We are living in an era of extraordinary data creation. By 2025, it is estimated that we will be producing as much data every 3 minutes as had been created by all of humanity up to the year 2003. It was evident that 2022 was a milestone year for businesses worldwide in data protection compliance. At William Fry LLP, our annual celebration of the Council of Europe's Data Protection Day, which takes place tomorrow, represents an opportunity to reflect on the notable data protection stories of 2022 and set out our forecasted trends for 2023.
2022 brought landmark developments and was an important year for:
- International Data Transfers: The European Commission introduced a new EU-US data transfer legal framework. 27 December 2022 marked the deadline for businesses to transition from the old to the new standard contractual clauses (SCCs). Various Supervisory Authorities (SAs) made decisions on the compliance of Google Analytics with the General Data Protection Regulation (GDPR).
- Enforcement: The Data Protection Commission of Ireland (DPC) issued final decisions against companies from various industries, including technology, financial services, retail, insurance, education and the public sector. The hugely varied nature of businesses implicated in these decisions demonstrates clearly that all companies across every industry and sector are data-driven. More than ever, increased DPC enforcement shows that businesses should carefully scrutinise the approach to collecting, using and disclosing personal data.
January: The EU Commissioner for Justice, Mr Didier Reynders, provided strong support for the DPC, which was the subject of criticism for being behind in investigating large internet platforms. You can read more about it here.
February: We saw the first decision of a SA, the CNIL, to declare the use of Google Analytics to be non-compliant with the GDPR. This decision was only the beginning of a multiplicity of other SA decisions with the same findings (e.g. Germany, Hungary, Italy, Austria, Denmark, Netherlands, and Norway).
March: The Data Protection Act 2018 (Access Modification) (Health) Regulations 2022 (2022 Regulations) commenced, materially impacting businesses (acting as controllers) that process health data concerning individuals in the context of data subject access requests (DSARs). For a guide to the 2022 Regulations, see here.
April: A significant crossover was established between data protection and emerging technologies, as the Hungarian SA issued a fine following a bank's automatic analysis of recordings of customer service calls by way of artificial intelligence. We explored the decision here.
May: The GDPR reached a significant landmark as it turned 4. In celebration, William Fry released a briefing looking at seven upcoming data-driven pieces of EU legislation that will affect businesses globally. See our briefing here.
September: The DPC issued an administrative fine of €405m to the Instagram owner, Meta Ireland Limited (Meta), taking into account the decision of the European Data Protection Board (EDPB) requiring the DPC to amend its original decision. You can read more about this decision here.
- An Advocate-General Opinion took the view that when competition authorities investigate a breach of competition law, they should consider an alleged breach of the GDPR. You can read more about this decision here.
- The DPC also published guidance that provides welcome clarity for businesses responding to DSARs. See our article for more information here.
- The European Commission gave the green light to a new EU-US data transfer legal framework by publishing its draft decision on US adequacy (Draft Decision). If confirmed by EU institutions, the Draft Decision will pave the way for organisations to transfer personal data from the EU to the United States under an alternative transfer mechanism known as the EU-US Data Privacy Framework. You can read more about the Draft Decision here.
- The end of the year also saw a final push for businesses to implement new EU SCCs before 27 December 2022. This was featured here.
2023 Predicted Trends
2023 promises to be another bumper year for data. Some trends we expect to see are:
- Artificial Intelligence (AI) & Data Protection: We expect that new laws coming down the tracks on AI and other emerging technologies will impact what businesses need to consider when processing personal data. Legal issues surrounding datasets and training data models, including intellectual property (IP) considerations, will emerge. While there are exceptions for text and data mining regarding IP, there are no exceptions regarding data protection. Risk assessments to ascertain whether AI systems are high-risk systems, in which case impact assessments may be required. The EU's upcoming AI Act identifies this as essential to regulating high-risk AI systems. You can read more about the AI Act here.
- Ever-growing cyber-attack landscape & NIS2D: EU Member States will have 21 months to transpose the NIS2 Directive (NIS2D) into their national laws. NIS2D is responding to the increasing number and severity of cyber-attacks within the EU and worldwide. NIS2D aims to ensure a high, common level of cybersecurity across the EU. At this stage, organisations should consider whether their businesses fall within its scope, as they may need to conduct a detailed review of their technical and organisational measures to ensure compliance. To read more about the NIS2 Directive, click here.
- EU-US Data Transfers may get more manageable (for a while) and "Additional" SCCs: Possibly the most significant data protection headline for spring 2023 will be (again!) about EU-US transfers of personal data, as businesses globally wait for EU institutions to give the green light to Draft Decision. We also await the EC's publication of its long-awaited set of SCCs to deal with non-EU based businesses subject to GDPR's extra-territorial effect under Article 3(2) of the GDPR.
- Increased and More Onerous Transparency Obligations: The EPDB's three binding dispute resolution decisions (based on Article 65 of the GDPR), that concerned Meta and reversed the draft decisions of the DPC, create increased transparency obligations for businesses about what they have to include in data protection notices. They must provide significant detail of any processing in clear, intelligible language. Many businesses must revisit their privacy notices following these decisions to ensure compliance.
- An Increasing Move to the Cloud: It is expected that total global cloud spending will grow even faster in 2023. We have seen in our practice a huge take-up by businesses moving from on-premise servers to hosting data on cloud services, such as those offered by Google, Amazon and Microsoft. Cloud services are now the mainstream form of ICT provision for private and public organisations, both large and small, and we are seeing a corresponding increase in cloud deals in the Irish market. Data protection considerations always play a crucial role in any such move, so businesses should be alive to their data protection obligations when doing so. For more insights on the cloud, follow our Digital Transformation Series here.