25 May 2022 marks the fourth anniversary of the General Data Protection Regulation (EU) 2016/679 ("GDPR"). Over the course of its first four years, some common themes have dominated the GDPR landscape. This update looks at those common themes in Ireland and across Europe.
The challenge of achieving GDPR-compliant international data transfers, covered in our earlier updates, has not receded.[1] The US and EU announcement in March 2022 that a political agreement had been reached on a replacement for the Privacy Shield is welcome;[2] however, there is no firm commitment as to when the agreement will be published for European Commission review.
In the meantime, standard contractual clauses ("SCCs") continue to be the primary means used to legitimise data transfers. The 27 December 2022 deadline for the old transfer SCCs to be replaced by the new 2021 SCCs is fast approaching. Businesses that have not yet begun this transition will need to move swiftly to adopt the 2021 transfer SCCs and complete any necessary transfer impact assessments. To assist businesses in their transition to the 2021 SCCs, the European Commission published Questions and Answers on the New Standard Contractual Clauses on 25 May 2022.[3]
Data breaches continue to be a relatively common occurrence and a focus for the Data Protection Commission ("DPC"). In January 2022, the European Data Protection Board ("EDPB") published the final version of its guidelines on examples regarding personal data breach notification,[4] to assist controllers in responding appropriately to data breaches.
Data Access Requests
For the fourth consecutive year since the GDPR's introduction, data subject access requests were the most common category of complaint handled by the DPC. The DPC has expressed concern about the adequacy of organisations' responses to data subject access requests, noting that controllers who are the subject of a complaint have often:
- Failed to perform an adequate search for the relevant data;
- Not advised the data subject that certain data is being withheld; or
- Failed to respond within the required timeframe.
The DPC has also identified an emerging pattern of controllers not responding to data subject access requests at all, and/or not responding to the DPC's complaint commencement correspondence. This highlights the importance of organisations having appropriate response procedures in place for access requests, as many of these complaints could have been avoided if an adequate response had been given in the first instance.
Cookies and the Adtech Industry
Cookies compliance continues to be a key focus area for EU data privacy activists and regulators. Fines for non-compliance in relation to cookies are on the rise: in January 2022, the French data protection authority fined Google and Facebook a combined €210 million for failing to have proper processes for cookies on their websites.
Adtech has relied heavily on cookies for some time. It recently suffered a blow when the Belgian supervisory authority held that IAB Europe's Transparency and Consent Framework ("TCF") infringed the GDPR. Over 80% of European websites and apps, including those of Google and Amazon, rely on the TCF to legitimise digital advertising via cookies. IAB Europe is appealing the decision, but with big tech companies such as Google announcing plans to phase out support for third-party cookies in the near future, it is likely that the adtech industry's reliance on third-party cookies will reduce.
The number of headline-grabbing GDPR fines imposed on big tech has increased. The EDPB recently published draft guidelines on the calculation of administrative fines under the GDPR.[5] These aim to harmonise the approach to fining across European supervisory authorities by introducing a five-step methodology for calculating GDPR fines.
Until August 2021, the €50 million fine imposed on Google in 2019 was the highest GDPR fine on record. As of May 2022, it is only the sixth highest fine imposed for breaches of the GDPR, with the Amazon (€746 million), WhatsApp Ireland (€225 million), Google Ireland (€90 million), Facebook (€60 million) and Google LLC (€60 million) fines each exceeding this figure. The WhatsApp fine of €225 million is the largest imposed by the DPC to date. More recently, the DPC fined Meta €17 million following an inquiry into 12 data breach notifications.
Criticism of the DPC's enforcement against big tech has escalated. In March 2022, Dr. Johnny Ryan brought judicial review proceedings in respect of the DPC's alleged failure to progress its investigation into Google's and IAB's processing of personal data following a complaint filed in 2018. In April 2022, the DPC settled judicial review proceedings brought by the non-profit organisation noyb in relation to the delay in the DPC's investigations into Facebook and Instagram. The European Ombudsman's report on its inquiry into the European Commission's monitoring of how the GDPR is applied in Ireland is expected in the coming days.
Looking ahead to the GDPR's next 12 months, these themes will continue to occupy data subjects, businesses and regulators. The complexity of the GDPR landscape will increase with the finalisation of the Digital Services Act,[7] the AI Act[8] and Member States' implementation of the Collective Redress Directive,[9] while we await the long-anticipated adoption of the draft E-Privacy Regulation, which appears to have stalled in negotiations between the European Parliament, Council and Commission.
[6] Our review of the DPC's 2021 Annual Report provides a detailed breakdown of the DPC's 2021 activities: https://maples.com/ireland-update
[7] The Commission's original proposal for the DSA can be found here: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=COM%3A2020%3A825%3AFIN
The full text of the European Parliament's updated draft of the DSA, including a comparison against the Commission text, can be found here: https://www.europarl.europa.eu/doceo/document/TA-9-2022-0014_EN.html
[8] The Commission's proposal for the AI Act can be found here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52021PC0206
[9] The text of the Collective Redress Directive (EU) 2020/1828 can be found here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32020L1828
Member States are required to adopt implementing measures for the Collective Redress Directive by 25 December 2022. Drafting of Ireland's national implementing law has commenced: https://www.gov.ie/en/press-release/fe012-government-agrees-new-enforcement-rights-of-mass-harm-of-consumers/
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.