The beginning of the 2020s seems to have flown by. The year 2022 is already in the starting blocks, and with it come some innovations regarding data protection and digitization, two topics that are becoming increasingly important for companies. We have summarized the most important points and their potential impact in this article.
While data can be freely transferred within the European Economic Area, transfers to countries outside this zone, so-called "third countries", require that a level of data protection adequate to the General Data Protection Regulation ("GDPR") be ensured by other means. In practice, this is typically done by concluding so-called standard contractual clauses ("SCC") pursuant to Art. 46 (2) lit. c GDPR, which are provided by the European Commission in the form of template agreements. With Implementing Decision 2021/914 of 4 June 2021, the Commission has now published new templates.
Many companies with a high level of third-country transfers are likely to face considerable additional work. Not only must the new templates be used for new contracts, but all old contracts must be converted to the new SCCs by 27 December 2022 at the latest. This means that all SCCs based on the old contract templates will lose their validity and new contracts will have to be concluded instead. Given the threat of high fines, it is strongly recommended that this effort be made.
This innovation must also be taken into account for data transfers to the United States of America ("USA"), although there is a need for additional action here. This is because the European Court of Justice ruled in its remarkable judgment of 16 July 2020 (Case C-311/18, "Schrems II") that the conclusion of SCCs alone is not yet sufficient to ensure an adequate level of data protection in the USA. Rather, further additional measures must be taken for this purpose, in particular the performance of a so-called "transfer impact assessment". The recent sensational decision of the Wiesbaden Administrative Court of 1 December 2021 (Case No. 6 L 738/21), in which the court banned the use of a cookie banner in summary proceedings on the grounds of US relevance, has made the issue of data transfer to the USA even more explosive.
What does this mean for companies? So far, the big US tech giants have been an indispensable part of most companies' everyday lives. Even though more and more small European providers are entering the market, for many there will still be no way around Amazon and Co. in 2022. However, when using US service providers, it should be examined more closely whether a cooperation with them is actually necessary or whether there are possible European alternatives. If this is not the case, measures should be taken to ensure that the requirements of a permissible third-country transfer are also fulfilled and documented. A large number of companies have not yet paid enough attention to the issue, possibly also due to a "grace period" granted by the supervisory authorities – this will probably not be possible for much longer.
On 1 December 2021, the "Gesetz über den Datenschutz und den Schutz der Privatsphäre in der Telekommunikation und bei Telemedien" (also "Telekommunikations-Telemedien-Datenschutzgesetz", short "TTDSG") came into force, in which essentially the data protection provisions from the now old versions of the German Telecommunications Act ("TKG") and Telemedia Act ("TMG") were combined. The length of its name is quite appropriate considering the history of the law's development: after all, it is supposed to transpose the ePrivacy Directive 2002/58/EC from 2002 into national law after almost 10 years.
Although this legislation does not directly concern data protection, it is of such far-reaching importance that it must not be missing from this year's outlook: With the "Gesetz zur Umsetzung der Richtlinie über bestimmte vertragsrechtliche Aspekte der Bereitstellung digitaler Inhalte und digitaler Dienstleistungen" and the "Gesetz zur Regelung des Verkaufs von Sachen mit digitalen Elementen und anderer Aspekte des Kaufvertrags", which come into force on 1 January 2022, as well as the "Gesetz zur Änderung des Bürgerlichen Gesetzbuchs (…) in Umsetzung der EU-Richtlinie zur besseren Durchsetzung und Modernisierung der Verbraucherschutzvorschriften der Union (…)" that will follow on 28 May 2022, the German law of obligations will again be revised. This is definitely a reform that not only consumers but also businesses should keep in mind, especially if they are in the B2C business with digital products.
As is well known, Germany has recently voted in a new government, the so-called "traffic light coalition" consisting of SPD, BÜNDNIS 90 / DIE GRÜNEN and FDP. As a self-declared "progress government," it already has a number of plans in the area of data protection – which can be seen in the coalition agreement: The creation of a Research Data Act, a Mobility Data Act, a Health Data Use Act or new regulations on employee data protection – the to-do list is long. In addition, the digitization of Germany is to be advanced at a rapid pace, among other things in the area of justice. It is unlikely that there will be far-reaching changes as early as 2022. However, it is certainly worth keeping an eye on future developments in this regard.
The same applies to what is happening in Europe, where several major projects are due in the near future: There is the "Digital Markets Act", which aims to regulate large online platforms and thus create a fairer business environment in the European single market. In addition, the Digital Services Act aims to increase the security of platforms and facilitate the removal of criminal content. In the future, the "Artificial Intelligence Act", the world's first attempt at a law to regulate artificial intelligence, could also trigger a need for action on the part of companies.
This contribution, too, cannot entirely do without mentioning the all-dominant topic of the past years: Covid-19. It is to be expected that the year 2022 will still be marked by the effects of the pandemic. As is common knowledge, many people have already failed to predict how the situation will develop in this regard. Nevertheless, it can be said that the so-called "2G" in the workplace or compulsory vaccination could be possible hurdles that pose challenges for companies in terms of employee data protection.