
5TH ANNIVERSARY OF THE GDPR 2018-2023
BDO LEGAL
Lessons learned and predictions for the future


INTRODUCTION.

ON 25TH MAY 2023, IT WILL HAVE BEEN FIVE YEARS SINCE THE GENERAL DATA PROTECTION REGULATION (GDPR) CAME INTO EFFECT.

This European privacy law has significantly improved the protection of personal data in Europe and has had major implications for companies and organisations processing personal data.

To celebrate this anniversary, various BDO legal firms from across Europe are sharing some thoughts about the past and the future of the GDPR and the protection of personal data.

CZECH REPUBLIC.

JIŘÍ ŠMATLÁK BDO Legal | Czech Republic
jiri.smatlak@bdolegal.cz

LESSONS LEARNED:

The Czech Republic had a reasonably robust data protection framework even before the GDPR was implemented. The positive effects brought about by the GDPR, nevertheless, were and continue to be multiple. The public started to appreciate their right to privacy much more. For many small business owners, despite their being rather vocal in protesting it at first, introducing a data privacy system has been the first major step of next-wave compliance. The GDPR certainly aided in reshaping the Czech market into a more consumer-oriented and balanced one, not only in the field of personal data protection.

PREDICTIONS FOR THE FUTURE:

For the EU and Czech authorities alike, it will be important to continue efforts to explain the benefits of new legislation before its implementation; otherwise, loud opposers may gain the upper hand and halt development. Just as the public grew accustomed to better data protection, so did those who seek to exploit it. We will be facing new threats jeopardising our privacy. Advanced computer-generated imagery capable of creating life-like deep fakes in mere seconds, and algorithms monitoring, analysing and predicting our behaviour, are but some of them. How (and whether at all) it will be possible to protect ourselves from this remains a question that software experts are still trying to answer. Many of these threats come from outside the EU, from jurisdictions where our appreciation for privacy is not shared. We expect this to be the next, perhaps the biggest ever, challenge for EU and national data protection.

BELGIUM.

PIETER GOOVAERTS BDO Legal | Belgium
pieter.goovaerts@bdo.be

LESSONS LEARNED:

Data protection has increasingly gained the attention of Belgian businesses as well as the public over the past five years. Enforcement of the GDPR has been slow, as the Belgian Data Protection Authority struggles with limited resources as well as with its independence after some directors either resigned or saw their mandate ended by the Belgian Parliament, with concerns voiced by the European Commission as well as the EDPB. The focus is therefore on the processing of complaints and reaction to data leaks, rather than on proactive action. There were, however, efficient reactions to societal issues, such as guidance and fines related to direct marketing and data brokers, and fines related to non-compliant body temperature checks in Belgian airports during the COVID-19 pandemic.

PREDICTIONS FOR THE FUTURE:

Because data in all its forms is becoming increasingly important, not least due to EU legislation on this topic, the awareness of the population is increasing, which in turn incites businesses to ensure compliance with the GDPR. The Belgian DPA seems set to continue to set its priorities in line with those set out by the EDPB, i.e., cookie compliance, the position of the DPO and smart cities in the short term, while clearly linking the efficiency of its organisation to the budget at its disposal. The rapid growth of innovative technologies, pushed by AI learning, will provide new challenges for the protection of privacy in Belgium, with its heavily data-driven service economy.


GERMANY.

MATTHIAS NIEBUHR BDO Legal | Germany
matthias.niebuhr@bdolegal.de

LESSONS LEARNED:

The GDPR was meant as the single unified European regime for data protection law, promising more clarity than the multitude of member state and, in the case of Germany, even sub-federal state law provisions on data protection. This promise has only partly been kept. Neither does the GDPR cover all sectors of EU data protection law, as we are still waiting for the harmonisation of important areas such as online data protection (ePrivacy Regulation), nor has the German legislator used the opportunity to cut German legislation. The new German data protection act (BDSG) even added 22 new provisions compared to its pre-GDPR predecessor. Moreover, the application of the GDPR and BDSG in Germany is complicated by 17 data protection authorities at state and federal level with not necessarily converging interpretations of the law.

