2018 was the GDPR year, but are companies fully compliant with privacy law? What will regulators ask to ensure compliance? Here are our 2019 predictions.
As part of the DLA Piper Intellectual Property & Technology Predictions 2019 (available here), Giulia Zappaterra and Deborah Paracchini provide our privacy law predictions for the new year, which are summarized in Italian in the video and outlined more extensively in the article below.
2018 brought considerable changes to the data protection law world. The EU General Data Protection Regulation No. 679/2016 (GDPR) finally became applicable, introducing into the privacy law context its long-expected innovative principles and rules. But as soon as the GDPR entered into force, the EU Member States began to consider the adequacy of their national legislation. As a consequence, most EU countries decided to adopt new local legislation to review, amend and, therefore, adapt their local laws to the newcomer GDPR.
Companies’ privacy compliance programs need to be fine-tuned to avoid GDPR sanctions
If GDPR sanctions were scary in 2018, they are expected to become scarier in 2019, when Data Protection Authorities (DPAs) are unlikely to continue to follow a tolerant approach.
A few DPAs have already started to impose sanctions under the GDPR. The Austrian Datenschutzbehörde was the first DPA to sanction a company for the unlawful use of a video surveillance system. The German watchdog followed soon after, fining a company for the occurrence of a data breach and, therefore, the violation of art. 32 of the GDPR. Also, a Portuguese health company was sanctioned by the Comissão Nacional de Proteção de Dados for inadequate technical and organizational measures.
Several companies rushed to make their privacy information notices GDPR-compliant by May 25, 2018. Our impression, though, is that after that deadline they “forgot” about the GDPR, adopting privacy policies and notices that are too generic, not transparent, and do not explain what they do with personal data. This happens because they often tackled the GDPR with a pre-GDPR approach, where privacy compliance was, in some cases, confined to a pile of paper that made little sense.
The GDPR requires a profound change in technical and organizational measures accompanied by policies and procedures that can prove privacy compliance to regulators and individuals and justify decisions taken on data processing.
Our feeling is that not much tolerance time is left for companies to ensure privacy compliance. Even if some DPAs are still working on their national laws and provisions to align them with the GDPR, we expect that in 2019 all the European DPAs will be stricter and start issuing GDPR sanctions.
You can read more on this topic in the article “Are privacy fines really massive under the GDPR?”.
National GDPR approaches will further diverge
During 2018, the European Data Protection Board (EDPB) (the former Article 29 Working Party) – a body composed of representatives of the national data protection authorities (DPAs) – started issuing guidelines on the measures to be adopted to interpret the GDPR and comply with it.
Following the example of the EDPB, a few DPAs also adopted resolutions aimed at clarifying the provisions included in the local privacy legislation. However, some EU Member States are still reviewing and finalizing their new local privacy laws implementing the GDPR, so that companies remain uncertain as to the actual application of the GDPR and its principles (at least in certain jurisdictions).
In 2019, however, we can expect that the remaining EU Member States will adopt local provisions implementing the GDPR and, accordingly, that a number of DPAs – following the approach of the EDPB – will provide guidance on the relevant privacy laws, thus helping companies face the challenge of implementing the GDPR.
The potential scenario is that companies will have to deal with at least four layers of regulation: the GDPR; national legislation integrating the GDPR, which in some cases adds further obligations; new EDPB guidelines; and local guidelines from DPAs that are not always consistent with EDPB guidelines and GDPR principles.
This uncertain scenario will make life for companies with European customers even harder than under the previous regime. The GDPR’s goal of ensuring consistency across the EU on privacy laws might turn into a more onerous obligation of localization. The scenario will also depend on the approach to be taken on the one-stop-shop rule, on which you can read “What changes with the one-stop shop rule under the GDPR?”.
Online ePrivacy reform will (probably) come into effect
It is not a surprise that the 2002 EU ePrivacy Directive might soon be replaced by a new EU ePrivacy Regulation, which will likely come into force in 2019 and will supplement the GDPR by setting specific data protection law obligations for electronic communications.
A first draft of the ePrivacy Regulation was already published in 2016, providing several new stringent obligations on companies and organizations that use metadata, tracking software, or other tools to monitor online behavior.
After the GDPR, the ePrivacy Regulation will be the next big thing in the privacy scene, as it will align Europe’s ePrivacy regime more closely with the privacy regime set out in the GDPR, covering the confidentiality of electronic communications and regulating direct marketing, website audience measurement and cookie settings, thus having a wider field of application that includes M2M and IoT data. In fact, according to Recital 2 of the draft ePrivacy Regulation, the Regulation intends to “particularise and complement” the provisions on personal data stated in the GDPR, “translating its principles into specific rules.”
Since this new ePrivacy Regulation may have a major impact on existing business models and digital markets, we should carefully monitor the legislative process to anticipate the changes the Regulation may bring to the data protection world.
On July 10, 2018, the Council of the European Union published the latest revision proposal of the ePrivacy Regulation, but the road towards its final adoption still seems long. However, it cannot be too far off given the rapid growth of technologies, and you can read the latest update on the status of the negotiations on the ePrivacy Regulation in the article “ePrivacy Regulation – Status and interplay with the GDPR.”
Thus, in the next few months, we might expect another significant change in the data protection world and another crazy rush to ensure compliance is likely to start!
This article is an excerpt from our book 2019 Intellectual Property and Technology Predictions.