Data protection compliance remains a major issue for companies, particularly as data protection authorities have lost all reluctance to enforce the GDPR. Just think about the increasing number of official investigations as well as the record-breaking fines in 2021. Staying up to date in data protection should therefore remain at the top of your agenda.
We would recommend not losing track of the following five hot topics in 2022:
Third country data transfers remain a key challenge
In 2020, the CJEU’s Schrems II ruling caused major legal challenges in justifying data transfers to third countries. Ever since, companies have had to assess their international data flows for the risk of potential data access by foreign governments and authorities, take additional security measures where necessary based on the identified risk level, and, in a worst-case scenario, even stop high-risk data flows. In 2021, the European Commission’s new Standard Contractual Clauses (SCC) revived the topic once more, setting those requirements in stone. Their implementation will cause many companies a lot of work this year: existing contracts need to be switched to the new SCC by December 27, 2022. While the “old” SCC only differentiated between two data transfer scenarios, the new ones distinguish between four. Thus, companies have to secure their data transfer relationships in a much more sophisticated way. However, this task will likely grow even more complex. The European Commission has already expressed its intention to publish another set of SCC for companies that are subject to the GDPR without being established in the EU/EEA.
Privacy law changes in different jurisdictions
United Kingdom
Many companies maintain important relationships with the UK. Since Brexit, the UK’s own privacy law applies, which has so far largely corresponded to the GDPR. However, the British government is already planning a reform of UK privacy law. Deviations from the GDPR are likely. UK-specific standard contractual clauses are also expected for 2022, which companies will then use to secure their data flows to and from the UK.
China
In China, a new data protection law (the PIPL) came into force in November 2021. Companies with relations to China should address the PIPL by 2022 at the latest. Our Chinese colleagues recently published a summary of the most important legal changes. In a nutshell: the PIPL not only plays a role for companies based in China, but – like the GDPR – can also apply to companies based outside China. The PIPL sets out certain legal restrictions on transferring data outside of China. This could cause difficulties in practice. Data mapping and, if necessary, the adaptation of internal processes might have to be included on the to-do list.
Did you get mail from the data protection authority because of cookies & paywalls (yet)?
In 2021, a number of companies already received mail from noyb, Max Schrems’ data protection non-profit organisation. The organisation had issued draft complaints about cookie banners that they considered “unlawful” to more than 500 companies in the EU. The draft complaints were to be submitted to the competent data protection authorities, unless the companies fully remedied the “violations” of their cookie banners within one month. noyb is continuing to pursue this action. By the end of 2021, noyb wanted to assess the cookie banners of the 10,000 most visited websites in the EU. It is therefore likely that more companies will receive mail from noyb and/or the data protection authority in 2022. Companies using paywalls may also become noyb’s new pen pal as noyb started a similar action related to paywalls.
CJEU: Schrems I, Schrems II, … Schrems III
Max Schrems also remains active in court. In 2022, the CJEU will deal with a referral from the Supreme Court of the Republic of Austria, which is based on a claim by Max Schrems. A “Schrems III ruling” will therefore follow eventually. Among other things, the CJEU will have to deal with the following questions, the answers to which are likely to be of high practical relevance:
- The CJEU will have to clarify whether data subjects can “pay” for free access to a service by providing their personal data for personalised advertising (“paying with data”). If this were the case, companies would not have to obtain data subjects’ consent to use the data for marketing purposes; instead, the processing could likely be justified based on its necessity for the performance of the contract. The ruling will therefore have practical consequences for companies that monetise their business by using data for marketing purposes.
- The CJEU will also have to clarify whether personal data that allow for targeted filtering of special categories of personal data, such as political opinion or sexual orientation, are themselves special categories of personal data within the meaning of Art. 9 GDPR, even if a company does not differentiate between these data. Drawing the line as to whether or not certain data are special category data subject to strict protection is not always easy. The German data protection authorities recognise that not every indirect indication of special category data should lead to the application of the specific GDPR rules for such data. However, there is no firm guidance on when the threshold is reached. Some suggest taking into account whether the data are to be analysed with regard to their sensitive content. The CJEU could finally shed light on where the line may be drawn.
Privacy litigation – consumers join the scene
The data protection authorities seem to be increasingly active in enforcing the GDPR. However, they are no longer the only relevant players in privacy litigation. Individuals affected by data processing are already taking action in court. Claims for damages due to denied or poorly fulfilled data access requests seem to be particularly frequent. However, German courts have so far been rather reluctant to award damages. There has been a lack of guidance on the correct interpretation of the legal requirements for GDPR damages. However, a series of CJEU rulings expected in 2022 could bring greater clarity and increase the risk of successful damages claims against companies.
Moreover, consumers will soon no longer have to go to court alone. While class actions are very common in the US, this concept is still rather foreign to European countries. However, the transposition of the EU directive on representative actions for consumers is due by the end of 2022. It will enable consumers to claim damages under the GDPR through class actions when represented by consumer organisations. However, due to the implementation deadlines for the new legal rules, the first class actions are not to be expected in 2022, but rather in 2023.