On 26 April 2006 the Council of Europe decided to launch a Data Protection Day to be celebrated each year on 28 January, the date on which the Council of Europe’s data protection convention, known as “Convention 108”, was opened for signature. That was first legally binding international law in the field of data protection. Data Protection Day is now celebrated globally and is called Privacy Day outside Europe.
Since Convention 108 – that has been adopted already in 1980 – Europe has been trendsetter of privacy regulation. And General Data Protection Regulation (GDPR) was turning point that attracted attention far beyond borders of European Union. Public and regulatory interest in data protection issues has increased significantly over the last few years. And with each big data breach or data misuse it grows just bigger.
So far already 107 countries have put in place legislation to secure the protection of data and privacy. Data protection is not just European thing – Asia and Africa show a similar level of adoption of privacy laws, with less than 40 per cent of countries having a law in place. Also, in US data protection laws have been introduced in many states, and federal law is under serious discussion, too.
What to expect in 2020?
Increased GDPR enforcement
European Union (EU) regulators will ramp up GDPR enforcement across the board, and with a particular focus on AdTech, cookies, and children’s data. So far EU data protection regulators have imposed €114 million in fines under the GDPR regime for a wide range of GDPR infringements.
Future of ePrivacy Regulation is still unknown. Most probably it will either move forward under Croatian presidency, or be withdrawn altogether. At the same time, EU regulators are looking deeper into cookie compliance. Guidance on cookies was issued by UK, French, German and Spanish regulators, and the Court of Justice of European Union (CJEU) delivered its judgement in Planet49.
Adtech has attracted attention of data protection authorities already in 2019, and regulators will focus on this area even further in 2020. Big players are adding push on adtech industry, too. For example, Google announced that it will phase out third-party advertising cookies over the next two years.
Last year was the year of facial recognition, with lots of press attention around its use in policing as well as by corporations. There are significant advantages to biometrics, such as security, but there is also a lots of privacy challenges associated with use of the technology. EU is already considering possible ban on facial recognition tech in EU.
AI and new technologies
Legislators and regulators are looking to take concrete measures on AI and new technologies. For example, European regulators are working toward a unified approach to regulating big tech companies’ voice assistant programs.
International data transfers
We’re waiting for Court of Justice of the European Union decision regarding validity of standard contractual clauses (SCCs) to legitimise transfers of personal data outside the EEA. SCCs will likely have to undergo major reform to escape the same fate as the now-defunct Safe Harbor Framework. Also, the European Commission (EC) intends to issue an adequacy decision for the UK by the end of the transition period (31 December 2020) which would allow data flows from the EEA to the UK to continue uninhibited too, but this is a fairly ambitious deadline.
What to do?
It is evident that data protection and privacy issues will remain in focus of both regulators and consumers. There is no way around it so the best approach is to integrate privacy in into daily business practices and try to find competitive edge. Consumer trust is becoming even more important. It can be a key differentiator for companies, especially those engaging with new and emerging technology.