What’s in Store for 2023?
Exclusive Insights from Thought Leaders on Developments and Trends in the Privacy Landscape
As we worked out in our recent report What to Expect in 2023: Trends and Predictions for Data Privacy, 2022 was a pretty busy year for privacy professionals. We saw a lot of enforcement actions such as:
- The second-highest GDPR fine ever,
- Critical statements of supervisory authorities on certain popular products of BigTech (Google Analytics, Microsoft 365) and
- The waves of warning letters regarding Google Fonts in the DACH region.
At the same time, regulatory developments as part of the EU Digital Strategy and the enactment of a successor to the infamous Privacy Shield gained particular momentum. While the global pandemic is in retreat, troops are marching elsewhere, keeping the Western world on edge.
During such times of uncertainty, it is particularly challenging to look into the crystal ball. We nevertheless dare to try and have asked leading experts in the data protection landscape for their assessment of trends and developments this year.
The viewpoints in this article are intended to help you to align or adapt your data protection management system and strategy accordingly to be ready for 2023 – to not only ensure data privacy, but improve it.
International Data Transfers – Final Chapter or Never-ending Story?
The topic of “international data transfer” has been a permanent guest on the agenda of privacy professionals across the globe since the Court of Justice of the European Union (CJEU) overturned the Privacy Shield in its infamous Schrems II decision on July 16, 2020. And it was not easy to deal with the aftermath in practice.
“The legally compliant design of data transfers from Europe to the USA was one of the most frequent, complex and time-consuming issues that data protection officers (DPO) in companies had to deal with over the last two years”, says DataGuard’s Practice Lead International Privacy and Compliance, Dr Frank Schemmel.
Fortunately, a lot has happened in terms of succession planning, especially at the end of last year when the Biden administration published an Executive Order and additional information on how the U.S. side will cope with the requirements stipulated by the CJEU and the European Data Protection Board (EDSA), shortly followed by the EU Commission taking that into account and incorporating those commitments into a draft adequacy decision.
As expected, discussions then began in the data protection community as to whether the measures promised by the U.S. were sufficient to meet the high requirements of the CJEU. Certain supervisory authorities also joined the discussion, with some of them criticizing the proposed measures. Since the EDSA can only issue a non-binding opinion in the process of enacting an adequacy decision and must adhere to what the EU Commission crafts, some may wonder whether such individual critical statements by supervisory authorities are a curse or a blessing.
Carlo Piltz, Partner at Piltz Legal and one of Europe’s most active voices in privacy, has a clear opinion when asked how helpful statements from individual regulators on possible deficiencies in the Executive Order and adequacy decision are and whether they confuse more than they help:
“Personally, I appreciate different opinions and views, even among supervisors. In the end, of course, a different assessment is possible. However, I don't necessarily see this as a disadvantage from the company's point of view. Because, in the end, the statements of the supervisory authorities are also first of all (legal) opinions and not binding. It is therefore also possible to take a different view.”
There are many tips available on how to deal with international data transfers in future. In this respect, we often see in practice that data controllers try to implement several layers and mechanisms to stay compliant with the General Data Protection Regulation (GDPR). But is double really better?
“From a purely legal point of view, I honestly take a critical view of double coverage, i.e. with the additional conclusion of SCC. Art. 46 GDPR clearly states that the guarantees, such as the SCC, only apply if no (!) adequacy decision exists (“In the absence of a decision pursuant to Article 45(3)…”). However, one must take a close look here: which transfers are actually subject to the Privacy Framework, and which must be made on the basis of the SCC? Of course, out of caution, there will always be a situation in practice where companies nevertheless conclude the SCC in addition. This situation already existed under the former EU US Privacy Shield,” says Carlo Piltz when asked what (if anything) companies should do after the adequacy decision comes into force to avoid potential liability risks and whether it is worthwhile to conclude standard contractual clauses (SCCs) in parallel. And we do agree with him.
“It should not be an end in itself or an automatism to always and in every case conclude SCCs. Rather, a case-by-case approach is the method of choice in such cases,” is the conclusion by Dr Frank Schemmel.
