As we enter H2, NDA asked several industry figures about the key developments in 2021 and what’s to come. This time it’s Julie Rubash, Chief Privacy Counsel at Sourcepoint.
The GDPR was a true reckoning for digital practices in Europe and around the globe. However, as with any privacy law, reform will be necessary to reflect new innovations in data collection, use, and protection.
Currently, the law has built-in flexibility to adapt as technology evolves. It allows controllers and processors to apply the “appropriate technical and organisational security measures” rather than dictating specific measures. It also encourages the creation of codes of conduct to take account of the specific needs and features of various sectors, which should allow the law to stand up in the meantime.
However, there are still improvements to be made. We’re likely to see an increase in legal enforcement, as the invalidation of the Privacy Shield in Schrems II will drive increased pressure for countries outside the EEA to achieve adequacy. Separately, we’re starting to see more extraterritorial enforcement, which will likely continue. The Collective Redress Directive, which was launched on 24 November 2020, will begin to be implemented under the Member-State mechanism. This will require European Member States to put in place at least one procedural mechanism that allows for collective claims; this scope includes GDPR, and it will increase the risk of class action claims. It means that collective action can be brought against traders if they have allegedly violated EU law in the broad area of data protection.
We’ll also see increased enforcement of local cookie guidelines, which I imagine will increase the complexity of the nuances of cookie consent across jurisdictions. A resolution for this is a comprehensive approach to consent.
In the year ahead, we’ll see a more thorough approach to GDPR. Companies will employ comprehensive privacy and data ethics programs that can anticipate and plan for future laws and industry trends, instead of the simplistic checkbox approach to a single law.
An additional challenge facing GDPR implementation is the one-stop-shop mechanism, which is designed to ensure cooperation and consistency where one supervisory authority’s decision may affect a significant number of data subjects in other Member States.
The purpose is sound in theory; however, recent case studies show that the complexity of the process works against those purposes, leading to friction between Member States and confusion for companies involved in cross-border processing. This confusion spirals into an inconsistency in application of local guidelines and ultimately an inconsistent and confusing experience for data subjects.
A revised process that removes the complexity and creates clear, objective enforcement procedures would likely result in a better, more consistent, experience for supervisory authorities, companies and data subjects.
Pressure continues to increase for EU and US authorities, which has been exacerbated by the inquiry into Facebook’s cross-border transfer mechanisms from the EU to the US from the Irish Data Protection Commissioner. The resulting precedent may lead to further uncertainty for businesses that rely on data transfers between the EU and the US. Hopefully, EU and US officials see the criticality of prioritizing and expediting negotiations to find a framework that both provides certainty for businesses and protection for data subjects.