Written by Steven Roberts
Friday, 28th January is World Data Protection Day. In recent years, we have witnessed a substantial increase in the profile and awareness of data privacy, both within the business community and the general public.
In particular, the introduction of the General Data Protection Regulation (GDPR) in 2018 marked a defining moment, as it sought to harmonise privacy laws across the European Union.
Ireland has been at the forefront of these changes, with the Data Protection Commission taking a lead role in policing some of the world’s biggest technology firms, many of whom have their European headquarters in Dublin.
Ireland’s privacy community is also very active; the country recorded the third highest number of data breaches per 100,000 population during the period from 25th May 2018 to 27th January 2021.
As we begin a new year, it is timely to consider some of the privacy challenges that lie ahead in 2022.
A baseline on fines
The GDPR caught the eye of many businesses due to the scale of potential fines: up to 4% of global turnover or €20 million, whichever is the greater. Yet much uncertainty remains for businesses and management boards as they seek to manage this risk effectively.
We have seen eye-watering fines across the EU for several large technology firms, including €746 million for Amazon, €225 million for WhatsApp and €50 million for Google. Alongside this, there have been much lower fines for smaller businesses and institutions.
An effective baseline has yet to be reached, and there remain variances in how different EU supervisory authorities approach fines. For example, Ireland’s Data Protection Commission (DPC) was required to substantially increase its proposed fine for WhatsApp from €50 million to €225 million following feedback from its European counterparts.
Lack of consistency
The GDPR sought to provide a consistent approach to data protection throughout the EU. Whilst that ambition remains, much work is still required. There remain substantial variations across EU countries, particularly in the GDPR’s interplay with other privacy laws.
Website cookies offer a clear example. These small text files stored on an individual’s computer allow a website to keep track of a person’s preferences, and are a fundamental component of online advertising.
While the GDPR governs personal data, the privacy of online communications and the use of cookies are covered by another European law, the ePrivacy Directive. The latter has a slightly different interpretation as to what constitutes consent.
The EU is currently working on an updated law, the ePrivacy Regulation. In the meantime, individual EU countries have introduced their own guidelines on cookies; the DPC issued its document in April 2020.
The result is that a company with operations in Ireland, Germany and Spain has to take account of subtle differences of interpretation in order to remain compliant in each jurisdiction.
A similar issue surrounds marketing to business contacts. In Germany and The Netherlands, marketing to a work email requires the prior consent of the individual. In Ireland and the UK, a slightly more relaxed approach operates, where companies can opt out of receiving such correspondence.
Increased global complexity
The GDPR has sparked a wave of similar legislation internationally as countries around the globe seek to strengthen their privacy laws.
Recent examples include China’s Personal Information Protection Law (PIPL), which came into effect last November, and Brazil’s General Data Protection Law.
In the USA, a federal law seems unlikely at present; however, states and jurisdictions have implemented their own local legislation. The most well-known is the California Consumer Privacy Act (CCPA), which mirrors many aspects of GDPR.
For businesses trading internationally, this has resulted in increased complexity as compliance and legal teams seek to comply with these various laws whilst also adhering to the GDPR.
It is likely that this complexity will increase rather than decrease in the coming years as consumer concerns grow in response to data-using technologies such as artificial intelligence and machine learning.
International data transfers
Substantial changes are ongoing in the area of international data transfers. In July 2020, the European Court of Justice ruled invalid the Privacy Shield, an EU-US framework for sharing personal data.
Efforts are ongoing to develop a replacement. Many businesses, particularly small and mid-sized firms, have chosen another mechanism, Standard Contractual Clauses (SCCs). These clauses can be dropped into a contract with an international supplier, providing compliance with the GDPR.
The European Commission introduced new SCCs in June 2021, leading to significant re-papering of contracts. However, in what is a very fluid area, the European Data Protection Board (EDPB) has indicated that a further set of clauses will be needed for transfers to data importers outside the European Economic Area who are already subject to the GDPR.
Multinationals and large indigenous firms will have the scale and resources to effectively deal with this complexity. However, it creates a considerable barrier to business for many smaller companies seeking to develop internationally or to work with non-EU suppliers.
Conclusion
Data has been labelled the ‘new oil’ by some commentators; it underpins much of our modern economy.
It is clear that technologies such as artificial intelligence and machine learning will place increasing pressures on how countries effectively regulate the use of personal information. Consumer fears over the use of personal data are likely to grow in tandem with this development.
As we enter a new year, governments and legislators must walk a tightrope. The use of personal data must be effectively regulated, assuaging apprehensions amongst the general population. Yet in doing so, they must avoid creating such complexity that innovation and business growth are stifled.
Data protection and privacy are fundamental rights, yet they are not absolute and must be treated in the context of other rights and considerations. How our lawmakers navigate this challenge will be one of the central concerns of this decade, and beyond.
About the author
Steven Roberts is the author of Data Protection for Marketers: A Practical Guide, published by Orpen Press. A certified data protection officer, he is vice-chair of the Compliance Institute’s Data Protection and Information Security Working Group. He is head of marketing at Griffith College.
