6 Min

The current state of data privacy

International Data Transfers 

 

Since the CJEU (Court of Justice of the European Union) overturned the then Privacy Shield in its famous "Schrems II" decision on July 16, 2020, the topic of "international data transfer" has been a permanent guest on the agenda of data protection officers and statements by European supervisory authorities. In 2022, the topic has gained particular momentum in several respects. 

 

In March 2022, the EU Commission and the Biden administration announced they had reached an "agreement in principle" regarding a new replacement for the invalid Privacy Shield.

 

Finally, on October 7, the White House released information on the corresponding Executive Order, which would implement the announced agreement in principle on data transfers between the U.S. and the EU into U.S. law.

 

The Executive Order addresses the requirements of Schrems II by, among other things, adapting the far-reaching access to data in the context of national security and the complaint and redress procedure.

 

The legally compliant design of data transfers from Europe to the USA was one of the most frequent, complex, and time-consuming issues that data protection officers in companies had to deal with over the last two years.

 

There is a movement on this issue, as the Commission published its draft version of the upcoming adequacy decision as an early Christmas gift in mid-December 2022, and the work is being carried out at full speed on the new EU-US Data Privacy Framework. So, the agreement is initially welcomed from a data protection perspective.

 

However, until the EU Commission adopts an adequacy decision, which is expected in the first half of 2023, everything has stayed in the current legal situation.

 

Until then, the other possible transfer instruments of Art. 46 GDPR (in particular standard contractual clauses (SCC) and Binding Corporate Rules (BCR)) as well as the exceptional circumstances of Art. 49 GDPR (in particular, consent of the data subjects) must be used - with all the known challenges and disadvantages. 

 

You might also be interested in reading International Data Transfers: 10 Steps for Compliance with EU Privacy Laws.

 

 

Conversion to New Standard Contractual Clauses (SCC) 

In June 2021, the European Commission issued new standard contractual clauses, which have been mandatory for new contracts since September 27, 2021.

 

These new SCCs have a modular structure and now cover all practically relevant data transfer variants without resorting to complicated and partly impractical contract constellations as in the past.

 

In this context, organisations must have converted all old contracts to the new standard contractual clauses by December 27, 2022. In personal discussions, heads of various German data protection authorities have independently assured us that there will be no further extension of the deadline or "turning a blind eye" on their part.

 

Instead, companies that have not adopted old contracts and converted to the new SCCs by the end of December 2022 will face sanctions from the supervisory authorities, as companies had sufficient time for the conversion with one and a half years.

 

Regulatory and Supervisory Initiatives 

In 2022, there were again a large number of regulatory and supervisory measures. Since the Personal Information Protection Law (PIPL) and Data Security Law (DSL) came into force in China at the end of 2021, there are now initial empirical values regarding practical implementation, in particular, data localisation and restrictions on certain data transfers.

 

Major economic powerhouses, like the U.S. or India, are discussing new nationwide comprehensive privacy regulations while the UK is debating significant amendments to the present legal regime. On the other hand, the European supervisory authorities were also very active again regarding fines in 2022.

 

From January to October, they imposed fines of more than 550 million euros, with the Irish data protection authority taking the top spot this year with its 405 million euro fine against Meta in September, the second-highest fine ever imposed since the introduction of the GDPR.

 

In addition, major data scandals, such as the massive data breach at Uber, also made headlines worldwide and shook consumers’ confidence in their data’s secure and lawful handling. 

 

With the rise of social media and online platforms, companies can now connect with customers and users all over the world. But it also made them more vulnerable to data breaches which can damage their brand, reputation and revenue.

 

Data scandals can devastate a company’s reputation –regardless of size.

They have been known to

-Damage your brand,

-Cause consumers to lose trust in your company

-Put employees at risk,

-Cost you money in terms of legal fees, lost business as well as potential fines and damages claims.

 

Trust as a Precious Asset – Privacy as Human Right 

 

Speaking of trust, various studies in 2022 have once again revealed what we at DataGuard have also been observing in our daily practice for a long time: Transparency is an essential element of trust, and consumers value transparency as the most important thing organisations can do to build and boost trust when it comes to dealing with their personal data.

 

In fact, according to Cisco 2022 Consumer Privacy Survey, 89% of consumers said they care about data privacy they care about protecting others, and they want more control.

