Data privacy: an evolving field of study

Implementing data privacy can be challenging for an organization. For example, the General Data Protection Regulation (GDPR; known in the Netherlands as the AVG, the abbreviation used throughout this fact sheet) contains many open norms, leaving organizations to rely largely on their own interpretation of its provisions.

January 7, 2021

coauthor: Tessa Janssen

But the field is maturing. People are making higher demands on the protection of their privacy, various standards have been developed for organizations, and additional laws and regulations have taken effect. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, referred to here as the Personal Data Authority) is, as regulator, also increasingly clear about what it expects from organizations. To be well prepared for the future, it is important to identify developments in the field of data privacy early and to act on them. In this fact sheet we outline the current developments within data privacy and predict their consequences for the (near) future.

A higher awareness

All stakeholders whose data are processed, such as citizens, customers and employees, are increasingly aware of the potential consequences of privacy breaches. The general view seems to be shifting from "but I have nothing to hide, do I?" to "what if my personal data is misinterpreted?". Within the public sector, one example of this is the initial rejection of the corona app and the corona law, where citizens expressed great concern about the impact on their privacy. Another example is the public reaction to the profiling practices of the Dutch Tax Administration (Belastingdienst).

The Personal Data Authority has found that data subjects are increasingly standing up for their privacy rights.(1) Recent figures from the regulator show a sharp increase in privacy complaints.(2) One of these complaints even resulted in a fine of €830,000 for the credit registration agency BKR,(3) because BKR, in the opinion of the Personal Data Authority, raised excessive barriers for data subjects who wanted to access their personal data.

BDO also sees in practice that many organizations struggle to safeguard the privacy rights of data subjects. They often rely on an ad hoc approach in which the process risks within the organization are not properly considered in advance, so that data subjects may be unable to exercise their privacy rights adequately. Organizations would therefore do well to think about how they protect these rights before they receive such requests, or complaints. One solution is to draw up standardized procedures for handling privacy requests, with clear responsibilities and response deadlines; after all, prevention is better than cure.

Mass claims

In the private sector, the more active attitude of stakeholders recently led to the first class action of its kind. The Consumentenbond (the Dutch consumers' association) is trying to force Facebook through the courts to compensate users for alleged privacy violations.(4) Facebook users can be represented by the Consumentenbond free of charge. So far the call has proven successful: after just one day, 100,000 individuals had signed up with the Consumentenbond. A court ruling in this case could lead to high damages, not to mention reputational damage for Facebook. The case could also set a precedent for future mass claims in data privacy; mass claims have, for example, also been filed against Oracle and Salesforce.(5) As an organization you should therefore be aware that such actions will become more common in the future.

From compliance to assurance?

In the fact sheet "The AVG and Information Security" we already discussed ISO 27701 at length,(6) a standard against which organizations can be certified. By obtaining this certificate, an organization demonstrates that it handles personal data in a privacy-friendly manner. In that fact sheet we concluded that the market will increasingly demand certainty about the privacy safeguards of suppliers, among others, a development that had previously taken place within information security. Certificates with which organizations can demonstrate "AVG compliance" are unfortunately not available (yet). The European legislator did, however, create an opening for such certificates in the AVG, namely in Articles 42 and 43 (Articles 40 and 41 cover the related instrument of codes of conduct). These provide that "AVG certificates" can be developed by European and national supervisory authorities and issued by accredited certification bodies. Recently, the Personal Data Authority announced its cooperation with the Dutch Accreditation Council (Raad voor Accreditatie) in this regard.(7) The website of the Personal Data Authority also states that certification schemes for AVG certificates are being worked on.(8) Holding such a certificate can give an organization a competitive advantage and give data subjects certainty about the protection of their privacy. An organization with an AVG certificate is probably also more likely to stay out of the regulator's crosshairs. Note, however, that under Article 42(4) a certificate does not reduce the responsibility of the controller or processor for compliance with the AVG itself.

