IAPP Europe Data Protection Congress 2022, Europe’s #1 gathering of data protection professionals, returned for its 11th year in Brussels last week. High-profile experts led discussions on strategic developments in regional and international data privacy. Milda Šlekytė, data protection expert at ECOVIS ProventusLaw, participated in the congress and prepared a brief summary of the most important topics covered by different experts.
Artificial intelligence
Artificial intelligence (AI) is, on the one hand, part of evolution; on the other, it raises many issues. The new EU data regulation – the Data Act, Digital Services Act, Digital Markets Act, Data Governance Act, and AI Act – is upcoming and brings a lot of homework for lawyers, companies, and EU Member States. For example, the Digital Services Act will require online intermediaries to amend their terms of service, handle complaints better, and increase their transparency, especially regarding advertising. Providers of online platforms and search engines will be required to publish information on the usage of their services (Statement) on their website, with an initial Statement to be posted by 17 February 2023 at the latest. Small enterprises will be exempt from this obligation; however, they will still need to compile the information to be provided to the EU Commission and a new regulatory body, the “Digital Services Coordinator,” upon request.
The ethics of AI is one more important topic for many researchers, experts, tech companies, and politicians. At the forefront of this discussion are questions about transparency, accountability, and how AI will interact with human society as a whole. To avoid the pitfalls that befell other inventions in the past, such as nuclear weapons or chemical fertilizers, there needs to be a clear understanding of the limits of technology. However, there are still no final answers on this topic, as they are probably difficult to find. Still, we all have to know that soon it will be very hard to separate real content from synthetic content online, so such discussions and regulations are more than necessary.
Data transfer to the USA
The new EU – US data privacy framework and the next steps for data transfers were also an important topic during the IAPP Europe Data Protection Congress 2022. While politicians, lawyers from different institutions, and other representatives of government bodies say that this time the data transfer mechanism will be suitable and sufficient, Max Schrems is again thinking about challenging it because of the following key areas of concern:
- Applying a correct proportionality test on US surveillance law under Article 8 of the Charter of Fundamental Rights of the European Union (CFR). According to noyb.eu, the fact that negotiators do not plan to seek amendments to US statutory law in relation to material surveillance, but instead plan to replace Presidential Policy Directive 28 on Signals Intelligence Activities with a new executive order that would include the words “necessary and proportionate”, is not enough,
- Creating meaningful judicial redress under Article 47 CFR – according to noyb.eu, the plan for the US executive to form a new “body” within the executive branch to deal with potential violations of US law and executive orders is not compliant with Article 47 CFR, as the new body will be part of the executive branch with “limited independence”,
- The need to update commercial privacy protections – noyb.eu raised concerns that there are no planned updates to the Privacy Shield Principles, which noyb.eu states “is hugely problematic”, as the principles are not in line with the GDPR requirements. You can read more about all of the concerns here.
It seems that we will probably have a Schrems III decision if the approach stays the same. However, it may not happen, as we have to wait and see the final EU-US agreement and the next steps of M. Schrems. Meanwhile, companies transferring data to the US or any other third countries shall follow the strict requirements, such as knowing your transfers, verifying the transfer tool your transfer relies on, assessing data transfers to third countries, identifying and adopting supplementary measures, etc.
Cookies
Different data protection authorities are issuing their opinions or guidelines on cookie compliance (opinions from the Italian, Irish, French, and Spanish DPAs on cookie compliance, the Lower Saxony DPA on cookie consent requirements, guidelines on Google Analytics by the German DPA), different decisions are being made by courts (CJEU – Judgement from 1 October 2019 – C-673/17 (Planet 49), German Supreme Court – Judgement from 25 May 2020 – I ZR 7/16 (Planet 49), etc.), and multiple fines have been issued regarding the use of cookies. The topic is trendy and relevant for many companies. The recommendations are known to almost everyone (consent before using cookies, clear affirmative action, the time limit for consent, transparency, documentation of consent, etc.).
However, many companies still face problems with the use of cookies, especially with Google Analytics. We all have to remember that it is crucial to carry out cookie audits on a permanent basis and to cooperate with all departments of the company. During such audits, you could see that two similar cookies are doing the same thing, and one is not necessary at all. Also, as the market offers different products in place of Google Analytics, companies could consider those solutions instead.
Personal data and technologies in sports
The 2022 World Cup is the biggest sporting event in the world, attracting many people from all countries. The organizers and FIFA seek to improve football fans’ experience both on and off the pitch. The use of technology is a part of our daily life; however, with such use of technologies, we face another issue – the proper use of personal data. Sports performances, connected stadiums, anti-doping tests, sports licenses, and sports betting are all activities that lead sports federations, clubs, broadcasters, betting operators, and other private companies to collect, use, control, and sometimes even monetize sports data. Also, biometric data could be used to analyze the performance of the athletes, and biometric data of fans could be used to register them, watch them, etc. As we can see, personal data, technologies, and sports are closely related, and because of that relation, sports clubs and sports event organizers have to be careful when dealing with personal data. All sorts of personal data processing must be lawful, the necessary consents shall be collected, privacy notices shall be provided, the solutions used shall be tested before they are put into use, and sufficient data security shall be guaranteed.
All in all, we all have to remember that when we talk about privacy, it is not only a right written in legal acts. GDPR does not create it. According to one of the speakers at the congress, Alessandro Acquisti, Professor of Information Technology and Public Policy, Heinz College, Carnegie Mellon University, we instinctively want our privacy in our bedroom (by drawing curtains to ensure it), and we instinctively leave a group of people to take a personal call. The right to privacy comes from different cultures and different religions through the centuries.
The International Association of Privacy Professionals (IAPP) is the largest and most comprehensive global information privacy community and resource. Founded in 2000, the IAPP is a not-for-profit organization that helps define, promote and improve the privacy profession globally.
The content of this article is intended to provide a general guide to the subject matter. An expert should be consulted for the assessment of a specific situation. If you need assistance in matters related to personal data protection, please consult the experts of ECOVIS ProventusLaw.
This review was prepared by internationally certified ECOVIS ProventusLaw data protection expert, senior associate Milda Šlekytė.