Technology | Summary of the Data Privacy Year 2022
A wave of new legislation
Even as companies are coming to terms with the GDPR, another wave of legislation has been passed in the EU and will be applicable for the EU member states from next year. The EU Commission (Commission) is expanding the lens from an early focus on personal data to data in general. The Commission has just this year passed the Digital Services Act (DSA), Digital Markets Act (DMA), Data Governance Act (DGA) and Data Act (DA) – a cocktail of tech regulation affecting digital platforms, digital services, sale and distribution of data and more. Most of these regulations are currently being assessed in the EFTA countries, hereunder Norway, but it’s assumed that they will pass for these jurisdictions as well. Further increasing the difficulty of navigating the legal terrain when processing personal and non-personal data.
In addition, industry leaders are currently keeping their eyes on the proposed Artificial Intelligence Act (AIA) which has broad implications for the development and use of artificial intelligence, as well as the proposed Network and Information Security Directive (NIS II) which aims to achieve a high common level of cybersecurity within the EEA (EU/EFTA-countries).
Schrems II
In 2020, the CJEU invalidated the EU-US Privacy Shield with immediate effect. The invalidation meant that the thousands of businesses using this scheme for transferring personal data from the EU to the US would break the law if they continued to do so. Businesses worldwide are still dealing with the fallout, and the consequences are still unclear. The EDPB have adopted two documents to help businesses be compliant when transferring personal data to countries outside the EEA. The first document is “Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”, which gives recommendations on which assessments must be done before the company may transfer personal data outside of the EEA. The second document is “Recommendations on the European Essential Guarantees for surveillance measures” which helps businesses assess the risk of surveillance in the third country.
New guidelines issued by the EDPB
In 2022, the EDPB issued several guidelines to clarify the law in certain areas of privacy law and lower the difficulty for being compliant with the GDPR. Inadvertently, some of these guidelines increase the difficulty with staying compliant, given their high-level of detail.
Guidelines from the EDPB give insight to the Supervisory Authorities’ stance on various issues. They should therefore be viewed as a supplement to the GDPR, even though they are not legally binding. These are some of the guidelines issued by the EDPB in 2022:
- Guideline 01/2022 on data subject rights – Right of access: This guideline tackles varies questions and issues concerning the implementation of the right of access. A consequence of the issuing of the guideline, is that EDPB’s interpretation might increase the burden on data controllers when handling access requests, due to its thoroughness.
- Guidelines 03/2022 on Dark patterns[1] in social media platform interfaces: This guideline includes best practice recommendations to designers and social media platform providers on how to assess and avoid dark patterns that may violate the GDPR.
- Guidelines 04/2021 on Codes of Conduct as tools for transfers: Complements Guidelines 01/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679. This guideline provides clarification on the use of codes of conduct as transfer mechanisms, what actors are involved in the development of different codes of conduct, what should be included in codes of conduct and the process for adopting codes of conduct.
- Guidelines 07/2022 on certification as a tool for transfers: This complements Guidelines 01/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation. The guideline focuses on the purpose, scope and the different actors involved. It also provides guidance on accreditation requirements for certification bodies and specific certification criteria for demonstrating the existence of appropriate safeguards for transfers.
- Guidelines 09/2022 on personal data breach notification under GDPR: This provides practical guidance on the obligations in Articles 33 and 34 to notify personal data breaches to public authorities and data subjects. An important takeaway from the guideline, is that non-EU based data controllers with representatives in the EU must report data breaches affecting data subjects in multiple member states to the data protection authorities in all those member states.
New report from the Norwegian Privacy Commission
The Norwegian Privacy Commission (Privacy Commission) was appointed in June 2020 for the purpose of investigating the overall situation for privacy in Norway and highlight the most important challenges. The Privacy Commission published its findings in 2022 and deemed the following issues as important:
- The use of manipulative design
- Prohibition of surveillance-based marketing
- Countering monopolies
- The use of biometric remote identification
- Strengthening of supervision
We particularly note that the Privacy Commission proposes specific measures regarding the use of personal data in schools and kindergartens, as well as behaviour-based marketing towards children and young people and prohibiting the use of sensitive personal data in such marketing. The Privacy Commission’s majority also believes that it should be investigated whether a general ban is necessary to protect Norwegian and European consumers. These issues have also been highlighted by several other member states, and it seems that there is consensus regarding the need for tackling these issues. This may result in more national privacy legislation restricting businesses in their marketing activities, as well as an uptick in supervision of companies’ marketing activities from supervisory authorities.
BAHR’s view
With its new regulations, the Commission will add several layers to the regulation of personal data and data in general. We expect these new regulations to increase the difficulty in navigating the legal terrain for businesses that seek to stay compliant both when it comes to processing personal data, as well as data in general. Especially considering that these regulations will also apply to personal data, already governed by the GDPR. Given the broad advantages in applying data and personal data in businesses, we expect that there will be an increase in businesses affected by these regulations in 2023 and beyond.
In 2022, the Commission and the EDPB have increased their scrutiny of businesses processing large amounts of data, specifically platforms and monopoly-like businesses. This will most likely continue to be a theme going into 2023, and we suspect that these businesses will continue to face increased scrutiny and supervision. Furthermore, it may be that the expectations are raised regarding businesses’ compliance with the GDPR, given that it has been 5 years since it came into force. This may result in increased supervision and an uptick in fines for non-compliance.