The year 2020 promises to be an interesting one for privacy and data protection in Europe. In this post, we highlight four of the most important developments to watch this year: 1) we expect that European Union (EU) regulators will ramp up GDPR enforcement across the board, and with a particular focus on AdTech, cookies, and children’s data; 2) legislators and regulators are looking to take concrete measures on AI; 3) the Standard Contractual Clauses will likely have to undergo major reform to escape the same fate as the now-defunct Safe Harbor Framework; and 4) we expect that the proposed ePrivacy Regulation will move forward or be withdrawn altogether.
As early as 2016, the GDPR was hailed as a game-changer that would reshape the relationship of big tech and other organizations with user data, largely due to the potential for massive penalties of up to 4 percent of a company’s global revenue. Despite the steady proliferation of high-profile interrogations of data-rich companies, the expected crackdown has not yet materialized. Investigations are often delayed due to extensive, and often confidential, back-and-forth with the target, or due to court challenges. The Irish regulator, for example, has faced criticism for the long-delayed outcome of its investigations into a number of big tech giants with EU headquarters in Ireland, and the headline-grabbing announcements by the UK regulator that it intends to issue record-breaking fines to Marriott International and British Airways have yet to come to fruition. We expect this to change in 2020.
We anticipate that enforcement actions will take a sudden jump this year. Regulators have been busy handling a backlog of complaints from newly empowered data subjects. As the dust begins to settle, and regulators have scaled up in terms of resources, we expect an increase in larger enforcement actions, including both audits and fines. A number of regulators are already laying the groundwork for this increase. In September 2019, the German regulators published guidelines on how they would calculate GDPR fines, and soon thereafter two different German regulators issued multimillion-euro fines.
Raising the Bar on All Things AdTech, Cookies, and Kids’ Data
Last year, there was a good deal of interest in and engagement on the interlocking AdTech space and cookies rules, as well as the handling of kids’ data. Recent developments indicate that we can expect regulators to crack down hard on companies resisting moves towards compliance. Unfortunately, there is still a great deal of confusion regarding obligations in all three of these areas, making compliance more challenging and enforcement actions more likely.
Guidance was issued by each of the UK, French, German, and Spanish regulators on cookies, and the European Court of Justice (ECJ) delivered its judgement in Planet49 confirming that active opt-in consent is required to set cookies. While a consensus was reached on some points (including the invalidity of implied consent), divergence still exists, for example on the validity of “cookie walls” and the requirement for consent for first-party analytics cookies. How companies operating cross-border will navigate these inconsistencies remains to be seen.
Along with the cookies developments, in June 2019, the UK regulator issued a call to arms to the AdTech industry giving it six months to engage with and seek solutions to the perceived incompatibility between the GDPR and AdTech operations, with real-time bidding in particular. The UK regulator has made positive statements regarding cooperation with the AdTech community but indicates there are still concerns about current practices. The ICO urges organizations, even ahead of an update on its formal position due early 2020, to take action, embedding privacy by design and preparing management for changes ahead. This requirement for change from individual organizations, combined with a lack of certainty as to the way forward, makes enforcement action likely. The one potential benefit of such actions would be additional clarity regarding compliance obligations.
The use of children’s data was a hot topic in 2019, and this shows no sign of letting up. On January 22, 2020, the UK regulator published the final version of its Age Appropriate Design Code. We are also awaiting guidance on kids’ data from the Irish regulator. The UK regulator’s draft version of the code, published early 2019, met with consternation, with fears that it would lead to an age-gated internet. Although clarifications have been made to alleviate these concerns, a seismic shift in how kids’ data is handled is likely.
Establishment of Guidelines and Potential Regulation of AI
The year 2020 will see an increase in the scrutiny of artificial intelligence technology (AI), both in the data protection space and otherwise, and an attempt to reach a Europe-wide consensus on ethical AI. A report published in June 2019 by the EU Commission’s High-Level Expert Group on AI recommends new regulation to “ensure adequate protection from adverse impacts” (concerns include profiling of children, and impact on fundamental rights), and recommends the creation of different “risk classes” to ensure proportionate regulator intervention. The EU Commission has promised that new legislation setting out a coordinated approach on the implications of AI will be presented in early 2020.
Regulators have similarly expressed concerns regarding AI and its impact on profiling and automated decision-making, and its use in other emerging technologies such as facial recognition and deep fakes. The UK regulator, in particular, has focused on this, listing it as one of its three strategic priorities, stressing the importance of privacy by design. It has been working closely with stakeholders to publish a formal consultation paper later this month, with an AI auditing framework and guidance expected in spring 2020.
Despite the effort toward an international consensus on AI, we foresee continued fragmentation across the EU member states, as attempts are made to iron out the tensions between the privacy and ethical risks in AI, and its benefits.
A Shake-Up of the Data Transfer Landscape
In the coming months the ECJ will deliver its verdict on the validity of the EU Standard Contractual Clauses (SCCs) as a means of transferring personal data out of the EU in the Schrems 2.0 case. On December 19, 2019, the Advocate General (AG) issued his non-binding, but indicative, opinion, maintaining that SCCs are valid, but that data controllers, and as a second line of defense, national regulators, should ensure that an analysis is conducted for each data transfer to assess whether the laws where the data importer is located are reconcilable with the SCCs. The AG also expressed concerns regarding the validity of the EU-U.S. Privacy Shield.
We expect the ECJ to closely follow the opinion of the AG in its ruling. Although the AG opinion was in many ways favorable, it left open many issues: a greater burden will be placed on companies and increased regulatory scrutiny of transfers will be encouraged. Although the ECJ is not expected to review the Privacy Shield mechanism, the ECJ’s decision may be indicative as to how the General Court of the EU will rule on the future of Privacy Shield in La Quadrature du Net v Commission. While the SCCs will remain a valid, albeit more highly scrutinized, method of transfer, Privacy Shield for EU to U.S. transfers could be invalidated, leaving companies no choice but to turn back to the now more burdensome SCCs.
One positive result of the increased pressure on SCCs is that we can expect revised versions of the SCCs to finally make an appearance at some point over the coming year. In the latter half of 2019, the EU Commission was seeking input from organizations on updated SCCs, and the Council of the European Union, in its draft position on the Application of the GDPR, called on the EU Commission to update the SCCs to align with recent developments, and for the EDPB to issue new guidance on cross-border transfers.
Continued Lack of Clarity in Relation to the ePrivacy Regulation
We still have no clarity over the future of the long-awaited ePrivacy Regulation and expect little movement on this in the coming year. The future of cookies and electronic marketing remains in flux, meaning organizations will need to ensure that they are operating in line with the existing Directive-driven regime, which is here to stay for the foreseeable future.
Various versions of the ePrivacy Regulation have been presented to the EU Parliament, most recently by the Finnish presidency, with the latest compromise voted down in November 2019. The incumbent Croatian presidency is expected to propose another version in February. The latest debates highlighted the diverging priorities and opinions of the different member states and EU institutions on a number of issues, including the prevention of child abuse imagery and the validity of “cookie walls.” This leaves open questions as to when a new regulation will be agreed upon.
The new EU Commission is left with the choice of either allowing continuous compromises and amendments to be tabled, or withdrawing the draft legislation completely and going back to the drawing board to create an electronic communications bill fit for its new digital aims.