Data protection compliance remains big for companies, particularly as data protection authorities have lost all reluctance to enforce the GDPR. Just think about the increasing number of official investigations as well as record-breaking fines in 2021. Staying up-to-date in data protection should therefore remain on the top of your agenda.
We would recommend not losing track of the following five hot topics in 2022:
In 2020, the CJEU’s Schrems II ruling caused major legal challenges to justify data transfers to third countries. Ever since, companies have to assess their international data flows for a risk of potential data access by foreign governments and authorities, take additional security measures, if necessary based on the identified risk level, and, in a worst-case scenario, even stop high-risk data flows. In 2021, the European Commission’s new Standard Contractual Clauses (SCC) revived the topic once more, setting those requirements into stone. Their implementation will cause many companies a lot of work this year: existing contracts need to be switched to the new SCC by December 27, 2022. While the “old” SCC only differentiated between two data transfer scenarios, the new ones distinguish between four. Thus, companies have to secure their data transfer relationships in a much more sophisticated way. However, this task will likely grow even more complex. The European Commission has already expressed their intention to publish another set of SCC for companies that are subject to the GDPR without being established in the EU/EEA.
Many companies maintain important relationships with the UK. Since Brexit, the UK’s own privacy law applies, which has so far largely corresponded to the GDPR. However, the British government is already planning a reform of UK privacy law. Deviations from the GDPR are likely. UK-specific standard contractual clauses are also expected for 2022, which shall then be used by companies to secure their data flows to and from the UK.
In China, a new data protection law (the PIPL) came into force in November 2021. Companies with relations to China should address the PIPL by 2022 at the latest. Our Chinese colleagues recently published a summary of the most important legal changes. In a nutshell: The PIPL not only plays a role for companies based in China, but – like the GDPR – can also apply to companies based outside China. The PIPL sets our certain legal restrictions for transferring data outside of China. This could cause difficulties in practice. Data mapping and, if necessary, the adaptation of internal processes might have to be included on the to-do list.
In 2021, a number of companies already received mail from noyb, Max Schrems’ data protection non-profit organisation. The organisation had issued draft complaints about cookie banners that they considered “unlawful” to more than 500 companies in the EU. The draft complaints were to be submitted to the competent data protection authorities, unless the companies fully remedied the “violations” of their cookie banners within one month. noyb is continuing to pursue this action. By the end of 2021, noyb wanted to assess the cookie banners of the 10,000 most visited websites in the EU. It is therefore likely that more companies will receive mail from noyb and/or the data protection authority in 2022. Companies using paywalls may also become noyb’s new pen pal as noyb started a similar action related to paywalls.
Max Schrems also remains active in court. In 2022, the CJEU will deal with a referral from the Supreme Court of the Republic of Austria, which is based on a claim by Max Schrems. A “Schrems III ruling” will therefore follow eventually. Among other, the CJEU will have to deal with the following questions, the answers to which are likely of high practical relevance:
The data protection authorities seem to be increasingly active in enforcing the GDPR. However, they are no longer the only relevant players in privacy litigation. Individuals affected by data processing are already getting active in court. Claims for damages due to denied or poorly fulfilled data access requests seem to be particularly frequent. However, German courts have so far been rather reluctant to award damages. There has been a lack of guidance on the correct interpretation of the legal requirements for GDPR damages. However, a series of CJEU rulings expected in 2022 could bring greater clarity and increase the risk of successful damages claims for companies.
Moreover, consumers will soon no longer have to go to court alone. While class actions are very common in the US, this concept is still rather foreign to European countries. However, the transposition of the EU directive on representative actions for consumers is due by end of 2022. It will lead to consumers being able to claim damages under the GDPR through class actions when being represented by consumer organisations. However, due to the implementation deadlines for the new legal rules, the first class actions are not to be expected in 2022, but rather 2023.
According to a draft directive of the European Commission, software updates will become another building block for product safety.
2 of 4 Insights
The ePrivacy Regulation is to newly regulate data protection in the online context - uncertainties remain.
3 of 4 Insights
The EU Whistleblower Directive is not yet legally valid in Germany - Recommendations for action on the current status.
4 of 4 Insights
Return to