Privacy 2022: Big Fines & no more US Service Providers? Privacy 2022: Big Fines & no more US Service Providers?

In 2022 the developments in the privacy landscape will keep companies busy. New regulations are already in the pipelines, and recent enforcement activities by European Data Protection Authorities ("DPA") further indicate that regulators will take a more rigorous approach.  

Over the past years, companies have struggled to keep up with the fast-paced data protection developments. 2021 was no different and brought significant changes in the data protection landscape. 

New laws entered into force, a plethora of guidelines have been published and fines were handed out. 

In 2022, companies should brace themselves for this trend to continue. Privacy regulations will proceed to proliferate and new regulations are already in the pipeline. Recent enforcement activities by European Data Protection Authorities ("DPA") indicate that the regulators are broadening their lens. 

When the GDPR was first passed, the potentially hefty fines made headlines. Years later, however, the EU DPAs have been criticized by many for the lack of enforcement.

According to the Strategies for 2022 released by EU DPAs (July 2021), the DPAs indicated that they will more actively enforce the GDPR, esp. focusing on online tracking and international data transfers. 

In 2022 so far, the DPAs seem to stay true to their strategy: the Spanish DPA fined a controller due to unlawful online tracking (EUR 16,000). Only days later, France's DPA fined Google's U.S. (EUR 90m) and Irish operations (EUR 60m), while Facebook Ireland was fined EUR 60m – also for online tracking violations. 

These decisions are followed by another landmark decision by Austria's DPA, in which the DPA has decided in a model case that the continuous use of Google Analytics ("GA") violates the GDPR.

The legal basis for this decision is the Schrems II ruling of the European Court of Justice (ECJ), which concerns the transfer of data from the EU to the US. In said ruling, the ECJ stated that the data transfer to the US is subject to strict conditions. Websites must refrain from transferring personal data to the US if an adequate level of protection cannot be guaranteed.

In this case, an IP address "anonymization" function had not been properly implemented. The DPA found IP address data to be personal data given the potential for the data to be combined "like a puzzle piece" by Google in order to identify a visitor. The IP address has to be anonymized at the client's site when sending the data and not when Google receives the data.

Consequently, the DPA considered the measures implemented by Google to be of little use and not sufficient to comply with the Schrems II requirements, and therefore the standard contractual clauses could not heal the deficiencies. 

A couple of days before the Austrian DPA's decision, the European Data Protection Supervisor confirmed in a similar fashion that the use of GA on the EU Parliament's website was not in line with legal requirements. The Dutch DPA also states that the use of GA may not be permitted in the near future.  

Similar decisions are expected in other EU member states as regulators have cooperated on these cases in a task force. 

These decision sound a loud warning to websites and services subject to the GDPR, having companies scrambling to update their safeguards and documentation. Presently the hurdles for engaging an US provider are high.

It has been 1.5 years since the ECJ invalidated the Privacy Shield. Ever since, the EU und the US have been working on a replacement agreement, intended to facilitate companies' ability to transfer data abroad. 

Meta (Facebook) was apparently interested in a timeline with regards to the Privacy Shield 2.0. According to minutes of a meeting between Meta and the Commission, it was stressed that "the only way to provide legal certainty is to develop a solution that addresses all requirements of the Schrems II judgment, which may take some time”" 

Companies should therefore not hope for a quick solution, but rather implement the Schrems II requirements.

It has been over 3 years since the GDPR entered into force and companies are still attempting to come to terms with it. In Brussels, however, a new wave of laws is already in the works. The most notable ones are the following:

The Digital Services Act and the Digital Markets Act are two proposals that are part of a regulatory package for online environments that aim to create a safer digital space and upgrade the rules governing digital services. 

The Data Governance Act aims, among other things, to increase trust in data sharing and establish trusted data use for research and innovation. The EU Commission also presented the AI Act, which is intended to regulate AI driven products, services and systems based on a risk-based approach. 

Most of these laws interact with the GDPR and add another layer of complexity to the already intricate rules. 

Unfortunately for companies, compliance with the relevant laws is not likely to become any easier in the future.