by Giulia Zappaterra and Deborah Paracchini
2018 brought considerable change to the data protection world. The EU General Data Protection Regulation (EU) 2016/679 (GDPR) finally became applicable, bringing its long-awaited new principles and rules into privacy law. Because the GDPR entered into force two years before it became applicable, the EU Member States had already begun to assess the adequacy of their national legislation, and most of them decided to adopt new local legislation in order to review, amend and adapt their laws to the newcomer.
But what will happen in the next 12 months? Here are our personal predictions on privacy legal issues for 2019.
- Companies’ privacy compliance programs will still need to be fine-tuned to avoid GDPR sanctions
If GDPR sanctions were scary in 2018, they are expected to become scarier in 2019, when Data Protection Authorities (DPAs) are unlikely to keep following a tolerant approach.
A few DPAs have already started to impose sanctions under the GDPR. The Austrian Datenschutzbehörde was the first DPA to sanction a company, for the unlawful use of a video surveillance system. A German DPA followed soon after, fining a company whose data breach revealed inadequate security measures (in that case, user passwords stored in plain text) and, therefore, a violation of Article 32 of the GDPR. A Portuguese hospital was also sanctioned by the Comissão Nacional de Proteção de Dados for inadequate technical and organisational measures, specifically deficient access controls on patient records.
A number of companies rushed to make their privacy information notices GDPR compliant by May 25, 2018. Our impression, though, is that after that deadline they "forgot" about the GDPR, adopting privacy policies and notices that are too generic, not transparent, and that do not actually describe what they do with personal data. This is because they often tackled the GDPR with a pre-GDPR mindset, in which privacy compliance was in some cases confined to a pile of paperwork of little practical value.
The GDPR requires a deep change in technical and organisational measures, accompanied by policies and procedures able to demonstrate privacy compliance to regulators and individuals and to justify the decisions taken on data processing (the accountability principle of Article 5(2)). Article 32 itself names, among other things, pseudonymisation and encryption, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access to personal data in a timely manner after an incident, and regular testing of the effectiveness of those measures: a policy document alone will not satisfy it.
Our feeling is that companies have little grace period left in which to ensure privacy compliance. Even if some DPAs are still working on their national laws and provisions to align them with the GDPR, we expect that in 2019 all the European DPAs will be stricter and will start issuing GDPR sanctions.
- National GDPR approaches will further diverge
During 2018, the European Data Protection Board (EDPB), the successor of the Article 29 Working Party and a body composed of representatives of the national data protection authorities (DPAs), started issuing guidelines on how the GDPR should be interpreted and complied with.
Following the example of the EDPB, a few DPAs also adopted resolutions aimed at clarifying the provisions of their local privacy legislation. However, some EU Member States are still reviewing and finalising their new local privacy laws implementing the GDPR, so that companies remain uncertain about the concrete application of the GDPR and its principles (at least in certain jurisdictions).
In 2019, however, we can expect the remaining EU Member States to adopt local provisions implementing the GDPR and, accordingly, a number of DPAs to follow the approach of the EDPB and provide guidance on the relevant privacy laws, helping companies meet the challenge of implementing the GDPR.
The likely scenario is that companies will have to deal with at least four layers of regulation: the GDPR itself; national legislation integrating the GDPR, which in some cases adds further obligations; new EDPB guidelines; and local guidelines from DPAs, which are not always consistent with the EDPB guidelines and with GDPR principles.
This uncertain scenario will make life even harder for companies with European customers than it was under the previous regime. The GDPR's goal of ensuring consistency across the EU in privacy law may instead turn into a heavier burden of localisation.
- Online privacy reform will (probably) come into place
It is no surprise that the 2002 EU ePrivacy Directive (2002/58/EC) may soon be replaced by a new EU ePrivacy Regulation, which will likely come into force in 2019 and will supplement the GDPR by setting specific data protection obligations for electronic communications.
A first draft of the ePrivacy Regulation circulated at the end of 2016 (the Commission's formal proposal followed in January 2017), providing a number of new, stringent obligations for companies and organisations that use metadata, tracking software or other tools to monitor online behaviour.
After the GDPR, the ePrivacy Regulation will be the next big thing on the privacy scene, as it will align Europe's ePrivacy regime more closely with the regime set out in the GDPR. It covers the confidentiality of electronic communications and regulates direct marketing, website audience measurement and cookie settings, and it has a wider field of application than the current Directive, including machine-to-machine (M2M) and IoT data. According to Recital 2 of the draft ePrivacy Regulation, the Regulation is intended to "particularise and complement" the provisions on personal data set out in the GDPR, "translating its principles into specific rules".
Since the new ePrivacy Regulation may have a significant impact on existing business models and digital markets, the legislative process should be monitored carefully in order to anticipate the changes the Regulation may bring to the data protection world.
On July 10, 2018 the Council of the European Union published the latest revised proposal for the ePrivacy Regulation, but the road to its final adoption still seems long. Given the pace of technological change, however, it cannot be too far off.
Thus, in the next few months, we might expect another big change in the data protection world, and another frantic rush to ensure compliance is likely to begin!