It seems there will be a packed agenda for EU and UK data protection this coming year. We set out below the 5 hot topics to watch in 2022 including expected legislative reforms, the most interesting cases to follow, and areas which are expected to continue to receive regulatory attention.
- Increased Enforcement Action: Last year marked a year of record breaking GDPR fines – including the largest fine to date of €746 million ($888 million). Indeed, this trend is expected to continue into 2022. Whilst to date these fines appear to have been reserved for some of the biggest players in the technology space, the lessons learned are transferrable across industries. In particular, a case before the European Court of Justice (“CJEU”) may ultimately require changes to privacy notices. Likewise, the claims brought by “None of Your Business” in the context of the unfair use of algorithms such as for recruitment purposes, should be monitored closely.
- Data Breaches and Cybersecurity: Cybersecurity and data breach reporting requirements remain priority issues for both businesses and regulators. Ransomware and distributed denial-of-service (“DDoS”) attacks are, according to the European Council, on the rise. Cyber incidents do not discriminate – indeed, as stated in the recently published Verizon report, all types and sizes of businesses are being targeted by financially motivated attacks in near equal measure. In turn, efforts are being made by regulators to respond to the increasing threat with EU countries agreeing to strengthen cybersecurity measures across a range of industries through the EU’s draft Cybersecurity Directive (“NIS2”) and a proposal for a Cybersecurity Resilience Act. The UK Information Commissioner’s Office (“ICO”) has also reported that cybersecurity is a key priority for them with a particular focus on more “sophisticated” attacks. Companies should in turn, seek to be pro-active in maintaining strong, state-of-the-art security systems.
- International data transfers: Schrems II related projects should remain a priority for businesses, especially given the recent focus on international transfers by regulators such as the Austrian Data Protection Authority (“DPA”) who began the year by upholding complaints against companies for unlawfully exporting EU website visitors’ personal data to non-adequate jurisdictions, including the US. Businesses should continue to be aware that jurisdictions not deemed to be “adequate” must implement additional safeguards to transfer data out of the EU, e.g., through use of the EU’s new Standard Contractual Clauses (“SCCs”) or Binding Corporate Rules (“BCRs”). The UK is also expected to finalize its own SCCs called an International Data Transfer Agreement (“IDTA”) (instead of adopting the new EU SCCs), in early 2022 although a specific release date has not been announced. Likewise, the EDPB is also expected to update its BCR requirements, and finalise its guidelines on the interplay between Article 3 of the GDPR (on the territorial scope of the GDPR) and the provisions on international transfers in Chapter V of the GDPR. The EDPB also will likely publish new SCCs addressing the scenario where an importer is outside of the European Economic Area (“EEA”) but is subject to the GDPR later this year.
- UK – broad data protection reforms: 2022 is likely to be a busy year for UK data protection reform following last year’s publication of the “Data: a new direction” report by the UK government. The reforms are intended to create an ambitious, pro-growth and innovation friendly UK data protection regime supporting the trustworthy use of data. For a summary of the key proposals and the reaction of the UK ICO, please see our previous blog-post here. Aside from this, the ICO has announced expected reforms to the Data Protection Act 2018, and further work regarding the draft Online Safety Bill and the Age Appropriate Design Code.
- Emerging technologies and AdTech: A key focus for businesses (and regulators) in 2022 will be the use of emerging technologies such as, artificial intelligence (“AI”). There are currently a number of ongoing / proposed legislative reforms in this space including, the EU’s proposed Artificial Intelligence Act (as summarized in our blog-post) and the UK’s pending AI Whitepaper. Further, Spain recently became the first EU Member State to establish a Supervisory Agency specifically relating to AI. Whilst businesses should continue to monitor these regulatory developments, action should be taken now to ensure their use of such emerging technologies are made in compliance with existing data protection laws. In doing so, the ICO’s draft AI toolkit is a good place to start as it provides a form of auditing framework for companies to assess compliance.
ePrivacy, platform regulation and advertising technology or “AdTech” regulation will also be a focus for the EU this year with a package of reforms expected—including final agreement on the proposed ePrivacy Regulation. Companies will need to be sensitive to changing expectations in this regard and may need to explore new dynamic means of seeking consent and providing notice to individuals to ensure data is handled in a compliant way.
The EU also continues to grapple with cookie compliance. On 19 January 2022, the EDPB adopted a letter calling for a consistent interpretation of cookie consent. To aid this, the EDPB has set up a taskforce on cookie banners to coordinate a response to complaints regarding cookie banner compliance and adopt further guidelines on consent. Expect further enforcement action regarding cookie compliance from DPAs in 2022.
The above key points give a flavour of where developments, debates and trade-offs are likely to occur, especially regarding how to balance data privacy against innovation. One thing is clear: from a data protection perspective, 2022 is likely to be a dynamic year for businesses, legislators and regulators alike.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.