Making predictions for the year ahead is as tempting as it is unreliable. In a world of unlimited data and advanced science, it would be easy to think that the future is already written, and that algorithms and artificial intelligence will show us what lies ahead with immaculate accuracy. Or perhaps not. At least not yet. To say that the world is in turmoil is an understatement, and the same is true of the world of privacy and data protection, which makes predicting the future particularly tricky. But since the urge to plan, budget and prepare for what is likely to happen next is so real, now is a good time to pause, reflect on what is going on, and make some predictions for 2018.
The Year of the GDPR
One thing is for sure: On 25 May 2018, the EU General Data Protection Regulation will finally become applicable and enforceable. That’s an easy prediction since that date is stated in the GDPR itself. The question is what that will actually mean in practice. In other words, what could possibly be the effect of the most complex and least understood data protection law ever created once it kicks in when, at the same time, the exploitation of personal data is one of the greatest corporate ambitions of our time?
We know that regulators have been preparing for that moment from Day One. Others probably less so.
Another certain fact is that any lack of preparation for the GDPR will not be due to the amount of noise it has already generated. Much has been said about the strengthening of consent, the introduction of new rights and the stratospheric monetary penalties that await the transgressors. Hundreds of pages of carefully thought out guidance have been written by the regulators. Meanwhile, the mainstream media are constantly contributing to the debate – and perhaps to the panic – around the impact of the GDPR. However, not much has been said about a simple fact: Given that we are still interpreting the most essential aspects of the 22-year-old EU Data Protection Directive – which was far more basic – what are the chances of understanding, let alone complying with, all of the nuances of such a monster law as the GDPR?
The reality is that very few (if anyone) will be truly and fully compliant with the GDPR when the time comes. I have witnessed the mammoth efforts made by many to try and meet the requirements of the new law, but as the deadline for compliance approaches, the level of anxiety is only set to increase. As 2018 gets going and regulatory action becomes more and more focused, we will get a better view of where the priorities should lie. If I had to choose some, building a comprehensive framework of internal policies, developing a workable system of data protection impact assessments, appointing a pragmatic DPO, preparing for cybersecurity breaches, tightening vendor agreements, and legitimizing international data flows would be at the top of my list.
The Big e-Privacy Debate
But the GDPR should not completely distract us from one of the biggest debates of our time. This year will witness a public policy debate like no other. Should the privacy of our digital lives prevail over the digital economy or the other way round? This is how high the stakes are at the moment as far as the reform of the EU e-privacy framework is concerned.
A year ago the European Commission introduced a proposal for a new e-Privacy Regulation. By the end of 2017, the European Parliament had made it very clear that it would not settle for anything other than the highest standards of privacy protection. So this year it will be the Council of the EU that takes center stage and sets out its preferred position. Expect a fair amount of discrepancy with the Parliament and a risk-based approach along the lines of what happened with the GDPR.
We may or may not get a proposed draft from the Council before the end of the year, but we can rest assured that the Brussels legislative machinery will be operating at full steam in an attempt to bridge public policy objectives with the realities of the 21st century. In the meantime, regulators from around the world will become increasingly concerned about the direction of travel of technological innovation, so it would not be surprising to see them joining forces across continents to tackle “data maximisation” practices.
To Brexit or Not to Brexit
While regulators are more likely than ever to team up for global investigations, in the U.K. we still need to deal with the small matter of Brexit and its repercussions for data protection. This year will be decisive in determining whether Brexit will happen at all. Assuming that it does, a key question is: What will it mean for international data flows and for U.K.-headquartered multinationals seeking to operate within the one-stop-shop framework? No one will work harder than the U.K. Information Commissioner to ensure that, as far as possible, the benefits of EU data protection continue to apply.
The wisest move would be for the U.K. to seek some form of “adequacy by default” for transfers of data originating from the EU. This would be justifiable on the basis that both data protection frameworks will be identical, as the U.K. is poised to implement the GDPR in full. Logic suggests that if the Brexit negotiations are sufficiently constructive, this should be a non-issue and the U.K. will be regarded as a safe jurisdiction for personal data, as it is today. In turn, the U.K. will probably create a U.K.-U.S. Privacy Shield, mirroring the arrangements that the U.S. already has in place with the EU and Switzerland. But ultimately, this is a political decision outside the control of anyone beyond those sitting at the “Brexit deal” negotiating table.
Keeping an Eye on the CJEU
Finally, I have the sense that the most earth-shattering developments on the privacy front will come from the judiciary. In particular, the Court of Justice of the EU has its plate full of pending cases on crucial issues, ranging from the territorial applicability of the law to the viability of various international data transfer mechanisms.
As the ultimate arbiter on EU data privacy matters, the CJEU has become a powerful global guardian of rights. While laws take a while to be adopted and may formally or informally include transitional periods, once a court like the CJEU hands down a decision, its application is immediate, and if that decision happens to contradict a long-held view or interpretation, the effect is spectacular.
With that in mind, let’s prepare ourselves for a truly spectacular year.
This article was first published on IAPP’s Privacy Tracker.