2022 and 2023 in Baltic Data Protection

17.04.2023

At the end of January, we celebrated Data Protection Day. To mark that annual occasion, TGS Baltic’s Data Protection Team compiled an overview of the key market and enforcement trends in the Baltic region in 2022 and our predictions and recommendations for 2023.

ESTONIA

Key market and enforcement trends in 2022

  • Illegal video and audio surveillance

Similarly to previous years, the data protection authority (DPA) received many questions and complaints regarding the use of video surveillance (including audio surveillance). The main shortcomings identified by the DPA were failures to conduct legitimate interest assessments and properly notify data subjects. The biggest non-compliance levy that the DPA warned data controllers with was 105 000 euros in total (15 000 per each requirement that the DPA ordered the controller to fulfill).

  • Shortcomings in privacy policies

In most supervisory proceedings, the DPA found some shortcomings in the data controller’s privacy policy and ordered them to be remedied (e.g., unclear specification of the purposes and legal basis for processing, retention periods, and recipients; failure to explain how legitimate interest assessments will be made available to data subjects; etc.). An average non-compliance levy that the DPA warned data controllers with was 5000 euros (maximum non-compliance levy for such violation was 20 000 euros).

  • Absence of cookie consent forms

Previously the DPA was not very zealous in enforcing cookie regulations, which have not been properly implemented in Estonian local law. In 2022, however, several compliance notices were given for violations of cookie consent rules. The DPA explained in several cases that the requirement to obtain consent for placing non-essential cookies could be interpreted as being directly applicable from the e-Privacy Directive, while where personal data is involved, the consent requirement arises also from the GDPR. An average non-compliance levy that the DPA warned data controllers with was 5000 euros (maximum non-compliance levy for such violation was 20 000 euros).

Predictions for 2023

  • The DPA’s practices most likely will not change but will become more detail-oriented

Pending more convenient measures (like administrative fines or changes to misdemeanor proceedings), we expect the DPA will continue its current practice of trying to achieve compliance via precepts and warnings (including non-compliance levies). Recall that Estonia’s legal system does not currently allow for the administrative fines envisaged in the GDPR, while sanctioning legal persons through misdemeanor proceedings is said to be inefficient and burdensome for all the parties. The DPA seems to be going into more detail on some topics and a single complaint by a data subject can lead to detailed inspection of multiple documents, from privacy policies to legitimate interest assessments.

  • Hot topics

We expect that the DPA will continue enforcement with regard to surveillance cameras and employee monitoring in general, also making sure that privacy policies are detailed and specific. Furthermore, preventive joint supervision by the DPAs of the three Baltic countries in the field of short-term rental of vehicles (e.g., electric scooters) can be expected to yield results and recommendations.

LATVIA

Key market and enforcement trends in 2022

  • Big fines have arrived

A fine of 1.2 million euros imposed on telecommunications provider Tet for unlawful processing of the personal data of an underage data subject was not the only surprise the DPA served up last year. In infringement proceedings against retailer DEPO DIY, the DPA first imposed a stunning 4.3 million euro fine for invalid consent, only to amend it later to a mere 17 495 euros upon appeal to the DPA director.

  • The DPA knows what cookies you serve

Many companies received warnings from the DPA regarding the use of cookies on their websites last year. Those who hastily complied with the guidance in the warnings mostly escaped unharmed. Failure to swiftly show due respect for the GDPR and the DPA was penalized with infringement proceedings, though so far, to the extent publicly known, none have ended in large fines.

  • Sectoral supervision

The DPA approached several companies and performed in-depth audits in a context of preventive sectoral supervision. The results and, hopefully, useful data processing guidelines, are expected in 2023. Meanwhile, companies in data-intensive sectors should be prepared for detailed inspections, including on short notice.
Predictions for 2023

  • The DPA is expected to be less lenient

The staff hired by the DPA in 2020-2021 has now gained experience and is not afraid to challenge seasoned data protection lawyers. We expect to see a few big fines in 2023, though the DPA will likely continue its practice of mostly imposing warnings and fines of less than 15 000 euros, which generally are not appealed. But the DPA is likely to be less lenient towards outdated or insufficient compliance documents, such as risk assessments.

LITHUANIA

Key market and enforcement trends in 2022

  • Data subjects ready and able to defend their rights

An end-of-year survey conducted for the DPA showed that more Lithuanians know their rights as data subjects and have acquainted themselves with the GDPR, as well as that more people are willing to do research and look up information they do not know or understand when they encounter improper data processing.

That could be why more than 85 percent of significant rulings passed by the DPA this year resulted from investigations started based on the complaint of a data subject. This trend shows that data subjects are more in touch with their rights and will go to the trouble of defending them, so proper compliance and management of data subject rights is becoming more important than ever.

  • Health services

Health service providers were an object of special scrutiny by the DPA last year for a lack of due attention to the higher requirements for special categories of data. Rulings by the DPA show that (i) adherence to data processing principles enshrined in the GDPR (such as data minimisation and confidentiality) is a must, and (ii) that even if adequate procedures are in place, human error can still cause a breach. The latter shows that training is necessary in not only implementing, but also maintaining data security in your organization.

Predictions for 2023

  • Cookies and data protection officers

The DPA’s efforts last year mainly focused on how well data controllers in the public and private sectors comply with requirements related to cookies and on the implementation of requirements for the work of DPOs.

The DPA organized a training session for managers and DPO’s in late 2022. Based on the findings of investigations, we may see guidelines or “dos and don’ts” from the DPA. This, in turn, could be a useful tool for brushing up an organization’s procedures for data management and oversight.

  • Sectors of interest

The results of and recommendations deriving from the preventive joint supervision of the DPAs of the three Baltic countries in the field of short-term rental of vehicles (e.g., electric scooters) can be expected.

However, the final activity reports are still under preparation and other sectors may also be subjected to coordinated audits.

TGS BALTIC RECOMMENDATIONS FOR 2023


Train your people!
Given the increasing number of data breaches and other security incidents that may trigger notification obligations as well as the access and other requests from informed data subjects, it is essential that all employees understand your obligations and be able to properly handle any breaches, incidents, and requests. Mere procedures on paper are a start, but will not get you far.

Update your documents and procedures! While many companies made an effort to have all (or most) data-protection-related documents in place in 2018 when the GDPR became applicable, they have not kept those documents up to date, drafted other missing ones, or put the relevant procedures in place. Compliance is an ongoing process. Both changes in your own practices and new regulatory guidelines and practices require you to keep up to date.

Make sure your SCCs have been renewed! If you rely on Standard Contractual Clauses (SCCs) in your international data transfers, remember that new SCCs were introduced in 2021 and all old SCCs needed to be replaced by 27 December 2022.

 

Article provided by INPLP member: Mari-Liis Orav (TGS Baltic, Estonia)

 

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.