PREDICTIONS FOR THE FUTURE:

Currently, the EU is rolling out a plethora of legislative instruments in the digital field, ranging from the Digital Services Act, Data Act and Data Governance Act to sector-specific legislation like the Regulation on the EU Health Data Space. All of this new legislation states that it “shall not affect the applicability of” or is “without prejudice to” the GDPR. However, the new legislation aims not at protecting data but at making data available, creating markets and added value. This will mean a huge paradigm shift for EU and German data protection law.

HUNGARY.

JÓKAY ISTVÁN BDO Legal | Hungary
istvan.jokay@bdolegal.hu

LESSONS LEARNED:

Since the introduction of the GDPR in Hungary, the Hungarian Data Protection Authority (NAIH) has been particularly active in data protection infringement proceedings, with nearly 70 cases of data protection fines imposed since 2019. While the number of proceedings is high, NAIH clearly follows the principle of gradualism in its assessment of fines: in the early years of the GDPR’s implementation the authority mainly used warnings and low-level fines to encourage data controllers to behave lawfully; however, over the last two years an increase in the amount of fines has been observed. At the same time, data protection awareness in Hungary is increasing and, thanks to the NAIH’s procedures and awareness programmes in its regulatory functions, data controllers’ data protection compliance is becoming more complete and adequate. This kind of awareness can also be observed among data subjects in the enforcement and protection of their rights.

PREDICTIONS FOR THE FUTURE:

Significant efforts to strengthen data protection adequacy and awareness are expected to continue in Hungary. While continuous progress can be observed in this direction, the challenge of providing data subjects and businesses with adequate education and information on data protection remains important. The emergence of new technologies and the associated data protection issues and problems is also a major challenge. NAIH is expected in the near future to assist businesses and stakeholders by providing information on the new challenges and opportunities brought about by digital technology.

ITALY.

GABRIELE FERRANTE BDO Legal | Italy
gabriele.ferrante@bdo.it

LESSONS LEARNED:

In Italy, Legislative Decree No. 101 of 10 August 2018 was introduced to align the national legislation with the GDPR. However, the regulatory framework for data protection in Italy is still incomplete and lacks comprehensive coverage. The decree refers to various deontological rules, codes of conduct, guarantee measures, general authorisations, and other provisions issued by the Italian Data Protection Authority (known as the “Garante per la protezione dei dati personali”), which are not consolidated in a single regulatory source. Moreover, certain aspects remain unclear, such as the internal structuring of the Data Protection Officer (DPO), which continues to raise concerns among Italian companies. Additionally, the management of data breaches in Italy has been hindered by a lack of detailed guidelines from the Garante, resulting in a comparatively low number of reported data breach notifications.

PREDICTIONS FOR THE FUTURE:

As the conversation around data protection continues to evolve, the GDPR has emerged as a crucial factor. With data becoming increasingly valuable and central to the new European strategy for data, and in general to the new digital legislation from the EU, the GDPR’s importance is expected to grow even further in the future. Our expectation is to witness a smoother implementation of the GDPR across small and medium-sized enterprises in Italy, as well as in other EU countries. Among the objectives is to enhance the user experience of consent management systems, moving towards preference management systems that prioritise user choice and control. This includes the introduction of Personal Information Management Systems, which will empower consumers with greater control over their personal data. In addition, cybersecurity and data breach prevention are likely to become even more prominent in the coming years, shifting the focus beyond just consent management.


NETHERLANDS.

MICHA GROENEVELD BDO Legal | Netherlands
micha.groeneveld@bdo.nl

LESSONS LEARNED:

Over the past five years, people have become much more aware of their privacy rights. We have also noticed that the Dutch Data Protection Authority (the “AP”) sometimes upholds opinions that are not shared by other data protection authorities. A good example is its position on legitimate interest. According to the Dutch DPA, a commercial interest cannot be a legitimate interest, although the EDPB has clearly stated otherwise and the GDPR itself mentions that direct marketing may be based upon legitimate interest. This position has sparked much debate, as it limits the ability to process personal data for commercial purposes, and a Dutch court has asked the EU court to give its opinion on the matter.

PREDICTIONS FOR THE FUTURE:

Some expect that “privacy” will cease to exist in the future, but given the effects of the GDPR and the EU’s digital strategy we expect that privacy will continue to be protected in the future. A balance will have to be found between upholding privacy and using personal data for commercial purposes, but we expect that the EU court will confirm that the AP needs to adjust its position and allow the use of personal data for commercial interests.

NORWAY.