Privacy Fines and Litigation Will be Making the Headlines
From January to October 2022, European watchdogs imposed fines of more than 550 million euros. Google Analytics has been classified as non-GDPR compliant by supervisory authorities in Austria, France, Italy and Denmark while German authorities see great need for improvement in Microsoft 365 and questioned its data protection compliance, resulting in Microsoft launching its EU Data Boundary services earlier than planned.
At the same time, NGOs like noyb continued filing complaints with authorities over shortcomings in websites, and last but not least, litigation on damages over GDPR infringements saw an all-time peak in Europe with several cases pending before the CJEU. That was 2022. But what about 2023?
Will 2023 be a year of upheaval, leading away from pure enforcement measures on the part of supervisory authorities and toward enforcement under private law?
“I think we will continue to see a mix of both,” says Carlo Piltz. “I also think that the enforcement of the GDPR by the regulators is not yet up to full speed.”
Our DataGuard expert Dr Frank Schemmel agrees but also points out: “In my opinion, there will also be a gradual change in terms of enforcement of the GDPR. We already saw in 2022 in the matter of Google Analytics that supervisory authorities across Europe classify specific tools and processing activities as violating data protection regulations and demand the halt of their use,” adding: “It will only be a matter of time before supervisory authorities increasingly use the instruments available to them under Article 58 of the GDPR to (temporarily) prohibit processing and transfers and order the deletion of data. Since this has an immediate effect, it has the most significant impact and intensity of intervention. Due to the legal vulnerability of such decisions, the authorities have rarely used them. However, this will change.”
And in terms of damages under the GDPR, we will most likely see landmark rulings this year increasing litigation risks, so companies should be alert. Dr Frank Schemmel predicts: “2023 will also be an exciting and revealing year in claims for damages. There are currently more than a dozen cases from various European countries before the CJEU, which will set the course for this year.” So how can an organization prepare and avoid such fines and litigation? Tobias Neufeld, Partner at ARQIS and one of the thought leaders in the field of Digital Ethics, suggests the following when asked about his 3 tips:
- “See privacy compliance holistically, as part of your overall information security scheme, including cyber-defence.
- Have a plan (DPMS) and monitor implementation progress.
- Manage your interfaces (processors) and take TOM auditing seriously, also with affiliated companies.”
Asked the same question, Carlo Piltz has three similar tips to avoid fines and litigation:
- “Know your data flows: here, a good record of processing activities and a clear internal structure of the data protection management helps.
- Take the rights of data subjects seriously: clear guidelines and internal processes, but also training of employees, also help here.
- You may take risks, but always with sufficiently qualified argumentation and documentation: in case of an audit by a supervisory authority, only arguments count.”
Preventative measures are crucial, but having procedures in place for the event that your organization does face enforcement or litigation is equally essential.
According to Tobias Neufeld, good stakeholder crisis communication “follows a general plan that you have set up for any such events”. Dr Frank Schemmel adds: “You cannot prepare for every situation, but you should have a general plan ready to hand that contains an outline of parties and departments to be involved, underlying responsibilities as well as a communication guideline including snippets of statements for shareholders, the media and public.”
Respecting Consumer Privacy: A Matter of Trust
In 2023, companies also need to focus more on how to protect consumer privacy. In the era of digitisation and as the data economy is no longer a mere hype but the driver of change and innovation, data has become the “new oil” or “most important asset” for digital business models. But consumers only provide their personal data if there is mutual trust. And “there is only trust where there is transparency and security”, says Dr Frank Schemmel. So, focusing on maintaining consumers’ trust by holistic privacy management should be a key topic in 2023 for all companies with a digital footprint.
Speaking of trust, various studies in 2022 have once again revealed what we at DataGuard have also been observing in our daily practice for a long time: “Transparency is an essential element of trust, and consumers value transparency as the most important thing organisations can do to build and boost trust when it comes to dealing with their personal data” is the key takeaway by Dr Frank Schemmel, adding “it’s all about the ‘Privacy Paradox’ and how to cope with it from an organizational point of view.” But what are the most common concerns of today’s consumers from a privacy perspective? How do consumers feel about privacy, and how can companies gain consumer trust on data privacy?
