Important innovations regarding data protection and digitization in 2022

The beginning of the 2020s seems to have flown by, the year 2022 is already in the starting blocks – and with it some innovations regarding data protection and digitization, two topics which are becoming increasingly important for companies. We have summarized the most important points of their potential impact in this article.

Implementation of the new standard contractual clauses

While data can be freely transferred within the European Economic Area, in countries outside this zone, so-called "third countries", a level of data protection adequate to the General Data Protection Regulation ("GDPR") must be ensured by other means. Typically, this is done in practice by concluding so-called standard contractual clauses ("SCC") pursuant to Art. 46 (2) lit. c GDPR, which are provided by the European Commission in the form of template agreements. With Implementing Decision 2021/914 of 4 June 2021, the Commission has now published new templates.

Many companies with a high level of third-country transfers are likely to face considerable additional work. Not only must the new templates be used for new contracts, but all old contracts must be converted to the new SCCs by 27 December 2022 at the latest. This means that all SCCs based on the old contract templates will lose their validity and new contracts will have to be concluded instead. Regarding the threat of high fines, it is strongly recommended that this effort be made.

Data transfer to the USA becomes more critical

This innovation must also be taken into account for data transfers to the United States of America ("USA"), although there is a need for additional action here. This is because the European Court of Justice ruled in its remarkable judgment of 16 July 2020 (Case C-311/18, "Schrems II") that the conclusion of SCCs alone is not yet sufficient to ensure an adequate level of data protection in the USA. Rather, further additional measures must be taken for this purpose, in particular the performance of a so-called "transfer impact assessment". The recent sensational decision of the Wiesbaden Administrative Court of 1 December 2021 (Case No. 6 L 738/21), in which the court banned the use of a cookie banner in summary proceedings on the grounds of US relevance, has made the issue of data transfer to the USA even more explosive.

What does this mean for companies? So far, the big US tech giants have been an indispensable part of most companies' everyday lives. Even though more and more small European providers are entering the market, for many there will still be no way around Amazon and Co. in 2022. However, when using US service providers, it should be examined more closely whether a cooperation with them is actually necessary or whether there are possible European alternatives. If this is not the case, measures should be taken to ensure that the requirements of a permissible third-country transfer are also fulfilled and documented. A large number of companies have not yet paid enough attention to the issue, possibly also due to a "grace period" granted by the supervisory authorities – this will probably not be possible for much longer.

The "Telekommunikation-Telemedien-Datenschutz-Gesetz"

On 1 December 2021, the "Gesetz über den Datenschutz und den Schutz der Privatsphäre in der Telekommunikation und bei Telemedien" (also "Telekommunikations-Telemedien-Datenschutzgesetz", short "TTDSG") came into force, in which essentially the data protection provisions from the now old versions of the German Telecommunications Act ("TKG") and Telemedia Act ("TMG") were combined. The length of its name is quite appropriate considering the history of the law's development: after all, it is supposed to transpose the ePrivacy Directive 2002/58/EC from 2002 into national law after almost 10 years.

The law is aimed at telecommunications service providers and providers of a website or app – which should cover almost every company in this day and age. For companies that are not telecommunications service providers, however, the effects of the TTDSG are manageable. The most relevant is certainly Section 25 of the TTDSG according to which the consent of the end user is generally required for the use of cookies in accordance with the GDPR, unless it is a matter of so-called "necessary" cookies or the provision of a telemedia service expressly requested by the user. However, since this was in line with the case law of the highest courts and the recommendations of the data protection authorities nonetheless, the approach was already advisable before the TTDSG came into force, even if it was not always consistently implemented by all companies. This should be completed now at the latest. When exactly cookies are necessary unfortunately remains unclear even after the TTDSG has come into force. Here it is worthwhile to pay attention to the guidance issued by the Conference of Independent Federal and State Data Protection Authorities on December 20, 2021 and to keep an eye on statements by the authorities, such as those already available from Bavaria, Hamburg, Lower Saxony, North Rhine-Westphalia.

Digital “Schuldrechtsreform“

Although this legislation is not directly the topic of data protection, it is of such far-reaching importance that it must of course not be missing from this year's outlook: With the "Gesetz zur Umsetzung der Richtlinie über bestimmte vertragsrechtliche Aspekte der Bereitstellung digitaler Inhalte und digitaler Dienstleistungen" and the "Gesetz zur Regelung des Verkaufs von Sachen mit digitalen Elementen und anderer Aspekte des Kaufvertrags", which come into force on 1. January 2022, as well as the "Gesetz zur Änderung des Bürgerlichen Gesetzbuchs (…) in Umsetzung der EU-Richtlinie zur besseren Durchsetzung und Modernisierung der Verbraucherschutzvorschriften der Union (…)" that will follow on 28 May 2022, the German law of obligations will again be revised. Definitely a reform that not only consumers but also businesses should keep in mind, especially if they are in the B2C business with digital products.

The "traffic light coalition" as the great unknown?

As is well known, Germany has recently voted in a new government, the so-called "traffic light coalition" consisting of SPD, BÜNDNIS 90 / DIE GRÜNEN and FDP. As a self-declared "progress government," it already has a number of plans in the area of data protection – which can be seen in the coalition agreement: The creation of a Research Data Act, a Mobility Data Act, a Health Data Use Act or new regulations on employee data protection – the to-do list is long. In addition, the digitization of Germany is to be advanced at a rapid pace, among other things in the area of justice. It is unlikely that there will be far-reaching changes as early as 2022. However, it is certainly worth keeping an eye on future developments in this regard.

Developments at European level

The same applies to what is happening in Europe, where several major projects are due in the near future: There is the "Digital Markets Act", which aims to regulate large online platforms and thus create a fairer business environment in the European single market. In addition, the Digital Services Act aims to increase the security of platforms and facilitate the removal of criminal content. In the future, the "Artificial Intelligence Act", the world's first attempt at a law to regulate artificial intelligence, could also trigger a need for action on the part of companies.

The elephant in the room: Covid 19

Another contribution that cannot entirely do without mentioning is the all-dominant topic of the past years: Covid 19. It is to be expected that the year 2022 will still be marked by the effects of the pandemic. As is common knowledge, many people have already failed to predict how the situation will develop in this regard. Nevertheless, it can be said that the so-called "2G" in the workplace or compulsory vaccination could be possible hurdles that pose challenges for companies in terms of employee data protection.