ASTRID EIKENES SKORPEN BDO Legal | Norway
astrid.skorpen@bdo.no

LESSONS LEARNED:

We have seen that many Norwegian entities (including the public sector) find it challenging to ensure compliance with the GDPR. The national legislation that should clarify the lawfulness of the processing of personal data in specific situations is underdeveloped, and some actors are in the position of having to choose between not complying with the GDPR and not complying with other legislation. At the same time, we have seen that several of the decisions of the Norwegian Data Protection Authority have been overruled by the privacy appeals board. A public report on personal data protection in Norway was released in 2022. The report highlighted risks and challenges in several areas, and some of the most debated subjects following the report are personal data protection within the school sector, in relation to technology and in relation to consumers.

PREDICTIONS FOR THE FUTURE:

We have recently seen that the Norwegian Data Protection Authority has reached out to both the public and the private sector for dialogue. Our impression is that they seek to identify and understand challenges related to the interpretation and use of the GDPR. We hope that this can contribute to improved and more specific guidelines from the authority. We have also seen that personal data protection is more often debated in public, and we hope that this will raise awareness among all relevant stakeholders, including the legislator.

ROMANIA.

CATALINA DAMASCHIN Tudor, Andrei & Associates
catalina.damaschin@tudor-andrei.ro

LESSONS LEARNED:

These past five years have highlighted the importance of raising awareness about data protection rights and obligations among individuals and organisations in Romania. The legislator adopted legal provisions adapted to the national context to facilitate the implementation of the new GDPR regulations, while the National Supervisory Authority for the Processing of Personal Data (“ANSPDPC”) has adapted to the changes generated by the GDPR by strengthening its administrative capacity for the effective application of the new regulations. Its endeavours have increased trust and improved the protection of individuals’ personal data. ANSPDPC has observed compliance with the GDPR and sanctioned acts such as unauthorised disclosure of or access to certain personal data and non-observance of obligations imposed by the GDPR. The decisions, guidelines and interpretations of the new regulations have helped change the way in which individuals see the protection of their personal data, making them more proactive.

PREDICTIONS FOR THE FUTURE:

It is thought that new data protection challenges will arise from technological advancement, namely artificial intelligence. In this context, ANSPDPC will likely introduce further guidelines and amendments to ensure the effective protection of personal data in line with emerging trends and risks, and will steadily become more proactive in monitoring compliance and imposing penalties for violations. However, what at first glance may represent a challenge will in the end be a solution and play a significant role in data protection practices, enabling more efficient and secure handling of personal data.


SLOVAKIA.

MAREK PRIESOL BDO Legal | Slovakia
priesol@bdoslovakia.com

LESSONS LEARNED:

Discussions on data protection and privacy in Slovakia are still very much alive, even though five years have already passed since the GDPR came into effect. The COVID-19 pandemic increased Slovak residents’ awareness of their privacy rights, since the measures adopted to stop the pandemic led to large-scale testing of the proper protection of personal data concerning health, mainly with respect to the mass population antigen testing organised by the Slovak government in October and November 2020, vaccination, body temperature measurement of all employees before coming to work, and the introduction of an app developed by the Slovak government for smart tracking of the quarantine of infected persons (which was not fully implemented due to large resistance from the public to such personal data processing). Recently, discussions have also been held with respect to the personal data of beneficial owners compulsorily published in the Slovak Register of Public Sector Partners, following cases C-37/20 and C-601/20, which ruled against unrestricted access by the general public to the data of beneficial owners.

PREDICTIONS FOR THE FUTURE:

The balance between the fight against money laundering and sufficient protection of personal data must be found, and it is the duty of the competent Slovak authorities to comply with the given CJEU judgment. It is necessary that personal data is not degraded merely to the level of a “source” but is still understood as a unique identifier associated with a specific person that must be protected.

SPAIN.

ALBERT CASTELLANOS BDO Legal | Spain
albert.castellanos@bdo.es

LESSONS LEARNED:

The GDPR was received in Spain as a mechanism to guarantee citizens’ confidence in the control over their data, without the price to be paid for innovation implying a waiver of their rights. Although the legislator has tried to implement the GDPR through the Spanish Data Protection Act, it is a difficult task due to the variety of Spanish sectorial laws that have an impact on data protection (e.g., the Whistleblowing Act and the Telecommunications Act). As a result, the Spanish Data Protection Agency has detected relevant omissions in the regulatory field, which is evident when observing the sanctioning activity of the Agency, positioned as one of the most active in this area at EU level. Considering the above, we should ask ourselves whether the GDPR is a clear enough regulation and whether it is adequate to achieve its objective in its current state.