“The key concern,” says Tobias Neufeld, “is how consumers (basically all holders of personal data) can trust organisations who want their data. This is foremost a question of lack of transparency on the processing that is being requested, on the purposes and the data stakeholders involved. Without proper information, there can be no proper consent which impedes trust. A lack of trust, in turn, means less engagement and loyalty, which is the opposite of what companies want with respect to their customers.”
At the same time, major data scandals, such as the massive data breach at Uber, also made headlines worldwide and shook consumers’ confidence in the secure and lawful handling of their data in 2022, and data breaches as well as cyber threats will continue to impact trust this year. Obviously, there is no quick fix when it comes to building and, more importantly, retaining consumer trust.
However, there are golden rules for businesses to meet their consumers’ increased privacy expectations. Digital Ethics expert Tobias Neufeld advises:
“Put consumer privacy higher up on your agenda, don’t just treat GDPR rules as part of your organisation’s compliance obligation but as an added value to your offering to the market. Your KPIs for this are privacy by design and default; if you don’t have anything to show in this respect, you are likely not doing enough. Another building block is to go beyond mere privacy laws compliance and make digital ethics part of your values and governance. Corporate digital responsibility, also as part of ESG, is the next potential USP of companies in the digital world.”
But where to start, many organizations might wonder. The bad news: there is no one-size-fits-all solution. However, when asked about the one tip he would give a business looking to build trust with consumers regarding data privacy, Tobias Neufeld answers, and we agree with him: “Make your privacy notice worthwhile, do more than the bare minimum. This is your key privacy interface with customers, employees, and suppliers and there is so much potential for content (transparency) and design/display.”
Dr. Carlo Piltz, Lawyer, Partner at Piltz Legal
Dr. Carlo Piltz is a partner of Piltz Legal, a Certified Data Protection Officer (TÜV®) and a Certified Information Privacy Professional/Europe (CIPP/E). He advises national and international clients on issues of data protection, IT security and IT law, both in daily business and in complex cases and contract negotiations. In addition, he is an external data protection officer. Dr. Carlo Piltz was invited as an expert to the respective parliaments for both the new version of the Federal Data Protection Act and the Berlin State Data Protection Act. He is part of the editorial board of the journal "Privacy in Germany" (PinG) and, since 2019, chief editor of the journal "Datenschutz-Berater". In addition, he runs the blog "De Lege Data" on data protection law issues and developments (www.delegedata.de) and has numerous publications to his name.
Tobias Neufeld, LL.M. (CIPP/E, CIPM)
Tobias Neufeld is a data lawyer with more than 20 years of experience, assisting domestic and international clients in challenging data and digital projects, focussing on HR data, HR data analytics and related AI projects. He is a partner at big law boutique ARQIS and the co-founder of b.yond, a digital-ethics consultancy firm. He is a visiting lecturer at Münster University and the University of Zurich.
Dr. Frank Schemmel, CIPP/E, CIPP/US, CIPM, CIPT
Dr. Frank Schemmel, CIPP/E, CIPP/US, CIPM, CIPT, has supported DataGuard since 2018 in various management positions (incl. Head of Privacy) and is currently responsible for the company-wide content and strategic design as well as optimization of the DataGuard service lines "Privacy" and "Compliance", a hybrid model of first-class consulting and support through self-developed, scalable software solutions. As a certified Data Protection Officer (TÜV) and Compliance Officer (Univ.), he advises on all topics of data protection, IT security and general compliance. Before joining DataGuard, he worked for Allen & Overy LLP for five years in the area of data protection and employment law as a consultant and legal project manager. He regularly publishes in relevant media and shares his experience as a lecturer at universities (Duesseldorf, Augsburg), conference speaker (euroforum Datenschutzkongress, bitkom Privacy Conference, IAPP Data Protection Intensive: Deutschland) and webinar host.