Data Protection Regulations in Europe Set to Tighten in 2020

European leaders are pushing the tech industry to tighten the bolts of data protection laws in EU member states, with European Commission head Margrethe Vestager demanding stronger enforcement of General Data Protection Regulation (GDPR) policies.

Fines for violations have already cost companies operating in Europe more than €146 million within the first two years of the legislation.

Google received a €50 million fine in January 2019, the largest penalty so far. However, that figure may soon be exceeded, as stiffer rules are in place and, over the second half of 2020, sights are set on targeting social media platforms.

Other companies hit by data protection penalties include Italian telecom provider TIM, with a €27.8mn fine from Italy’s DPA, and Germany’s 1&1 Telecom, with a $10.8 million penalty in December 2019 for failing to secure sensitive client data.

Austrian Post got a $20.4 million fine and German property management firm Deutsche Wohnen SE a $16.8 million fine. They were collecting data on tenants without providing an opt-out option.

Hotel chain Marriott and British Airways are currently facing fines that dwarf Google’s penalty payout. Marriott may have to pay a $123mn fine for a data breach in 2018. British Airways could end up paying $230mn for a data leak in the same year.

“Digital sovereignty” is the new buzzword as new rules are about to come up for the Digital Services Act, tightening the screws on the ways companies obtain consent from customers, especially in interactions with online users, as well as redefining the boundaries of hate speech and other legal requirements governing online content.

EU regulators hope that bringing more countries under the GDPR umbrella will make it easier for individuals in European states to understand their rights and file complaints when companies are compromising their privacy.  

EU A Major Influencer

The European Commission's drive to bolster data protection has also spurred Australia, Brazil, Canada, India and numerous US states, with California leading by example, to implement more of their own data protection regulations and governing bodies and to pass new bills and laws.

Britain Still Bound by EU Regulations After Brexit

Even though the United Kingdom officially left the EU at the end of January 2020, businesses in the British Isles still have to abide by European data protection regulations. However, ePrivacy Regulations that were initially supposed to be implemented in 2017 to support GDPR laws are yet to be pushed through by legislators.

The ePrivacy regulations are under discussion with the aim of regulating the way companies obtain user information, first through website ‘cookies’, and second, how they use this information to target demographic segments, mainly for advertising purposes. However, in the quickly evolving digital world, keeping up with technological advancements is tough. In fact, the Permanent Representatives Committee of the Council of the European Union voted down the ePrivacy proposal in late 2019, delaying any potential implementation until after 2020.

Third Party Data Transfer Still Under Fire

Facebook has been in the spotlight of the data protection quagmire for more than five years, after Austrian privacy advocate Max Schrems filed a complaint with the Irish Data Protection Commissioner in 2015.

The crux of the issue is a challenge against Facebook Ireland using contractual clauses to transfer personal data to US-based Facebook Inc., a third party. Schrems claims that the standard contractual clauses fail to meet EU standards of data protection.

Article 46 GDPR is the legislation under fire, which states: ‘a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards and on condition that enforceable data subject rights and effective legal remedies for data subjects are available’.

So far, the Advocate General to the Court of Justice of the European Union (CJEU) has upheld that standard contractual clauses could be used to transfer data between international organisations. However, he has also suggested that clauses should be reviewed case by case. Hence the US is now playing catch-up with the EU and rushing to shore up defenses in anticipation of a flood of more international data protection cases.

Whatever the CJEU ruling on the Schrems claim against Facebook, it will set a new precedent in data protection developments over the next year and beyond, and many more similar challenges will shape the landscape.

Organizations large and small all over the world are affected by the changing regulations. Whether operating locally or internationally, they have to implement their own security measures to protect themselves from data protection legislation and, moreover, to mitigate the risk of penalties before another Schrems puts them in his spotlight.

Intelimasters is a background screening agency, not a law firm. This article is for informational purposes only. Nothing in it should be considered as legal advice. We encourage you to consult with legal counsel regarding your specific business and/or individual needs.

