by Giulia Zappaterra & Deborah Paracchini
2019 brought considerable changes in the data protection world. Some EU Member States finally integrated the rules of the EU General Data Protection Regulation No. 679/2016 (GDPR) with their national laws. At the same time, local data protection authorities started to fully apply – also issuing severe sanctions – the set of rules of the GDPR. This scenario does not anyhow mean that 2020 will not bring us any news! New legal issues – growing together with the improvement of innovative technologies – will test the data protection legal framework.
- An ePrivacy reform will finally be adopted
During the last couple of years, rumors were that the 2002 EU ePrivacy Directive was going to be soon replaced by a new EU ePrivacy Regulation, supplementing the GDPR and setting specific data protection law obligations for electronic communications. The original draft of the EU ePrivacy Regulation was first presented in 2017 to be adopted and applied together with the GPDR in May 2018. However, the plan did not go through, and the proposal did not obtain the necessary support from EU Member States. As a result, national supervisory authorities decided to adopt their guidelines on cookies and spam, creating a diversified approach across the EU.
However, EU politicians are still pushing for the adoption of an EU ePrivacy Regulation. Despite the representatives of the EU member states rejected the latest Finnish presidency’s proposed text on 22 November 2019, in December 2019, the newly appointed commissioner announced that the EU Commission is planning to present a new version of the document in the first half of 2020.
It is not yet clear if the proposal, which will be presented under the Croatian presidency, is going to be similar to the draft discussed over the last months. However, there is no doubt that the EU ePrivacy Regulation will be one of the main topics in the privacy world also in 2020.
Irrespective of whether it will be adopted in the short term, discussions over such a new regime will involve all stakeholders.
Companies engaged in their digital transformation process should carefully monitor the legislative process to intercept the changes the EU ePrivacy Regulation may bring to light in the data protection world and avoid to adopt technologies that will require substantial changes when the new regime is in place.
- There will be an increase in data breaches (and in the consequential fines)
During the last decade, innovative technologies based on artificial intelligence, machine learning, IoT, and blockchain have been rising. These technologies (artificial intelligence is just an example) entail the processing of a substantial amount of data, including personal data. Such a large amount of information is exponentially at reach of cybercriminals’ sight, who are exploiting bugs and backdoors to access and harvest information stored on any connected device, from smartphones to smart home systems, from connected cars to any other type of cloud service or IoT device.
This scenario will undeniably lead to a growth in the number of data breaches with the consequent need for companies to notify the suffered attacks to competent supervisory authorities, also informing the individuals whose data are subject to such violations.
In turn, data protection authorities are likely to perform deep scrutinies of companies notifying data breaches with an increase of dawn raids and, consequently, of the application of substantial fines against companies that do not comply with the GDPR and national data protection laws.
Such a trend already started in 2019 but is going to increase in 2020 so that any business will need to step up their organizational and technical measures, making a further effort to adapt to the new threats, guaranteeing compliance not only with data protection obligations but also with cybersecurity standards.
No security measure can eliminate the risk of cyber-attacks, but the adoption of a stringent data protection compliance program can avoid fines and challenges in case of data breach.
- A solution to data transfers will be necessary
According to the GDPR, personal data can be transferred to a third country that ensures an adequate level of protection of personal data, which needs to be recognized by a decision of the EU commission. In the absence of such adequacy decision, personal data can nevertheless be transferred to a third country if the transfer is accompanied by appropriate safeguards, such as binding corporate rules and Standard Contractual Clauses issued by the European Commission (the “SCCs”) set by an EU commission decision.
Standard Contractual Clauses initially adopted by the EU commission were recently challenged. The dispute was escalated to the Court of Justice of the European Union (CJEU) following the challenge brought by Max Schrems on the lawfulness of transfers of personal data by Facebook to its servers located in the US. According to Schrems’s view, US laws and practices do not seem to offer sufficient protection against surveillance, by the public authorities, of the data transferred to that country.
The outcome of the dispute, however, is not straightforward, also in light of the recent opinion of the Advocate General to the CJEU, which pointed out that SCCs guarantee per se an adequate level of protection and, therefore, transfer of data by such means does not violate EU’s provisions. The Advocate General, however, did stress that such adequacy of the SCCs depends on whether there are “sufficiently sound mechanisms to ensure that transfers based on the standard contractual clauses are suspended or prohibited where those clauses are breached or impossible to honor”. Thus, the data exporter shall assess on a case by case basis whether, in light of the specific circumstances, the SSCs guarantee an appropriate level of protection to personal data and data subjects. Otherwise, the transfer of data should be suspended or prohibited.
2020 will see the CJEU ruling on such a critical issue, which is also relevant to the transfer of data to the UK, further to Brexit. Even if the opinion of the Advocate General is reassuring for companies transferring data abroad based on SCC, CJEU’s final decision is the only source of certainty. In the meantime, controllers need to consider whether local laws applicable to their specific scenario conflict with the protections that the SCCs provide. To avoid disruptions in case of invalidation of the SCCs, they shall also consider to re-organize their business to limit risks.
In the next few months, we might expect that other significant changes in the data protection world and other substantial rushes to ensure compliance are likely to start!