 

Moreover, 82% of them also said this is a buying factor for them.

 

In this respect, consent and preference management tools can play a vital role in establishing trust in a scalable way as they allow users to decide what processing of their personal data they want – more transparency and control over your data is hardly possible. Therefore, you should consider consent as a verb – not a noun.

 

On the surface, consent and preference management might not seem all that impactful, but it can make a big difference to a company’s financial performance.

 

"We implemented the platform and within 6 weeks had captured consent for over 100,000 passengers with a 68% email opt-in rate." Duncan Waugh, Head of Rail IT at FirstGroup

 

Our experience shows that a large portion of the IT or software budget is spent only on managing internal complexities, such as having a fancy and powerful CRM tool. Instead, valuable resources could be invested in innovation, such as a good consent and preference management solution, resulting in a better product or customer experience and higher productivity as there will be less churn due to higher trust in your brand.

 

Last but not least, the importance of data protection as a human right was highlighted in a report to the United Nations General Assembly in October, describing privacy & data protection as an “increasingly precious asset in the digital era”. Another point of proof is that companies should invest in privacy and compliance solutions.

 

Navigate and Build Your Privacy Roadmap for 2023

Download DataGuard’s Special Report: What to Expect in 2023: Trends and Predictions for Privacy to stay up-to-date with the most recent changes in data privacy and comply with the regulations in a constantly evolving regulatory environment.

In this report, you’ll find:

  • The privacy regulations that you should be aware of in 2023
  • What these developments mean for your business and key dates
  • Data privacy trends and predictions for 2023
  • How you can be proactive: actionable insights for organisations.

The analysis and viewpoints in this report will help you navigate and build your privacy roadmap for 2023 and beyond. 

 

 

What to Expect in 2023_ Trends and Predictions for Privacy 212x234 UK What to Expect in 2023_ Trends and Predictions for Privacy 800x600 MOBILE UK

Privacy trends & predictions - the whole report

Get a copy of the whole report and learn what to Expect in 2023 and which rends and predictions for privacy you should have on your radar in the full version of the expert report.

Get your copy now

About the author

Dr. Frank Schemmel Dr. Frank Schemmel
Dr. Frank Schemmel

Dr. Frank Schemmel, CIPP/E, CIPP/US, CIPM, CIPT, supports DataGuard since 2018 in various management positions (incl. Head of Privacy) and is currently responsible for the company-wide content and strategic design as well as optimization of the DataGuard service lines "Privacy" and "Compliance", a hybrid model of first-class consulting and support through self-developed, scalable software solutions. As a certified Data Protection Officer (TÜV) and Compliance Officer (Univ.), he advises on all topics of data protection, IT security and general compliance. Before joining DataGuard, he worked for Allen & Overy LLP for five years in the area of data protection and employment law as a consultant and legal project manager. He regularly publishes in relevant media and shares his experience as a lector at universities (Duesseldorf, Augsburg), conference speaker (euroforum Datenschutzkongress, bitkom Privacy Conference, IAPP Data Protection Intensive: Deutschland) and webinar host.

Explore more articles

Contact Sales

See what DataGuard can do for you.

Find out how our Privacy, InfoSec and Compliance solutions can help you boost trust, reduce risks and drive revenue.

  • 100% success in ISO 27001 audits to date 
  • 40% total cost of ownership (TCO) reduction
  • A scalable easy-to-use web-based platform
  • Actionable business advice from in-house experts

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • External data protection officer
  • Audit of your privacy status-quo
  • Ongoing GDPR support from a industry experts
  • Automate repetitive privacy tasks
  • Priority support during breaches and emergencies
  • Get a defensible GDPR position - fast!

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Continuous support on your journey towards the certifications on ISO 27001 and TISAX®️, as well as NIS2 Compliance.
  • Benefit from 1:1 consulting
  • Set up an easy-to-use ISMS with our Info-Sec platform
  • Automatically generate mandatory policies
Certified-Icon

100% success in ISO 27001 audits to date

 

 

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Proactive support
  • Create essential documents and policies
  • Staff compliance training
  • Advice from industry experts

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Comply with the EU Whistleblowing Directive
  • Centralised digital whistleblowing system
  • Fast implementation
  • Guidance from compliance experts
  • Transparent reporting

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Let's talk