Stay Tuned Newsletter – what to expect in terms of content? With this example of a Stay Tuned Newsletter, you can discover it here. All our Stay Tuned Newsletters are written in English.
In addition to our Stay Tuned News video bulletin, this newsletter focuses on trends and developments in data protection land. This edition highlights the the Schrems II trend we’re seeing in authority decisions and looks at which authority might be taking on a leading role in Europe. We close the newsletter with a couple of useful resources that we ran into this month. Enjoy!
Authority New Years’ Resolution for 2022: enforce Schrems II
Authorities in Europe have made plans for this year like everyone else and if the first weeks of 2022 are any indication, enforcing Schrems II more strictly is on top of the list. The Austrian data protection authority took the world by storm with their decision effectively banning Google Analytics. The EDPS also joined in by reprimanding the European Parliament for their use of, among other things, Google Analytics on a COVID page for staff. And just on the verge of 2021, a court in Germany imposed a transfer ban on the Danish company Cookiebot, which used a US sub-processor (Akamei) without conducting the required Transfer Impact Assessment (TIA).
As a DPO, we often find that organizations would rather wait for Privacy Shield II (PSII) than actively seek solutions to their Schrems II concerns. However, recent publications of meeting minutes between Didier Reynders’ cabinet and both Google and Facebook make it clear that we should not expect PSII any time soon.
Time to look for sustainable solutions instead of burying the head in the sand. When an organization relies on US based cloud providers there are basically two options: start working on those Transfer Impact Assessments (TIAs) and look for “supplementary measures” that fulfill the Schrems II criteria, or look for European tools that can replace their US counterparts. While the latter may not be the most popular choice, it may well turn out to be more future proof. Time will tell.
Keep in mind: as authorities step up their enforcement actions this is the time to shine for a DPO by providing guidance for your controller that will help them avoid transfer bans or fines. After all the Belgian DPA also has four NOYB complaints in the pipeline that could lead to the same outcome as in Austria at any moment.
Which data protection authority will be Europe’s leader?
For a long time there was one authority in Europe that stood head and shoulders above the rest in terms of budget, fines, staff numbers and the quality of the guidance they published: the British ICO. Much of their guidance will still be very useful in the coming years but as they are no longer part of the EDPB and the UK GDPR is facing major changes, the relevance of the ICO will slowly diminish. Which authority will take its place?
« Make way for the CNIL », they must have thought in France and not entirely without merit. Since German authorities are fragmented per state and therefore by definition much smaller, there is room for the CNIL to take a leading role and they know it. Both in terms of fines, recently 210 million for Facebook and Google, and in terms of guidance the CNIL stands out. In the latter category, they recently published the RGPD Development Guide (new version in FR, previous version in EN) and guidance on the reuse of data by processors (FR). Interesting guidance, and in Belgium we may be able to handle French, but the CNIL knows that there is a need to communicate in English more often. And so more recent guidance is available in English, such as their cookie guidance, and blog posts about fines are also increasingly in English such as the latest one (300k fine for FREE mobile) in January.
However, there might yet be a challenger: the AEPD. Proud owner of the high score in the number of fines issued. Their decisions are exclusively in Spanish, but recently the AEPD has also been issuing more guidance in English. For example, on anonymization and pseudonymization, and their series on encryption and privacy.
Our own GBA, despite notable firsts in adopting codes of conduct, will not be able to pose a challenge, and neither will the Dutch AP. Another party you would expect to see in this list, Italy’s Garante, barely has an English site and clearly doesn’t seem to aspire a leading role in Europe.
Be that as it may, we as DPOs can only benefit. Privacy is a field in which there is still plenty to discover and all guidance and interpretations are welcome.
We finish off this newsletter with a couple of interesting resources worth checking out:
- DPIA template Vlaamse ToezichtCommissie (NL): https://overheid.vlaanderen.be/sites/default/files/media/VTC/VTC_O_2021_09_sjabloon_GEB_20211214_1.docx?timestamp=1641465834
- A legal study conducted for the EDPB on government access in Russia, China and India (spoiler: not Schrems II compliant): https://edpb.europa.eu/system/files/2022-01/legalstudy_on_government_access_0.pdf
- CJEU factsheet data protection presents an excellent overview of data protection cases including a summary per case (link to EN version, but also available in NL and FR): https://www.echr.coe.int/Documents/FS_Data_ENG.pdf
Stay Tuned, Stay Safe!