28 January is Data Protection Day. The purpose of the day is to raise awareness and promote privacy and data protection best practices. To mark the day, our Tech & Data Team has summarised the key regulatory trends for 2023 in tech & data.
International data transfers
New framework for EU-US data transfers
On 13 December 2022, the European Commission published its draft adequacy decision on the new EU-US Trans-Atlantic Data Privacy Framework (“TADPF”), a framework that aims to facilitate data flows between EU-based companies and certified US companies. There are still some steps to take in the ratification process, such as the opinion of the European Data Protection Board (“EDPB”) (which we expect in the coming weeks), but the final adequacy decision is expected to be adopted in July 2023 (see our previous Law Now for more information). For EU-based companies that rely on services provided by US tech providers in their day-to-day operations, this is a welcome development after the Court of Justice of the European Union (“CJEU”) invalidated the previous frameworks for transatlantic transfers in its Schrems I and Schrems II decisions. Indeed, as soon as the adequacy decision is officially adopted, EU companies will no longer have to put in place standard contractual clauses (“SCCs”), perform transfer impact assessments (“TIAs”) or implement additional technical and organisational measures for transfers to certified US companies.
Be aware, however, that the TADPF is not a silver bullet:
SCCs, TIAs and additional safeguards will still be required for data transfers to non-certified US companies or to third countries other than the US.
Privacy activist Max Schrems has already stated that he will challenge the validity of the TADPF on the grounds that it is allegedly in flagrant breach of fundamental rights. A Schrems III decision by the CJEU is thus not out of the question.
Will the EU impose “sovereignty requirements” for cloud providers?
The European Union Agency for Cybersecurity (“ENISA”) is working on a cloud certification scheme that will make it virtually impossible for cloud providers that transfer their customers’ data to non-European recipients to obtain a “high” certification level. 2023 could be the year in which the EU finally takes a clear position on whether it will effectively go ahead with this controversial proposal. See the section Cloud security certification: bye bye “sovereignty requirements”? below for more details.
There were some bombshell decisions affecting the adtech industry in Europe in 2022, and we don’t expect 2023 to be any different.
The year started with the much-anticipated decisions (see here and here) in which the Irish Data Protection Commission (“DPC”) essentially ruled that targeted and personalised advertising on social media platforms cannot be deemed to be an inherent part of the social media service and therefore requires the users’ express prior consent. The DPC imposed around 400 million euros in fines for failure to obtain such consent. If these decisions are upheld on appeal, they will significantly affect the effectiveness of advertising on social media. Custom audiences and lookalike audiences, for example, will be limited to only those social media users that have consented to the use of their data for personalised advertising on social media.
The IAB Europe saga is also far from over. The Belgian Data Protection Authority (“BDPA”) decided on 2 February 2022 that IAB Europe was responsible for processing personal data under the Transparency and Consent Framework (“TCF”), a widespread mechanism that facilitates the management of user preferences for online personalised ads. IAB Europe has since appealed the DPA decision and the Court of Appeal referred certain key points to the EU Court of Justice for a preliminary ruling. Further clarifications by the CJEU are now expected in 2023 regarding the TCF, including the definitions of personal data and joint controllers.
On 17 January 2023, the EDPB published a report prepared by its Cookie Banner Taskforce. The report sets out a common EU-wide interpretation of the relevant provisions of the ePrivacy Directive and the General Data Protection Regulation (“GDPR”), regarding topics such as cookie reject buttons, pre-ticked boxes, banner design and withdrawal icons.
As we await ratification of the commitments made by the US, it is probable that there will be additional developments regarding the illegal transfers of analytic tools to the US and potential additional measures that may be taken. This is part of an EU-wide initiative. Previously, positions had already been taken by data protection authorities such as the Austrian DPA, French CNIL, Italian Garante, Danish Datatilsynet and Spanish AEPD (which took an unexpected stance).
Europe’s increased privacy enforcement will likely result in radical changes to online advertising. Advertisers are expected to move away from the use of third-party cookies and to push for less privacy-intrusive alternatives. 2023 will likely be a pivotal year in that transition.
Implementation of the Whistleblowing Directive: are we going to see an avalanche of GDPR-based complaints?
The Belgian Parliament has finally approved the Act implementing the EU Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law, commonly known as the Whistleblowing Directive, in the private sector (“Whistleblowing Act”). It was published in the Belgian Gazette on 28 December 2022 (in French/Dutch) and will enter into force next month (on 15 February 2023).
The Whistleblowing Act allows people to report numerous kinds of breaches, internally or externally, without fear of retaliation, including regarding the protection of privacy and personal data (under the GDPR) and network security. For instance, a whistleblower can file a report if he/she is required to use an app from his/her employer that is continuously tracking him/her. As a result, some of the competent authorities to receive reports on such violations (and to enforce the Whistleblowing Act effectively when necessary) are going to be data protection authorities, including the BDPA. This will entail extra work, including additional notifications. Some data protection authorities, such as the French CNIL, are already making changes to their standards of best practice for processing such personal data in the context of whistleblower hotlines, but others, such as the Autoriteit Persoonsgegevens, are warning about the need for additional structural resources. Making a report can have major personal consequences for a whistleblower; he/she must be confident that his/her report will be considered carefully and seriously.
