The European Commission (“EC”) recently published its 2-year review on the General Data Protection Regulation 2016/679 (“GDPR”) which became effective on 25 May 2018. We’ve reviewed the EC’s report and highlighted below the key points that stood out to us and what they means for organisations going forward.
There has been greater awareness on the topic of the data protection compliance from a global and local perspective.
The EC referred to Cisco’s Consumer Privacy Study in 2019 which showed that individuals around the world now increasingly value their privacy and security and that data protection compliance is an important factor that influences their buying decisions and their online behaviour. Cisco surveyed 2,600 consumers worldwide during which it was discovered that a significant number of consumers had taken action to protect their privacy, for example, by switching companies or providers because of the data protection notices or data sharing practices of an organisation.
The EC referred to the Fundamental Rights Survey 2019 which found that 69% of the EU population confirmed that they had heard about the GDPR and 71% knew about their national data protection authority. Certain data subject rights were exercised more so than others e.g. the data portability right has not being exercised as much but has clear potential in enabling individuals to switch between different service providers or to combine different services.
The EC recognised that the adoption of the GDPR has spurred other states and countries in many regions of the world to consider following suit. For example, California, Chile, Brazil, India, Indonesia, Japan, Kenya and South Korean have either passed or are in the process of passing data privacy legislation.
What does this mean for organisations going forward? They must ensure compliance with data protection laws and should especially focus on their external data protection documentation (such as external Privacy Notices, Cookies Notices etc.) as they can make a determination as to whether or not an individual wishes to obtain their products/services.
Data protection regulators and national courts are taking action and the EC is planning for a future of even more collaboration.
The EC noted that data protection authorities are taking action by issuing monetary fines to organisations (ranging from a few thousand euros to millions). It stated, however, that sanctions such as bans on data processing may have a higher deterrent effect than fines.
The EC acknowledged that national courts and the European Court of Justice has helped to create a consistent interpretation of data protection rules. National courts in Germany, Spain and in Austria have issued judgments whereby they have invalidated provisions within national law that departed from the GDPR.
The EC stated that GDPR has emerged as a key reference point at an international level and has acted as a catalyst for many countries around the world to consider introducing modern privacy rules. The EC is setting up a “Data Protection Academy” which is a platform where EU and foreign data protection authorities can share knowledge, experience and best practices to facilitate and support cooperation in respect of data privacy.
What does this mean for organisations going forward? They should be wary of the fact that the EC has highlighted that other sanctions, such as a ban on data processing, are less used. This is because it is likely to prompt data protection authorities to be more considerate as to whether they should use wider sanctions.
There have been more reviews and consideration of the data privacy frameworks in different jurisdictions and how to ensure that data is protected when transferred across borders.
The EC highlighted that it worked on the EU-Japan mutual adequacy decision which entered into force in 2019 and created the largest area of free and safe data flows. The EC stated that it is working with the Republic of Korea and is having ongoing discussions with countries in Asia and Latin America in respect of whether it could determine an adequacy decision in their favour at a later date. It also specifically mentioned the UK and stated that it would consider issuing an adequacy decision in favour of the UK if its applicable conditions in respect of data privacy are met.
The EC mentioned that it is working on a comprehensive modernisation of the standard contractual clauses between data controllers and data processors. It stated its current standard contractual clauses are most widely used as a mechanism for the transferring of personal data. There are thousands of EU companies relying on the standard contractual clauses in order to provide a wide range of services to their clients, partners, suppliers and employees.
What does this mean for organisations going forward? They should ensure that when they are transferring data, they are using the correct mechanisms whether it be reliance on an adequacy decision or standard contractual clauses. They should also monitor when the EC issues revised standard contractual clauses as they will need to put them into place.
The GDPR has brought opportunities and challenges for different types of organisations.
The EC recognised that small and medium-sized enterprises have been significantly affected. It stated, however, that several data protection authorities have provided practical tools to help those organisations in complying with the GDPR (albeit in situations where those enterprises are involved in low risk processing activities).
The EC mentioned that future challenges lie ahead in clarifying how the principles in the GDPR will apply to specific technologies such as artificial intelligence, blockchain or facial recognition and this will require monitoring on a continuous basis.
The EC noted though that many businesses also promote respect for personal data as a competitive differentiator and a selling point on the global marketplace by offering innovative products and services with novel privacy or data security solutions.
What does this mean for organisations going forward? The ultimate objective of the GDPR is to change the culture and behaviour of anyone involved in data protection for the better and we can see through the EC’s review that this is happening. Organisations need to ensure that they have data protection compliance programs in place and where necessary should engage external assistance to either build or further develop their programs.
Aria Grace Law
Our Data Privacy Team including Puja Modha and Katharina De Resseguier have been working with a number of clients in respect of building and developing their data protection compliance programs. Puja and Katharina have supported organisations of varying sizes and across different industries in complying with data privacy legislation across multiple jurisdictions. If you would like to get in touch with them, please contact firstname.lastname@example.org.
Regulatory Update by Puja Modha and Katharina De Resseguier - Partners at Aria Grace Law 11.08.2020