Data Protection round-up: Key stories of 2019 and forecast for 2020
The protagonist was obviously the General Data Protection Regulation (GDPR) as the European Union Data Protection Authorities (DPAs) found their feet enforcing the new rules.
For businesses 2019 was a year for evaluating GDPR compliance within governance structures, to identify gaps and assess how such governance frameworks were performing at a practical level. Some businesses were held accountable for non-compliance. For example, the CNIL (French DPA) fined Google €50 million for a lack of transparency, inadequate information and a lack of valid consent regarding the personalisation of adverts on its platform. The ICO (UK DPA) announced its intention to fine British Airways €204 million and Marriot International €110 million for breaches of the GDPR while other DPAs also followed suit.
2019 also saw more data subjects exercising their rights. The Court of Justice of the European Union (CJEU) handed down a number of ground-breaking decisions on some of the key concepts and principles under EU data protection and privacy law:
- Fashion ID Case: the CJEU ruled that website operators who embed social plug-ins, such as the Facebook "Like" button, may be a joint controller with Facebook regarding the collection and transmission of website user personal data (gathered from the plug-in).
- Planet 49 Case:the CJEU held that:
- pre-ticked boxes used to authorise the collection of cookies or similar technologies is not a valid consent;
- where consent is required for cookies, such consent must be the GDPR Standard;
- irrespective of whether cookies collected under the e-Privacy Directive are personal data or not, consent must be obtained for any information installed or accessed from a user's device; and
- website operators must inform users about the duration of cookies and whether third parties will have access to cookies.
- Google v CNIL: the CJEU held that the right to erasure under Article 17 of the GDPR did not impose an obligation on Google to effect that right on all versions of its search engine, only those within the European Union.
In Ireland, we see 2020 as a landmark year for the DPC:
- more investigations are likely to be conducted with a particular focus on the ad-tech sector, profiling / algorithmic decision-making, cookies, the quality of consent and the actions of data brokers;
- the DPC is likely to deliver its first public decision in the first six months of 2020 and its first administrative fine under the GDPR; and
- it is reported that the DPC may be the first DPA to lead an investigation involving all the other DPAs under the GDPR's consistency mechanism.
Milestones in European data protection law and practice will continue to capture international audiences in 2020:
- 31 January 2020: the United Kingdom will leave the European Union. However, 2020 should remain a stable year for businesses as the GDPR will continue to apply in the UK until the transition period ends on 31 December 2020. Businesses will need to use this time wisely to put Brexit contingency plans in place. There is still some uncertainty about the application and enforcement of the UK-GDPR that will be enacted in the UK, along with whether (and when) the European Commission deems the UK adequate for the purposes of international transfers of personal data form the EU to the UK.
- February 2020: the long-awaited Schrems II decision will be delivered by the CJEU. Businesses with international operations will hope that the future of Standard Contractual Clauses (SCCs) will be settled. It might be the case that the European Commission will soon issue long-awaited, revised versions of the SCCs, and perhaps some new SCCs for processors.
2020 could be the year when EU regulators agree on the long overdue plan of action for the e-Privacy Regulation. The divergent approaches and different sets of national e-privacy/cookies laws in Member States remain a challenge for businesses, particularly those with multi-Member State remits.
Worldwide the influence and impact of the GDPR is more obvious with 2020 set to be a big year for privacy and data protection legislation globally. In the US, the California Consumer Privacy Act will take effect and has set the standard for other privacy laws in the US to be tabled such as the proposed Virginia Privacy Act, Washington State Privacy Bill, Illinois Data Transparency and Privacy Act and the New Hampshire House Bill. New data protection legislation will also come into force in Brazil and Thailand while countries, such as India and South Korea, are considering more robust data protection laws.
25 May 2020 will mark the GDPR's two-year anniversary, and with it, will come the European Commission's review and evaluation of the GDPR (as set out under Article 97). The GDPR remains a ground-breaking piece of legislation and it will continue to evolve through 2020 as DPA's apply and enforce its provisions and those affected by it take further action to avail of its protections.
Article provided by: Leo Moore
Dr. Tobias Höllwarth (Managing Director INPLP)