-Privacy Regulation would be very welcome, if not just for the increased certainty and harmonisation.  Even though it wouldn’t cover the UK post-Brexit, it will cover the 30 EEA Member States.

However, it feels like it’s always been in draft.  CMS have put together a great page on the draft e-Privacy Regulation, with an informative visual of its tortured progress.  Everyone got very excited in early 2021 with a proposal from the EU Council of Ministers from February 2021, but there’s a long path of negotiations still to come and the EDPB has issued a couple of Statements.  Keep watching that space.

EU Data Governance

Again, not GDPR itself, but there are major steps taking place in the EU ‘to foster the availability of data for use by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU‘.  That obviously triggers data protection and GDPR concerns, with the EDPB and EDPS issuing joint statements.

And there’s more

For example we’ve not touched on the draft EU AI law or many of the fines and learnings, but we hope we’ve pulled out some of the key milestones for you from the last year of GDPR!