- Posted by: adminbb
- Category: Data and Compliance, International
European leaders are pushing for the tech industry to tighten the bolts of data protection laws in EU member states, with European Commission head Margrethe Vestager demanding stronger enforcement of General Data Protection Regulation (GDPR) policies.
Fines for data protection violations have already cost companies operating in Europe more than €146 million ($163 million) within the first two years of EU data protection legislation being introduced.
Google was hit with a €50 million ($56 million) fine in January 2019 by French data regulator CNIL – the largest penalty dished out so far. However, that figure is expected to be exceeded soon as stiffer rules are introduced over the second half of 2020 with sights set on targeting social media platforms.
Other victims of data protection suits include Italian telecom provider TIM, which was slapped with a €27.8mn ($31.6mn) fine by Italy’s Data Protection Authority. Germany’s 1&1 Telecom was also forced to pay a $10.8 million penalty in December 2019 for failing to secure sensitive client data such as names and dates of birth.
Austrian Post was fined $20.4 million and German property management firm Deutsche Wohnen SE was fined $16.8 million for collecting data on tenants without providing an opt-out option.
Hotel chain Marriott and British Airways are currently facing fines that dwarf Google’s penalty payout. Marriott may have to pay a $123mn fine for a data breach in 2018. British Airways could end up paying $230mn for a data leak in the same year.
Greece, Portugal and Slovenia have been playing catch-up and are set to close the gap in 2020, bringing most of Europe’s nations in line with the EU’s increasingly stringent GDPR regulations.
“Digital sovereignty” is the new buzzword as new rules are drafted for the Digital Services Act (DSA), tightening the screws on the ways companies obtain consent from customers – especially interactions with online users – as well as redefining the boundaries of hate speech and other legal requirements governing online content.
EU regulators hope that bringing more countries under the GDPR umbrella will make it easier for more individuals in European states to understand their rights and file complaints when their privacy has been compromised.
EU A Major Influencer
The European Commission’s drive to bolster data protection has also spurred Australia, Brazil, Canada, India and numerous US states – with California leading by example – to implement more of their own data protection regulations and governing bodies and pass new bills and laws.
Britain Still Bound by EU Regulations After Brexit
Even though the United Kingdom officially left the EU at the end of January 2020, businesses in the British Isles still have to abide by European data protection regulations. However, ePrivacy Regulations that were initially supposed to be implemented in 2017 to support GDPR laws are yet to be pushed through by legislators.
The ePrivacy regulations are being introduced with the aim of regulating the way user information is stored by website ‘cookies’ and how that information is used to target demographic segments, mainly for advertising purposes. However, in the quickly evolving digital world, keeping up with technological advancements is tough. In fact, the Permanent Representatives Committee of the Council of the European Union voted down the ePrivacy proposal in late 2019, delaying any potential implementation until after 2020.
Third Party Data Transfer Still Under Fire
Facebook has been bogged down in the data protection quagmire for more than five years after Austrian privacy advocate Max Schrems filed a complaint with the Irish Data Protection Commissioner in 2015.
The crux of the issue is a challenge against Facebook Ireland using contractual clauses to transfer personal data to US-based Facebook Inc., a third party. Schrems claims that the standard contractual clauses fail to meet EU standards of data protection.
Article 46 GDPR is the legislation under fire, which states: ‘a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available’.
So far the Advocate General to the Court of Justice of the European Union (CJEU) has upheld that standard contractual clauses could be used to transfer data between international organisations but has also suggested that clauses should be reviewed case-by-case. Hence the US is now playing catch-up with the EU and rushing to shore up defenses, anticipating a flood of more international data protection cases.
Whatever the CJEU ruling for the Schrems claim against Facebook, it will set a new precedent in data protection developments over the next year and beyond, and many more similar challenges will shape the landscape.
Organizations large and small all over the earth are affected by the changing regulations, whether operating locally or internationally, and will have to implement their own security measures to protect themselves from data protection legislation and penalties before being hit by another Schrems.