https://ploum.nl/uploads/Artikelen_en_Track_Records_en_expertise/Privacy/pexels-cottonbro-studio-3205735.jpg

Privacy law in 2022

06 Jan '23

Since the introduction of the General Data Protection Regulation (GDPR) in 2018, new developments within privacy law have followed in rapid succession. The past year (2022) was no exception. Time to look back and provide an overview of a number of important issues.

International transfers of personal data

Even in 2022 - following the Schrems II case - questions about international data exchange remain on the agenda. In January 2022, a decision by the Austrian Data Protection Authority (DSB) caused much commotion. The DSB ruled that the use of Google Analytics (cookies) was not permissible, because it involves the transfer of data to Google in the United States without adequate safeguards. This made it clear once again that it is insufficient to state on paper that adequate safeguards are in place when data is transferred - adequate safeguards must actually be in place. Also read again this blog.

This judgment was the result of consultations of all national regulators united in the European Data Protection Board (EDPB). The Dutch Personal Data Authority (AP) is also part of this. The AP indicated "early 2022" would also come up with an opinion. However, this judgment has not materialized. However, the AP did warn that the use of Google Analytics may not be allowed.

Now that we have reached the end of the year, however, a remedy for data transfers to the U.S. seems to be on the horizon. This in the form of a adequacy decision, the draft of which has now been published, on Dec. 13. When this adequacy decision becomes final, it will be possible to exchange data with U.S. entities without further measures. Of course, this will then only apply to the exchange of personal data with entities in the United States. For other countries outside the European Economic Area (without an adequacy decision), the principle remains that adequate safeguards must be in place.

The commercial interest as a legitimate interest

This topic has been under discussion for quite some time. Unfortunately, full clarity has still not been obtained as to whether a commercial interest can be a "legitimate interest" (as mentioned in Article 6 AVG) on which processing may be based. However, preliminary questions have now been submitted to the Court of Justice. Whether we can expect answers to these in 2023 remains equally exciting, as the Court takes an average of 17 months to respond to preliminary questions. In the meantime, a thorough case-by-case assessment of the processing basis is required. Read more about this in our earlier blog: Is a commercial interest a legitimate interest | Ploum Rotterdam Law Firm.

Personal data shall more quickly fall in a special category

The European Court of Justice ("ECJ") ruled on Aug. 1 that data from which information falling into a special category of personal data can be deduced indirectly (Article 9 AVG) must also be treated as data falling into that special category. This is important because the processing of personal data that falls into a special category is subject to stricter rules (in principle, a processing ban). Read more about this topic here: Perhaps processing special personal data sooner than thought | Ploum Rotterdam Law Firm.

The UBO register

At least in 2022, the ECJ responded to questions raised regarding the UBO register. That register recorded data of UBOs (ultimate beneficial owners of companies). This data could then be viewed by anyone and now that this too much affects the privacy of those included in the register, the provision of this information to an unrestricted public has been stopped by the CJEU. The registry is expected to be restored to limited access by competent authorities soon.

Fines from the Personal Data Authority (AP)

It is notable that the AP published a limited number of fines in the past year, compared to last year. Fines were imposed for, among other things, unnecessarily requesting a proof of identitypoor security of and information about processing, unlawful processing of data and the use of a blacklist and for not carrying out a risk analysis for high-risk processing (camera images). The reasons for which fines have been imposed are quite diverse, but by now we see a number of topics recurring such as security measures, risk analyses, assessing processing grounds, reporting data breaches and facilitating data subjects' rights.

There may also eventually be an adjustment to the AP's current fining policies following a publication by the European Data Protection Board (EDPB) on the calculation of fines. This could well lead to (significantly) higher fines. All the more reason to take another close look at your privacy policy.

Questions?

Do you have questions about processing personal data or would you like to review your organization's processing of personal data? Feel free to contact us at privacy@ploum.nl or read more about our Privacy Helpdesk and the Privacy Quick Scan

Contact

Attorney at law

Lars Boer

Expertises:  IT-Law, Privacy law, Procurement law, Cybersecurity , Technology, Media and Telecom, Commercial Contracts, Start-up and Scale-up,

Share this article

Stay up to date

Click on the plus and sign up for updates on this topic.

Expertise(s)

Met uw inschrijving blijft u op de hoogte van de laatste juridische ontwikkelingen op dit gebied. Vul hieronder uw gegevens in om per e-mail op te hoogte te blijven.

Personal data

 

Company details

For more information on how we use your personal information, please see our Privacy statement. You can change your preferences at any time via the 'Edit profile' link or unsubscribe via the 'Unsubscribe' link. You will find these links at the bottom of every message you receive from Ploum.

* This field is required

Interested in

Personal data

 

Company details

For more information on how we use your personal information, please see our Privacy statement. You can change your preferences at any time via the 'Edit profile' link or unsubscribe via the 'Unsubscribe' link. You will find these links at the bottom of every message you receive from Ploum.

* This field is required

Interested in

Create account

Get all your tailored information with a My Ploum account. Arranged within a minute.

I already have an account

Benefits of My Ploum

  • Follow what you find interesting
  • Get recommendations based on your interests

*This field is required

I already have an account

Benefits of My Ploum

Follow what you find interesting

Receive recommendations based on your interests

{phrase:advantage_3}

{phrase:advantage_4}


Why do we need your name?

We ask for your first name and last name so we can use this information when you register for a Ploum event or a Ploum academy.

Password

A password will automatically be created for you. As soon as your account has been created you will receive this password in a welcome e-mail. You can use it to log in immediately. If you wish, you can also change this password yourself via the password forgotten function.