Happy birthday, GDPR – five lessons from five years of EU data protection law

Allen & Overy LLP

In the five years since the European Union’s General Data Protection Regulation came into force, what have been the main learnings for business, and what will the future hold?

On 25 May 2023, the European Union’s General Data Protection Regulation will have been in force for five years.

It may not be an occasion that you mark with cake and candles, but for those of us in the data protection world it is an important anniversary and a moment to reflect on the huge changes that this landmark legislation created.

So what have we learned over the past five years?

GDPR made the European bloc a leader in digital policy and gave citizens expansive rights as to how their data was used, but its implementation has been - and still is - a long and sometimes challenging process.

When it came into effect in 2018, many businesses struggled to understand what was required and how they needed to change. Regulators responded by providing guidance and collaborating with businesses to help them understand what was expected of them. By 2020, the gloves were off and we entered a new era of enforcement with multi-million euro fines issued to international companies.

Over the past five years organisations have developed a much more sophisticated understanding of the field of data protection. Many now understand the benefits of looking after their data, including measures that demonstrate their accountability, such as privacy management programmes. Companies have also stepped up their investment in this area and it is now a board-level issue at many organisations.

But while understanding of the GDPR has improved, key issues around its interpretation and application are far from settled. The past five years have illustrated that data protection in Europe is a dynamic area requiring companies to be nimble, understand the EU and local context and have robust strategies in place.

On GDPR’s fifth birthday, we round up some of the big lessons we have learned from the first five years of implementation to help companies tackle the next five years:

Be willing to adapt

When GDPR was introduced many companies assumed that they could create a privacy policy, file it away and then largely forget about it. In reality, GDPR is constantly evolving.

We see new technologies, such as artificial intelligence, emerging, new guidance being issued on a national and EU level and new data protection cases hitting the courts. It means that companies need to be ready to adapt their policies and governance on an ongoing basis.

One clear example of how GDPR has evolved is in the area of data transfers.

Back in 2018, companies had a level of stability in how they moved data between the EU and US. Many companies relied on the transatlantic ‘Privacy Shield’ agreement as a legal basis to transfer data. Others relied on the European Commission’s standard contractual clauses (SCCs) as the legal basis to transfer data to the U.S. and other third countries.

That all changed in July 2020 when the Austrian privacy activist Max Schrems won his court case at the European Court of Justice (ECJ). The ruling invalidated the Privacy Shield agreement and provided further binding case law on how companies assess the impact of national security laws in third countries when using SCCs. For the past three years companies have faced much uncertainty about how to safely and legally transfer personal data to the US and compliance costs have increased significantly.

For the past three years, the U.S. Government has been negotiating with the European Commission the terms of a new framework to replace the Privacy Shield. On October 27, 2022, President Biden signed an Executive Order that will hopefully lead to a new EU-US privacy framework. The new arrangement addresses the two main issues raised in the ECJ ruling: national security data collection and redress mechanisms for EU residents.

The European Commission, together with the member states and data protection authorities including the European Data Protection Board, will proceed to assess and approve the new framework. The U.S. will establish a new Data Protection Review Court to ensure compliance by agencies and companies, and update the privacy principles under the new arrangement.

It is unclear how long these processes in the EU and US will take, but we are hopeful that U.S. and European governments will reach a new agreement on data transfers within the next few weeks. Max Schrems has also indicated he will challenge the new proposed legal framework in the EU courts.

Even if the new framework is passed it will likely come under legal scrutiny by the ECJ. This serves to illustrate how even GDPR issues that appear to be settled can and do change. We expect this to continue as new technologies become more widely adopted in the years to come.

As such, companies need to similarly keep an eye on how the privacy landscape is evolving and be nimble in adapting their own policies and governance.

Take note of the local context

When GDPR was first introduced, many business leaders hoped it would provide a consistent and harmonised approach to data protection across Europe.

In many ways, it has achieved this. Businesses now have more clarity about what is expected of them, particularly when it comes to being transparent around how data is used and what customer consent is needed to collect personal data.

But there is still a great deal of nuance in the way that different national data protection authorities interpret the GDPR, investigate breaches and identify emerging themes. It means that we see many different ‘flavours’ of GDPR across the bloc.

For instance, local regulators in Germany, Spain, France and Belgium regularly issue their own guidance on specific GDPR topics. In Luxembourg and Ireland, by contrast, the regulators have taken a more hands-off approach, seeking guidance at European level from the Data Protection Board.

Different regulators also have different priorities for the coming years. In Belgium, the regulator is focused on the use of biometric data by employers. In France, the regulator is looking at data collection through smart cameras in the lead-up to Paris hosting the Olympic Games in 2024. And, at a European level, the authorities are prioritising compliance with the rules on data protection officers.

These nuances in local GDPR interpretation mean that companies need to work with advisers who have a good grasp of the distinct local context of each European jurisdiction as well as broader EU initiatives in order to understand what is expected of them.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Allen & Overy LLP | Attorney Advertising