PREDICTIONS FOR THE FUTURE:

The main initiative to be considered will be the data processing developed around AI components. A challenge in Spain will be the implementation of the proposed Artificial Intelligence Regulation of the European Parliament and the Council. The challenges to be considered will be: understanding the functioning of AI systems and their impacts on people; allowing and guiding the development of AI that respects personal data; and auditing and controlling AI systems and protecting people. In this regard, Spain has already considered the creation of the State Agency for the Supervision of Artificial Intelligence, to design a strategy to regulate and protect the rights of data subjects.

SWITZERLAND.

KLAUS KROHMANN BDO Legal | Switzerland
klaus.krohmann@bdo.ch

LESSONS LEARNED:

Switzerland is obviously not a member state of the EU. Nevertheless, the GDPR has had a strong influence in Switzerland. In 2016 a legislative project was started for a total revision of the Swiss Federal Act on Data Protection. After lengthy discussions in Parliament, the new law was finally enacted on 25 September 2020 and will enter into force on 1 September 2023. The completely revised Data Protection Act (DPA) is based on concepts very similar to the GDPR; however, it also has clear deviations. For example, the sanction regime under the DPA is based on penal sanctions instead of the administrative fines provided for by the GDPR. Moreover, in keeping with the tradition of the drafting of Swiss laws, the articles of the DPA are phrased in a more general and less specific manner. On the one hand, this gives more room for interpretation and development of the law; on the other hand, there is less guidance and certainty for future practice.

PREDICTIONS FOR THE FUTURE:

The new Swiss DPA will uplift data protection in Switzerland to new levels. Under the impression of the sanctions imposed under the GDPR, data protection has gained more respect and attention. Looking deeper into the matter, the sanction system of the Swiss DPA seems to be vague, and the future will show whether such a system will in fact enable enforcement against data protection violations or whether the experiment of introducing sanctions in this area will turn out to be a damp squib.


FOR MORE INFORMATION:

MENNO WEIJ HEAD OF GLOBAL IP/IT & PRIVACY WORKING GROUP BDO LEGAL | NETHERLANDS
T: +31 6 109 190 24
menno.weij@bdo.nl

CAROLINE MACDONALD COORDINATOR | LEGAL SERVICES BDO GLOBAL OFFICE
T: +34 686 339 922
caroline.macdonald@bdo.global

This publication has been carefully prepared, but it has been written in general terms and should be seen as broad guidance only. The publication cannot be relied upon to cover specific situations and you should not act, or refrain from acting, upon the information contained herein without obtaining specific professional advice. Please contact the appropriate BDO Member Firm to discuss these matters in the context of your particular circumstances. Neither the BDO network, nor the BDO Member Firms or their partners, employees or agents accept or assume any liability or duty of care for any loss arising from any action taken or not taken by anyone in reliance on the information in this publication or for any decision based on it. The provision of professional services under the BDO brand is the sole preserve of each of the BDO Member Firms in their own country. For legal, regulatory or strategic reasons, not all BDO Member Firms provide legal services. Neither BDO LLP (UK) nor BDO USA LLP (USA) provide legal advice. Where BDO does not provide legal services, we work closely with “best friend” external law firms. BDO is an international network of professional services firms, the BDO Member Firms, which operate under the name of BDO. Each BDO Member Firm is a member of BDO International Limited, a UK company limited by guarantee that is the governing entity of the international BDO network. Service provision within the BDO network is coordinated by Brussels Worldwide Services BVBA, a limited liability company incorporated in Belgium with its statutory seat in Zaventem. Each of BDO International Limited, Brussels Worldwide Services BVBA and the member firms of the BDO network is a separate legal entity and has no liability for another such entity’s acts or omissions. Nothing in the arrangements or rules of the BDO network shall constitute or imply an agency relationship or a partnership between BDO International Limited, Brussels Worldwide Services BVBA and/or the member firms of the BDO network.

BDO is the brand name for the BDO network and for each of the BDO Member Firms.

© BDO, May 2023.
