GDPR regulators have been busy. They issued hundreds of fines to companies, including Google and Facebook, more than €114 million in the first 20 months of GDPR. Later this year, on May 25, the European Commission will produce a report, as mandated by Article 97. This report will contain an evaluation of the progress made under the GDPR and the challenges encountered and likely for the basis of any major upcoming reforms.
However, are other developments, like Brexit, other countries introducing their own data protection laws, and rulings from the Court of Justice of the European Union that could have an immediate effect on the GDPR this year. This blog post will give you a sneak peek at what the next year holds in store for the GDPR, what could change, and how it could impact your business.
A year of great expectations
While it is true that Facebook, Google, and WhatsApp have received GDPR fines, their number and size disappointed GDPR’s advocates. The French data protection agency fined Google a record €50 million, but this amount is a rounding error compared to its overall budget. For the largest tech companies to truly take data protection seriously, experts think that the fines will need to be much higher. None other than Margarethe Vestager, head of the European Commission, has called for stronger enforcement of the GDPR and policies that promote competition in the tech industry.
Additionally, as of July 2019, some countries — namely Greece, Portugal, and Slovenia — still had not brought their national laws into accordance with the GDPR. Others are still hiring and training staff for these new regulatory bodies. This lag means that the GDPR has not been fully enforced across the EU. Because a country needs national laws in place before they can have a data protection agency, they delay impacts the number of people in the EU who can file a complaint or even just understand their rights. That should end in 2020 as these last countries implement national legislation, incentivizing Greek, Portuguese, and Slovenian companies to ensure they are fully compliant.
This could be a make-or-break year for the GDPR as it attempts to establish comprehensive and strong data protections.
The GDPR is no longer the only data protection acronym to pay attention to
The GDPR has inspired many imitators, from Brazil’s LGPD to the CCPA in California. While many of these laws agree on the broad terms of data protection, each implements these protections in its own way. And these two new regulations are just the start: Canada and Australia are both considering new data protection regulations, and India’s legislature will vote on its Personal Data Protection Bill. In the US, several states, including Nevada, New York, Texas, and Washington, are considering following California’s lead and passing their own data protection law.
Brexit will not make a difference… yet
Brexit has dominated European news for the past several years, and UK and EU regulators need to create an alternate data protection regulatory framework for the future. However, this will have relatively little impact on 2020, at least as far as data protection is concerned. Despite the fact that the UK formally exited the EU on Jan. 31, 2020, they will still adhere to all the EU standards and regulations throughout this year. That means the GDPR will still be the law of the land in the UK.
The EU’s new ePrivacy Regulation still does not seem ready
The oft-delayed counterpart to the GDPR, the ePrivacy Regulation, seems likely to fall even further behind schedule. In fact, the Permanent Representatives Committee of the Council of the European Union voted down its proposal in Nov. 2019. This makes it likely that there will need to be a revised proposition put forward this year, meaning actual implementation is likely at least still a year off. The ePrivacy Regulation was meant to be implemented in 2017 to replace the current ePrivacy Directive, the current law that governs how cookies are regulated throughout the EU.
There will be another fight over data transfers
In 2015, Max Schrems, an Austrian privacy advocate, filed a complaint with the Irish Data Protection Commissioner challenging Facebook Ireland’s reliance on standard contractual clauses as a legal basis for transferring personal data to Facebook Inc. in the U.S. Essentially, Schrems was arguing that such standard contractual clauses do not provide an adequate level of protection for EU data subjects. This led to a contentious ruling, which was then contested, leading to the Schrems II case, which is currently nearing a conclusion.
At the heart of the matter is Art. 46, which states a data controller (a company that determines how and why data is processed) may transfer data internationally or to a third party “only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.”
On Dec. 19, 2019, the Advocate General to the Court of Justice of the European Union (CJEU) released an opinion that upheld that standard contractual clauses could be used to transfer data internationally. However, in the fine print, the AG also suggests that the use of such clauses should be reviewed on a case-by-case basis. It also raises serious questions about the data protections in the US, throwing data transfers to the United States into doubt.
While the AG’s opinion is non-binding, it is often a preview of the CJEU’s ruling. You can expect the CJEU’s final decision — and for another fight over data transfers to begin — later this year.