More active stance of the Personal Data Authority

As already mentioned in the fact sheet "The AVG and supervision by the Personal Data Authority", the Personal Data Authority has so far not applied a strict fining regime.(9) Although a few fines have been imposed, their level is relatively low compared to those of other European supervisory authorities. In the first two years after the AVG became applicable, the focus of the Personal Data Authority was clearly on providing information and advice to organizations. For example, topics such as Data Protection Impact Assessments, the appointment of a Data Protection Officer and the mandatory notification of data breaches are explained through extensive information and checklists on the Authority's website.(10)(11)

However, this focus of the Personal Data Authority is going to change. The policy document "Focus AP 2020-2023: data protection in a digital society" states that in the period 2020-2023 the Personal Data Authority will concentrate on three focus areas: "data trading", "digital government" and "artificial intelligence & algorithms". Specifically, this means that the resale of data and behavioral advertising in particular will be closely monitored. In addition, the government's responsibility for the careful handling of (often sensitive and special) personal data of citizens will be supervised, with attention to data security, smart cities and partnerships between organizations. In the field of artificial intelligence and algorithms, awareness of the risks inherent in current technological developments is considered particularly important.

Moreover, the Personal Data Authority indicates that it will enforce more intensively in the coming years. How it will accomplish this is still unclear, as it says it currently faces a capacity problem. External research indicates that both its staffing and its budget should more than double.(12) The Dutch government, on the other hand, has announced a budget reduction for the coming years. For the years 2021 through 2025 a budget of approximately €18.5 million has been allocated, while the budget for 2020 is €19.3 million. Since this is a provisional budget, the Personal Data Authority, as it indicates on its website, remains hopeful of additional budget.(13)

Yet the view of the Personal Data Authority does not always turn out to be the final word. In the VoetbalTV case, for example, it recently emerged that the authority had wrongfully imposed a fine of €575,000,(14) because it took the position that a purely commercial interest could not be subsumed under the "legitimate interest" basis. The court nuanced this, ruling that the finding that VoetbalTV had no legitimate interest had not been made with sufficient care. Moreover, the court held that not only legal but also factual, economic and idealistic interests can qualify as legitimate interests, and that interests may not be excluded in advance. That is exactly what the Personal Data Authority did with its view on legitimate interest (and still does with regard to consent as a legal basis in the employer-employee relationship). Hopefully an increase in capacity will also mean that such misinterpretations of the AVG, with major consequences, will no longer occur.

Global privacy

Privacy is not only a Dutch concern; it keeps us busy worldwide. On July 16, 2020, for example, the Privacy Shield, which was supposed to guarantee an adequate level of data protection for data traffic between Europe and the United States, was declared invalid by the Court of Justice of the European Union in the Schrems II ruling. The ruling has immense consequences for both the public and the private sector, because the Privacy Shield may no longer be used as a basis for the transfer of personal data from the European Economic Area to the United States. The Schrems II ruling provides no transition period, which means that from one moment to the next an existing flow of data to a third country such as the United States no longer complies with the AVG. In addition to invalidating the Privacy Shield, the Court is also critical of the use of Standard Contractual Clauses (SCC), which raises the question of whether model contractual clauses alone are sufficient to comply with the AVG. The day after the ruling, the European Data Protection Board (EDPB) attempted to clarify matters by means of frequently asked questions.(15) Nevertheless, businesses were left at a loss due to the lack of practical guidance. Meanwhile, on November 11, 2020, the EDPB published recommendations on the transfer of personal data after Schrems II. The recommendations form a "roadmap" of six steps that companies can follow, from mapping their transfers and identifying the transfer tool used, through assessing the law and practice of the third country, to adopting supplementary measures where needed. These recommendations are open for public consultation.

The Personal Data Authority indicates that the current SCC can still provide a valid basis for transfers to third countries under the strict condition that a company takes sufficient additional measures to ensure the security of the transfer.

Practical tip: add supplementary provisions to the SCC that shift the risk to the importer, for example:

  • The importer declares that there is no national legislation that interferes with the rights and obligations under the processor agreement, the SCC and/or the AVG.

  • Agree on an obligation to disclose material changes to the (sub)processor documentation.

Bear in mind that such contractual provisions bind only the parties, not the authorities of the third country. Where the importer's local law is the problem, the EDPB's recommendations therefore expect contractual measures to be combined with technical measures, such as encryption with keys held solely in the European Economic Area, so that the importer cannot be compelled to hand over readable data.

