Data Protection in 2022 – Things to Look Out for

10 February 2022

Authors: Emma Swahne and Caroline Sundberg

2021, which recently drew to a close, was an eventful year in the field of data protection: the aftermath of the Schrems II decision, the new standard contractual clauses (SCC), continued interventions in the personal data activities of the “Big Five” tech companies across the EU (e.g. the fines against WhatsApp and Amazon, and the headwinds for Microsoft 365 solutions), a huge leap in digitalisation (partly thanks to continued remote and hybrid work), and, unfortunately, the highest number of recorded data breaches to date[1], to name a few.

Looking ahead, there are no signs of things slowing down. In 2022, we can expect continued progress in the tidal wave of new legislation in the EU, such as the Digital Services Act, the Digital Markets Act, the Data Governance Act, the ePrivacy Regulation, the Network and Information Security Directive (NIS II), the AI Act, and the Data Act. All of these are intended to govern the fast-growing diversity of technologies on the market. There is a very delicate balance between a regulatory framework that is continuously becoming more complex and the freedom that technology- and data-driven businesses need in order to thrive (and to develop the solutions society needs).

Interesting developments are also taking place in the field of data protection regulation in other jurisdictions, such as the recent Data Security Law and Personal Information Protection Law in China, which resemble the GDPR and the CCPA in the U.S. However, these regulations may be enforced in very different ways compared to the GDPR, given the somewhat different regulatory goals of these regions.

We are also eagerly awaiting more case law from national courts and authorities and from the CJEU, as well as guidance from the EDPB and the EDPS, on some important concepts that are yet to be properly defined, such as de-identification and anonymisation.

In addition to these expectations, we also very much hope for the adoption of at least a few useful codes of conduct and certifications. Such tools would not only align the state of the art but also provide organisations with efficient means of verifying their compliance in the market and of bringing privacy to the core of their ESG programmes. The EDPB’s recently adopted opinion on certification criteria may be the first step in such further developments.

Meanwhile, we would like to speculate about some of this year’s important themes and to provide a few tips for compliance.

International Transfers

It is likely that this year everyone dealing with personal data will continue to follow the latest developments regarding international transfers with great interest. This is the year, for instance, to replace (no later than 27 December) any old versions of the standard contractual clauses with the new set published by the European Commission last June.

Furthermore, as businesses have now had some time to adapt to the “post-Schrems II” requirements, personal data transfers outside the EU can be expected to be on the data protection authorities’ radar. Transfer impact assessment projects are likely to remain an activity that keeps privacy lawyers and personnel busy, and it is still likely that many organisations will realise that the tools and services they use do not comply with the requirements of Chapter V of the GDPR as clarified by the CJEU in the Schrems II decision, at least not without amending the contract and adding further technical measures where possible.

Regardless, many questions remain open, such as whether there are commercially reasonable ways of ensuring compliance so that U.S.-based cloud service providers can still be used. This year we are likely to see several decisions from national supervisory authorities in this respect, and to learn more about the size of the administrative fines issued, if any, for breaches of these requirements.

Cookies

Almost all companies use cookies on their websites and in their marketing, and cookie considerations should not be put on hold because of the long wait for the ePrivacy Regulation (which is unlikely to become applicable before 2023, if even then). The number of complaints made about cookies and analytics technologies led the EDPB to establish a cookie banner task force in 2021 and to adopt a letter on cookie consent, which indicates that cookies will continue to be a hot topic this year as well. Moreover, NOYB has its sights set on bringing several complaints for non-compliance with these rules before the authorities in the near future.

Interestingly, it seems that commercial forces are causing cookies to slowly crumble. The wider public hopes that the age of banners and consent boxes will end, and to answer this cry (or to comply with the law), Google has announced that it will end its support for third-party cookies in Chrome by the end of 2022, and as a result of Apple’s 2021 iOS update (App Tracking Transparency) apps must ask for permission before tracking, so tracking is deselected by default.

Accountability

Record of processing activities, organisational safeguards, personal data processes, security safeguards, processing policies, privacy notices, retention policy, DPIA, PIA, TIA, DPA…

The list of required and recommended documentation sounds overwhelming! It is no wonder that many organisations (often meaning legal teams and privacy officers) struggle to maintain the documents while the business is evolving. However, it is very clear that a data protection compliance programme cannot be opaque, nor can it consist of documentation made just for the sake of having it. For example, the obligation to inform data subjects is not met by a nice-looking privacy notice if it only states that “data may be transferred outside the EU and adequate safeguards are applied”. In order to comply, both the transfers and the safeguards must be defined, implemented, and documented accordingly, and clearly communicated to the data subjects.

The COVID-19 pandemic forced organisations to make multiple decisions that require or affect the processing of employee data (even health data), such as considerations related to remote working, remote events, monitoring of work, conditions for accessing the workplace, virus testing, and COVID passports. It is very important that data protection and security are not forgotten when making such decisions, and that the considerations are documented accordingly.

Privacy Engineering and Security

The Log4j vulnerability reported in late 2021 caused quite a stir, but ever since the GDPR became applicable, the authorities have been pressing businesses to ensure the security of personal data. New technologies, remote working, and the increasing number of integrations between different systems and stakeholders (not to mention the metaverse looming around the corner) set high demands for efficient and intelligent data security. Luckily, privacy-enhancing technologies have matured and now provide an array of technological advances that can be used to implement, maintain, and monitor a variety of data protection controls in an effective, sustainable, and cost-friendly way.

The accountability discussed above should not be forgotten here either. Demonstrating the existence of a sufficient security programme requires documentation (including records of the training provided), and in the case of a breach, plenty of notices and documents are needed. For example, the Finnish Data Protection Ombudsman reminded controllers in late 2021 that they have an obligation to document personal data breaches, which includes retaining the information systems’ log data from the time of the breach. In practice, this means that log retention periods must be long enough that the relevant logs still exist when a breach is eventually discovered, which is often weeks or months after it occurred.

Some Practical Tips

  • International Transfers: Ask each business unit to make an inventory of their data transfers outside the EU and to ensure that any such transfers are carried out subject to sufficient safeguards under the GDPR. Do not forget to document all of this in your transfer impact assessment (TIA). Remember to check (data processing) agreements with suppliers and other business partners for any old SCC (2010) that may still be in use, and agree with the other party to update to the new SCC (2021) where needed.
  • Cookies: Review whether your current cookie policies are actually complied with, and monitor any changes resulting from the ePrivacy Regulation. It is even better if you can find the resources to follow technological developments and seek alternatives to cookies, which can be both more efficient and more privacy-friendly.
  • Accountability: Raise awareness (or rather, continue to raise awareness) and share the responsibility within your organisation. Data protection compliance governance should reach beyond the legal and security teams and preferably start from the business units processing personal data as part of their duties. Also consider teams other than just HR and marketing: is there personal data involved in the development of products and services? How does the sales department gather leads? How much detail about employees does the finance department actually need? Raising awareness within the organisation helps to develop business-friendly compliance processes but also promotes accountability, as once the teams know what is needed and where to find information, it is easier for them to flag when updates are needed.
  • Security: Implementing state-of-the-art security controls and solutions is the required minimum for maintaining the required level of protection, not an extra. Remember to ensure that you have the internal expertise, vendors, and contracts that allow you to keep up with developments easily and cost-efficiently. It is highly recommended to look for suitable privacy engineering implementations in order to embed privacy principles in your business efficiently and to demonstrate compliance.


[1] Identity Theft Resource Center, 2021 Data Breach Report.