The past year again saw plenty of news for the privacy professional: from the Pegasus scandal in the Israeli surveillance industry, to rulings by regulators on Google Analytics, to the commotion surrounding the data-hungry and mandatory apps for visitors of the Qatar World Cup – 2022 was an eventful year in the world of privacy.
However, there was also plenty of positive news this past year, and that deserves to bementioned. Take, for example, the developments related to new European legislation such as the DSA and DMA, which should make online life a little safer. Or the EU Data Boundary announced by Microsoft, which should keep personal data of European cloud customers within the EU. On Data Privacy Day, we look back on the past year and take a brief look ahead to what this year might bring us.
Perhaps the most eye-catching news was that the Austrian, Norwegian, French, Italian and Danish regulators all determined that Google Analytics was in breach of the GDPR. The breach consisted of the alleged unlawful transfer of personal data to the United States. The Dutch Supervisory Authority has yet to issue its final decision.
While we're on the subject of international transfers of personal, we can’t ignore the developments regarding the new Privacy Shield. After President Joe Biden signed the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities in October, the European Commission published a draft adequacy decision for international data transfers to the U.S. in December. The big question here, of course, is how long will it be before Max Schrems appears in court again.
In addition to the already mentioned DSA and DMA, which will soon come into force,the European Data Governance Act (DGA) came into force in June. The DGA is to boost the sharing, availability and reuse of data. As such, the DGA also touches on privacy and will undoubtedly touch on the work of privacy professionals in the coming years.
In the past year, the regulators haven’t been idle either as a number of large fines were issued. Meta, parent company of Facebook, Instagram and Whatsapp, took the crown with a total of €687,000,000 in fines handed out by the Irish regulator (DPC).
The most fines were handed out by the Spanish regulator (AEPD): a whopping 199. The map below provides an overview ofthe fines (TOT = totalfines in EUR; the number in parentheses refers to the number of fines).
Disclaimer 1: Figures shown do not represent a complete overview of fines issued. Figures based on data from www.enforcementtracker.com
In closing, we can't resist taking a moment to look at ourselves. Because there was plenty of newsworthy work performed at Privacy Company in 2022. How about the DPIA and HRIA (Human Rights Impact Assessment) on the use of Facebook pages by the Dutch government, the DPIAs for SURF and Rijk on Zoom, Microsoft Teams, OneDrive and SharePoint Online – which even made the New York Times this month(!). And to top it all off, last year we celebrated our 8th anniversary (hip hip...!).
In 2023 we look forward to developments regarding the new Privacy Shield, the Artificial Intelligence Act and its oversight by the Personal Data Authority and other new European legislation such as the Data Act. But we’re especially looking forwardto doing more important work this year in order to do our part and make the world a bit better and more privacy-friendly.
By Jacoline and Evan