GDPR in 2021: What Happened and What Is Down the Road?

By Petar Todorovski, Data Privacy Specialist. 2 August 2022

Fact-checked by Miklos Zoltan

It is 2022 already, but the GDPR still makes it to the headlines. Aside from 2018, when it first came into effect, 2021 was probably the most exciting year for privacy professionals and businesses that need to implement GDPR into their day-to-day operations.

We are still in the aftermath of the Schrems II decision, which made EU-US data transfers extremely tricky, and in the middle of the negotiations on the ePrivacy Regulation, which is meant to repeal the ePrivacy Directive.

Here we will summarize what happened to the GDPR in 2021 to figure out what has been going on, where we are now, and where we are going.

We will cover:

  • Schrems II Decision effects
  • UK GDPR
  • ePrivacy Regulation
  • NOYB complaints
  • GDPR influence worldwide
  • GDPR fines

    GDPR in 2021

    Schrems II Aftermath

    The Schrems II judgment annulled the EU-US Privacy Shield in 2020. As a result, data transfers from the EU to the US are illegal without supplementary measures, and those measures are not easy to implement.

    This means there are still ways to transfer data from Europe to the United States, but they are so complicated that companies often circumvent the rules rather than respect them.

    Users seem not to care too much about that, but that doesn’t solve the problem. International data transfers must be legal, and companies must know how to make them legal.

    Nevertheless, in 2021 data transfers were a mess. The general perception is that most transfers to the US are not lawful, simply because Standard Contractual Clauses or similar transfer tools are not sufficient on their own.

    Although the EDPB recommended specific additional measures, these measures were overwhelming for most companies or could make the processing nearly impossible.

    Data flows between Europe and the US are too important for technological development, so politicians on both sides of the Atlantic are looking for a solution. The EU-US Trade and Communication Council has also been formed.

    It supports the talks that are underway, and we may expect a specific agreement to be reached soon. Companies transfer data constantly, and most of them are currently on the wrong side of the law. Hence an agreement that simplifies transfers would be a great relief for everyone.

    So far, the European Commission has adopted new Standard Contractual Clauses, but we know that these clauses are not useful without supplementary measures.

    All we know for now is that companies need clear directions and requirements that are easy to comply with.

    The government’s role in this mess is not to make it easy for companies but to ensure that data privacy rights are being protected. Having that in mind, we wait for

    UK GDPR

    A similar mess was about to happen in EU-UK data flows after Brexit. The United Kingdom became a third country that was not on the list of countries with an adequacy decision.

    The UK government found a pragmatic solution: it passed the UK GDPR, a law with the same text as the EU GDPR. That made the European Commission's job easier when the adequacy decision came to the table.

    At the same time, the UK and US governments are pushing for an agreement that would simplify the data transfers between the two countries.

    ePrivacy Regulation

    The ePrivacy Regulation is a new data protection law of the European Union that aims to replace the ePrivacy Directive. Technology has changed significantly since the directive came into effect, hence the need for a new law.

    The regulation will build upon the experiences of the GDPR. The GDPR seems to fall short on the user experience of consent requests, particularly cookie banners, and the ePrivacy Regulation aims to streamline that experience.

    Moreover, it contains provisions to clarify the rules for collecting and processing metadata.

    However, the provisions on cookie banners seem to be the most important. Negotiations were hard and resulted in multiple amendments to the initial draft.

    As things stand now, the user experience regarding cookies would improve by allowing users to refuse cookies through their browser settings.

    NOYB Complaints

    NOYB, whose most prominent member is Max Schrems, has a take on cookie banners.

    Cookie banners are annoying for many internet users. But when they are sneaky and non-compliant, they are very annoying. Max Schrems aims to tackle that.

    The average internet user is not yet aware of how they should be asked for cookie consent. NOYB, on the other hand, does know. That is why they started submitting complaints against random non-compliant websites on the internet.

    Many websites are not compliant yet.

    They had their first win when the Austrian authority decided that data transfers to Google Analytics (GA) were not compliant.

    Worldwide Influence

    The GDPR has a global impact. In the beginning, it raised the question, “Do we need this law?”

    The answer caused many governments worldwide to pass online privacy legislation resembling the EU regulation.

