We can’t say that 2021 was a peaceful year in privacy land. With 1.1 billion in GDPR fines, it is clear that privacy regulators are on a roll.
As if that were not enough food for thought already, 2022 has also kicked into high gear: the new SCCs must replace the old ones in all contracts by the end of the year, Google Analytics has been banned, and a European task force is sinking its teeth into cloud services for governments. And as icing on the cake, the GDPR seems to inspire numerous other countries…
Time to stop and reflect about what is ahead of us!
PIPL: China’s brand new privacy law
China’s Personal Information Protection Law (PIPL) became effective on 1 November 2021, less than three months after its passage by the National People’s Congress. Like the GDPR, the law has extraterritorial effect, requiring multinational companies in the technology, retail, luxury goods, automotive, financial and other sectors to set up comprehensive compliance programmes.
It is important to see PIPL in the broader context of tech regulation in China. Over the past two years, multiple supervisory authorities in China, including the Cyberspace Administration of China (CAC), which is now in charge of enforcing PIPL, have weighed in with new rules on data security, data transfer, artificial intelligence, and more.
Moreover, the government has already launched numerous enforcement actions against companies ranging from small app developers to big names in Chinese tech.
For companies with a global presence, one of the biggest challenges is complying with a whole set of rules on cross-border data transfers. Chinese law imposes data localisation requirements for certain sectors and categories of data, while other companies can export data from China, but only under certain conditions, such as conducting a safety assessment and submitting it to the CAC.
What about privacy regulations in the US?
As Europeans, we perhaps look too much to the US at the federal level. And despite the consensus on the need for a federal privacy law, no breakthrough is expected in 2022. This is partly due to electoral fever, but mainly due to a deep division between the interest groups. Indeed, the business community strongly opposes recourse mechanisms that go beyond regulation, while others lobby hard to expand the scope of privacy laws to address issues of equality, prejudice and discrimination.
But let us not think that everything is blocked. At least in California, Virginia and Colorado, new privacy legislation will come into force in the course of this year. And in Maryland, Oklahoma, Ohio, New Jersey, Florida and Alaska, they are working hard on it.
Then there are the strategic plans of the FTC (Federal Trade Commission) to be stricter against surveillance-based business models, weak information security and business models based on AI decisions, as well as the tone set by the White House with policy initiatives on privacy (even if these are still only in the consultation round).
It is clear that doing business in the US comes with a lot of regulatory restrictions on privacy!
Europe: a beacon for privacy protection?
GDPR: from data protection to data protectionism
The introduction already gave the tenor: after several years of restraint, in 2021 we saw a clear uptick in GDPR enforcement across the EU. And what is striking is that supervisory authorities have shifted their focus from tackling data breaches to investigating grounds for processing and cross-border data flows.
For 2022, we are already shifting up a gear: the decisions regarding Google Analytics are only a precursor of the declared intentions to tackle the excesses of digital marketing. And what else is on the radar? The protection of the data of minors (hello TikTok?), and the restriction of the use of sensitive medical or financial information.
It has been obvious for a long time that big tech is being targeted. But ordinary technology entrepreneurs also risk being dragged into this battle. Of course, every difficulty also creates opportunities: European initiatives that have been committed to GDPR compliance from the outset may well benefit from this tough approach. Or was that the intention from the start?
The European Data Protection Board (EDPB) as super regulator
The fact that the various supervisory authorities are more inclined to look in the same direction is at least partly due to the role of the EDPB. Where the tone was set last year with a draft opinion on data transfers, we expect more insights this year on the important concepts related to anonymisation. The use of data for research purposes is also at least on the agenda.
A tsunami of extra regulations
As if the GDPR was not enough, there is also a whole series of additional new regulations in the European pipeline. This year, we can still expect steps regarding the Digital Services Act (DSA), the Digital Markets Act (DMA), the Data Governance Act (DGA), the e-Privacy Regulation (ePR), the Network and Information Security Directive (NIS II), but also the AI Act and the Data Act.
Despite the doomsday messages when the GDPR came into force, our corporate landscape was certainly not confronted with privacy compliance as a “big bang” experience.
However, the increasing intensity with which the supervisory authorities are fulfilling their role, spurred on by loud privacy activism, means that anyone who does not take privacy compliance to heart today is acting blindly in the eyes of others.
Moreover, the matter is complex, and subject to constantly evolving insights and additional regulations. All this means that privacy compliance has definitely made its entry into entrepreneurship, alongside other risk factors such as product liability.
Can you no longer find your way among GDPR, DSA, DMA, DGA, ePR, NIS II, PIPL, CPRA and so many more regulations? Talk about it with our experts via email@example.com and get a better view on where exactly your risks manifest themselves.
Written by Kris Seyen, Partner at theJurists