As we await the EU Commission’s review of the general data protection regulation (GDPR), let’s take a look at five data protection trends for 2020.
DPAs to increase GDPR enforcement
Since the GDPR came into force on 25 May 2018, Europe's data protection authorities (DPAs) have had few qualms about enforcing the GDPR: audits have been carried out, warnings have been issued and fines imposed in ever increasing amounts, including penalties of tens of millions of euros.
However, some DPAs claim that, so far, they have focused on implementation, raising stakeholders’ awareness and working with organisations on GDPR compliance. In other words, DPAs have yet to deploy their full enforcement capacities. But the coming year will likely see them get closer to doing so.
Some DPAs have adopted instruments to facilitate enforcement activities: the German (PDF) [in German] and the Dutch (PDF) [in Dutch] DPAs have published their fining model, and the European Data Protection Board (EDPB) is working on harmonised fining guidelines.
Others have already said they intend to intensify their interventions, including the UK DPA, which made clear it will use new powers, intelligence and resources to take robust action against non-compliant organisations.
Private actions to rise
The European Commission has claimed that the GDPR has made EU citizens increasingly aware of data protection rules and of their rights.
Facing more and more complaints, DPAs will have come to the same conclusion: the UK DPA received 41,661 data protection complaints (PDF) (a rise of 50 per cent) in 2018-19, while in 2018 the French DPA received 11,077 complaints [in French] (a rise of 32.5 per cent).
This increased awareness has led to not only more DPA interventions but also a rise in civil proceedings, which will probably increase further.
Under the GDPR, data subjects have a range of ways of seeking redress. They can turn to the DPA and the courts in parallel or they can also go to court after having complained before the DPA.
Furthermore, data subjects may act individually or by joining a group litigation, the latter being incentivised by emerging privacy consumer groups. For example, in Austria, in addition to individual claims, a mass claim lawsuit is being prepared by a well-known organisation that specialises in such proceedings.
This trend of GDPR-related civil claims is, however, emerging EU-wide. In many member states, such as France [in French] or the UK, organisations thus face both regulatory fines and civil claims.
These risks may become even more significant when the EU adopts its draft directive on representative actions for the protection of the collective interests of consumers.
Ad-tech issues to be at the heart of the discussion
Ad-tech issues will continue to be the subject of guidelines, complaints and court decisions.
Many DPAs have already adopted guidance relating to cookies or other trackers, such as in Germany, where many DPAs [in German] have released statements concerning Google Analytics and other trackers following the ruling of the EU Court of Justice on the storage of cookies.
More guidelines are to come. France has an action plan relating to online targeted advertising for 2019-20. And the French DPA is about to publish a recommendation relating to the operational aspects of collecting consent, following its guidelines on cookies issued in July 2019.
In parallel, enforcement actions are expected. The Dutch DPA [in Dutch] has already announced that it will investigate whether cookies are being used lawfully.
Courts will also have their say. In the the UK and France [in French], consumer groups have started group litigation against Google and its targeted advertising practices.
DPAs to prioritise the protection of children’s data
Firmly on the agenda of multiple DPAs, children’s data will definitely be an important topic in 2020.
The UK DPA explicitly stated in its GDPR: One year on (PDF) report that children’s privacy is one of its regulatory priorities for the new year and has published its code of practice for age-appropriate design.
Likewise, Ireland's DPA, which ran a public consultation on the processing of children’s data and the rights of children, will probably issue a definitive stance following its preliminary report on Stream I (adult stakeholders’ views). It has also made the special protection of children’s data a key objective, as set out in its consultation on regulatory strategy for 2020-2025 (PDF).
At EU level, interest has also been shown and the European Data Protection Board (EDPB) has already indicated (PDF) that it plans to adopt guidelines on children’s data during 2020.
Data subject rights to be further strengthened
Both the EU and member states are looking to further strengthen the rights of individuals.
For example, the EDPB:
- held a stakeholder workshop in November 2019 to gather feedback on its draft guidelines on data subject rights relating to access, rectification, erasure, restriction of processing and objection; and
- has published guidelines on the criteria of the right to be forgotten for public comments.
Meanwhile, the UK DPA has launched a public consultation on its draft guidance (PDF) on data subject access rights and the Belgian DPA has made data subject rights a priority for its 2019-2025 strategic plan (PDF) [in French].
For further information on GDPR issues, please see our chapter in the the Global Data Review Insight Handbook 2020 on data privacy in the European Union.