The European Commission has also published a new draft model processor agreement: standard contractual clauses between controllers and processors under Article 28(7) of the AVG.(16) It is open for consultation until December 10, 2020. In practice, processor agreements are heavily negotiated, so such a model could be a good starting point for negotiations. It is notable that the articles in this model cannot be deviated from; only additional agreements can be made (as long as these obviously do not conflict with the rest of the model). It is also striking that the model requires a separate annex with extra (security) measures where special categories of personal data are processed.

Both the "roadmap"(17) and the model contractual clauses have yet to be published in final form. Until then, BDO can help draft and review your processor agreement.

The e-Privacy Regulation; a headache file for the EU?

The current rules for telecom companies are laid down in the e-Privacy Directive of 2002 (Directive 2002/58/EC). Given today's digital developments, this directive is no longer adequate and is to be replaced by the e-Privacy Regulation. The e-Privacy Regulation covers electronic communications services, which mainly consist of the transmission of signals, and also interpersonal communication services such as WhatsApp and Skype. The aim of the regulation is to ensure data protection in electronic communications, to align better with the AVG and to harmonize the rules across member states. In particular, it regulates direct marketing, the placing of cookies and the use of communications metadata. In practice this means a further move toward an opt-in system, in which active consent from the user is required.

The European Data Protection Board (EDPB) emphasizes that "the e-Privacy Regulation should not be seen as an obstacle to the development of new technologies and services, but on the contrary is needed to provide a level playing field and legal certainty for market participants."

Despite delays caused by the COVID-19 pandemic, a new proposed text of the e-Privacy Regulation was recently published. This text was discussed in the Council of the European Union on November 11, 2020. The goal is to reach agreement on the final text of the e-Privacy Regulation by the end of 2020. Once adopted, the regulation, unlike the current directive, will be directly applicable in every member state of the European Union, including the Netherlands, without national implementing legislation.

Because the implications for electronic communication services can be significant, it is critical for organizations to keep a close eye on developments surrounding the e-Privacy Regulation.

Europe leads in privacy laws

Especially in Europe, privacy is playing an increasingly prominent role in society. Awareness among European citizens, partly due to the arrival of the AVG, is growing enormously. Europe is seen as the front runner in privacy legislation and in awareness of it, and we expect this to remain so for the time being. Privacy could therefore eventually become a unique selling point for Europe, allowing it to serve as a safe haven for online privacy for organizations. Other parts of the world are also moving, if slowly. One example is the entry into force of the California Consumer Privacy Act (CCPA) on January 1, 2020. While the purpose of the CCPA is similar to that of the AVG, this California law does not yet offer a level of protection equivalent to the AVG. The main difference is that the CCPA is largely based on an opt-out system (for example, a right to opt out of the sale of personal data), whereas the AVG requires opt-in where consent is the legal basis. So Europe remains the leader in data privacy for now.

Conclusion

Data privacy remains a field that is constantly evolving worldwide. We expect data privacy to play an increasingly prominent role within organizations as awareness of privacy rights in society continues to grow. In practice, however, partly due to the Schrems II ruling, there are still some stumbling blocks to overcome. We therefore hope that Europe will act more decisively and take a more active role in providing pragmatic solutions for organizations.

Footnotes
(1) https://www.privacy-web.nl/nieuws/forse-stijging-privacyklachten-in-2019
(2) https://www.privacy-web.nl/nieuws/sterke-toename-van-privacyklachten
(3) https://www.privacy-web.nl/nieuws/boete-voor-bkr-vanwege-kosten-bij-inzage-persoonsgegevens
(4) https://www.privacy-web.nl/nieuws/consumentenbond-en-data-privacy-stichting-dagvaarden-facebook-voor-privacyschending
(5) https://www.privacy-web.nl/artikelen/ap-bemoedigt-private-handhavingsinitiatieven
(6) https://www.privacy-web.nl/artikelen/de-avg-en-informatiebeveiliging
(7) https://www.privacy-web.nl/nieuws/samenwerking-ap-en-rva-goedkeuring-avg-certificaten
(8) https://autoriteitpersoonsgegevens.nl/nl/zelf-doen/avg-certificaat#hoe-kan-ik-een-avg-certificaat-aanvragen-6514
(9) https://www.privacy-web.nl/cms/files/2021-01/ad2043-fs-2-jaar-avg-toez

See also: The AVG and information security