    Here are a few countries that have passed new laws or their laws came into effect in 2021:

    • Non-EU European countries keep introducing laws to harmonize their national legislation with the GDPR. Some of them, such as North Macedonia, aim to join the European Union in the future, hence they have to align their laws with the EU laws. The law in North Macedonia came into effect in 2020, but the enforcement came in 2021. Ukraine, despite uncertainty around joining the EU, has a draft law that is now in a legislative procedure. Very soon, all the European countries, both EU member states and non-members, will have comprehensive data protection laws that protect the online privacy of their citizens and require businesses to meet high requirements.
    • South Africa’s POPIA came into effect on 1 July 2021. It requires explicit consent for the processing of personal data and introduces data subject rights.
    • The Indian government has been working on a new data protection bill since 2019. The Joint Parliamentary Committee has submitted the report that is expected to be the basis of the new law. If everything in the report becomes part of the new regulations, Indian citizens will have data subject rights guaranteed by domestic law for the first time ever. Companies to which the law applies will have to process data based on consent or another legal basis. They will have to report data breaches as well. The law draws inspiration from the GDPR and other similar laws.
    • Dubai is the only emirate of the United Arab Emirates with a comprehensive data protection law, and only for the Dubai International Finance Center. Now all seven emirates are preparing for a federal data protection law that would apply to all companies incorporated in the emirates, as well as to foreign companies processing data of UAE citizens and residents.
    • Australian data privacy law dates back to 1988. It has been updated several times, but it needs another major update. The government has issued a discussion paper outlining what may change in the near future. It follows the trend set by the GDPR. The proposed changes relate to limiting data collection for processing and relying on users’ consent for processing.
    • The Japanese government updated the existing APPI with provisions that make it more similar to the GDPR. Most notably, it introduces data breach notifications and notifications about the disclosure of personal data to third parties. It also recognizes international data transfer as an issue and regulates it in a way that resembles EU law. However, data transfers from Japan to third countries are not as complicated as when the exporter is from the European Union.
    • The Chinese government updated the Chinese data protection law. It is hard to determine whether the GDPR has influenced it, but there is no doubt that the changes resemble EU law. The most important updates relate to international data transfers.
    • Some Canadian provinces, such as British Columbia and Quebec, have brought their provincial legislation closer to Europe’s. Most notably, they require businesses to obtain explicit consent for data processing. These updates have not come into effect yet, but when they do, they will be stricter than PIPEDA, the Canadian federal data privacy law. The federal government has some ideas for updating the federal law, but there are no particular updates yet.

    The US States Oppose the Trend

    Virginia and Colorado have passed new data privacy laws. Oklahoma, Florida, and Massachusetts are the most serious candidates among the states that may follow soon.

    However, these laws are not as comprehensive as the GDPR. The wave of GDPR-like legislation puts pressure on legislators in the US. Yet the laws they pass do not limit data collection and processing, do not require users’ consent for data processing, and guarantee only a limited set of data subject rights.

    Fines

    2021 was the year of the largest GDPR fines.

    According to a survey by DLA Piper, GDPR fines have risen sevenfold since 2020. Aside from the total amount of fines imposed, 2021 brought the largest individual GDPR fines.

    The top 10 of them include:

    1. Amazon Europe was fined EUR 746 Million by the Luxembourg DPA for using customers’ data for targeted advertising without a proper legal basis;
    2. WhatsApp was fined EUR 225 Million by the Irish DPA for lack of transparency, particularly for not disclosing enough details about data collection and processing;
    3. Notebooksbilliger.de was fined EUR 10.4 Million by the DPA of the German state of Lower Saxony for surveilling employees by video without a legal basis;
    4. Austrian Post was fined EUR 9.5 Million by the Austrian DPA for not allowing users to exercise data subject rights by email, despite responding to their requests submitted via its contact form;
    5. Vodafone Espana was fined EUR 8.15 Million by the Spanish AEPD for a number of violations, including wrongful international data transfers and use of personal data of users who had opted out of processing;
    6. Grindr LLC was fined EUR 6.3 Million by the Norwegian DPA for unlawful sharing of sensitive personal data with third parties;
    7. Caixabank SA was fined EUR 6 Million by the Spanish AEPD for processing data without obtaining proper users’ consent for data processing;
    8. Fastweb SpA was fined EUR 4.5 Million by the Italian DPA for a number of violations, including processing personal data without users’ consent;
    9. Sky Italia was fined EUR 3.3 Million by the Italian DPA for multiple violations, including lack of transparency about processing and not obtaining proper consent; and
    10. Caixabank Payments and Consumer EFC was fined EUR 3 Million for not obtaining consent for data processing.

    Final Thoughts

    Having said all this, it turns out that 2021 was a year of navigating the legal labyrinths created by existing laws and judicial decisions, and of expectations for new and simpler laws, while big and small companies alike receive big penalties for non-compliance with the GDPR.

    The events of the past year imply that the most general issues of 2022 will be:

    1. International data transfers. They have become the biggest issue for companies that process personal data on US soil or by using the services of US data processors. Using US processors is the most viable option for businesses worldwide, but US laws do not help. An agreement between the US and the EU may help a lot, though.
    2. Cookie banners. NOYB complaints will likely bring penalties for non-compliant cookie banners. Penalties will make the headlines. The headlines will raise awareness about cookies and about the need to obtain users’ explicit consent. The simplifications promised by the ePrivacy Regulation will be welcomed by businesses and internet users.
    3. Huge fines are real. And no one is spared. We can expect more penalties for smaller businesses as well.