New EU cybersecurity rules
The EU Directive on measures for a high common level of cybersecurity across the Union (“NIS2 Directive”) entered into force on 16 January 2023. EU Member States will have to implement this new directive by or before 18 October 2024. The NIS2 Directive will repeal and replace the current Directive concerning measures for a high common level of security of network and information systems across the Union and bring more harmonisation by setting out minimum rules.
The NIS2 Directive broadens the list of sectors and activities that are subject to cybersecurity obligations by adding new sectors (such as wastewater and space) and new types of entity (such as EU reference laboratories, manufacturers of certain medical devices and pharmaceutical products, data centre service providers and providers of public electronic communications networks or services). Entities covered by the NIS2 Directive will need to register with the competent authorities.
The NIS2 Directive also provides that essential and important entities must adopt cybersecurity risk-management measures that are proportionate to the risk posed, including policies on risk analysis and information system security, incident handling, supply chain security and cybersecurity training. Management bodies of such entities can be held liable in the event of non-compliance.
Essential and important entities will have to report significant cybersecurity incidents to the relevant Member State’s computer security incident response teams or to the competent authorities within 24 hours. This early warning must be followed by an incident notification containing an initial assessment of the incident (within 72 hours) and a final report (within one month of the incident notification).
Cyber Resilience Act: not for 2023
This year the EU Parliament and the EU Council will continue their work on the EU Cyber Resilience Act (“CRA”) which, among other things, aims to ensure that internet of things (IoT) products will be placed on the market with fewer cyber vulnerabilities. For further information about the CRA, see here. Although intensive negotiations are expected on the CRA in 2023, we do not expect it to be adopted this year.
Cloud security certification: bye bye “sovereignty requirements”?
ENISA recently proposed a draft Certification Scheme on Cloud Services (EUCS) which sets certain “sovereignty requirements” for cloud providers that want to obtain a “high” certification level. These requirements include a main establishment rule, which states that a cloud provider’s HQ must be in the EU and cannot be owned or controlled by a non-EU entity, as well as the requirement for maintenance, operations, and data to be located within the EU, effectively prohibiting international data transfers. This draft scheme has caused quite some turmoil, with five Member States insisting on conducting an impact assessment before adopting the scheme. 2023 could be the year in which the EU finally takes a clear position on the EUCS.
The avalanche of new EU tech laws is not over quite yet
In 2022, the EU adopted the Digital Markets Act (“DMA”) and Digital Services Act (“DSA”) introducing new EU-wide rules protecting users of digital platforms and services and aiming to establish a level playing field for businesses. We previously wrote about the DMA (here) and the DSA (here). The EU also adopted the Data Governance Act that aims to make more data available by regulating the re-use of publicly held, protected data, by boosting data sharing through new data intermediaries and by encouraging data sharing for altruistic purposes.
But that is just a prelude to what’s coming in terms of EU laws regulating the digital economy. The EU is working on a Data Act that aims, among other things, to set conditions for access to data on connected devices and related services. This legislation is expected to have a significant impact on businesses that produce connected devices (connected vehicles, connected thermostats, etc.) and on businesses that want to have access to data generated by the use of such devices and related services. If your organisation belongs to either of those categories, then you should keep an eye on the legislative process. However, we do not expect the Data Act to be adopted this year.
The draft AI Act is yet another piece of upcoming EU legislation in the tech space. The draft AI Act, which aims to regulate the high-risk use of AI, is currently being debated in the EU Parliament. It is expected that the Parliament will have its plenary vote in late March this year. The draft would then be part of the trilogue discussions in the early summer. If so, there is a fair chance that the AI Act will be adopted this year.
In September last year, the EU Commission published a proposal to regulate liability for AI. The draft AI Liability Directive aims to ease the burden of proof for individuals suing for damage resulting from AI systems and to introduce new disclosure requirements for “high-risk” AI systems. We do not expect this piece of EU legislation to be passed this year.
Will 2023 bring a breakthrough for the e-Privacy Regulation?
In 2017, the EU Commission published its proposal for a regulation on e-privacy. The e-Privacy Regulation is meant to update the current rules on cookies, data retention, e-marketing and telecom privacy. The regulation is still not adopted and one of the main sticking points is data retention. To put it simply: many Member States do not want the regulation to contain far-reaching restrictions on Member States’ ability to require telecom companies to retain telecoms metadata for law enforcement purpose while the EU Parliament takes a more privacy-oriented view. The e-Privacy Regulation won’t be adopted as long as this political disagreement remains unresolved. Maybe the breakthrough will come in 2023. If not, the chances are high that the draft regulation won’t be adopted before next year’s EU elections (May 2024).
Happy Data Protection Day from the Tech & Data Team!