GDPR in 2023: Focus areas, expectations and predictions

Written by Johannes Eyolf Aagaard | 8 February, 2023

It's finally here: a new year with an important birthday. In a few months (25 May), it will be five years since the GDPR came into effect in Denmark. It's safe to say that areas such as data security and privacy protection have not become less important during the half-decade in which the GDPR has been at the centre of privacy and compliance in Denmark and the EU.

There is nothing to suggest that 2023 will be a year of stagnation and "nothing new under the sun" for the birthday boy. Quite the contrary. New legislation and important decisions and trends in society point in one direction - that the GDPR is more topical and relevant than ever before.

We have therefore invited you to a digital New Year's Eve dinner with GDPR on the menu, including focus areas, expectations, and predictions for 2023. In collaboration with Emil Marburger, a senior lawyer from Bech-Bruun specialising in compliance and data protection law, we have gathered six themes that you can keep in mind in the new year.

Common to the themes we have selected is that they deal with topics where it is about building on top of an existing setup. In other words, the focus areas and predictions below are primarily for those of you who work in an organisation that has basic compliance work under control. If this is not the case, there are other more fundamental tasks that precede the below.

Enjoy.

1) New Privacy Shield agreement and Schrems III

Does Schrems II ring a bell? It should ring a bell. Back in 2020, privacy activist Maximilian Schrems succeeded in having the so-called Privacy Shield agreement and the old SCCs overturned by the Court of Justice of the European Union and thus also the entire legal basis for transfers of personal data between the EU and the United States and other third countries.

The decision has therefore had a huge impact on how and on what basis it is possible to transfer personal data to the US, and it has placed greater demands on companies and organisations that want to use US data processors.

Since then, both Washington and Brussels have been working on an agreement on a new framework that is compliant with the GDPR and addresses the challenges that led the CJEU to overrule the Privacy Shield. And it could well be in 2023 that a new agreement becomes a reality.

At the end of 2022, US President Joe Biden issued an Executive Order on the new Trans-Atlantic Data Privacy Framework. Politicians in the EU are now also working on preparatory work to implement the agreement so that there is once again a general basis for transferring personal data between the EU and the US.

This process has a deadline of six months, so it is likely that the new agreement will be adopted and ratified to some extent during the spring of 2023.

As background information, one of the major problems with the Privacy Shield agreement was the lack of access to authorities and judicial review in the US and the broad powers that US authorities (e.g. NSA) had to access and use personal data. These are some of the things that are being adjusted and tweaked in the new agreement.

Whether, in Maximilian Schrems' view, it is sufficiently adapted is harder to predict. However, it would be an obvious guess that he is ready to challenge the new agreement in the courts and thus initiate the third edition of the Schrems cases.

2) Work on the Digital Services Act (DSA) and Digital Markets Act (DMA)

In 2022, the EU adopted two regulations: the Digital Services Act (DSA) and the Digital Markets Act (DMA). Both the DSA and the DMA may have an impact on your compliance work if you are covered. In the first instance, it is therefore relevant to assess whether your activities are covered by the new regulations or not, and if so, how you should organise your current setup.

In short, the purpose of the DSA is to address and allocate the duty to moderate, delete and/or rectify online content. This includes stricter requirements for online platform providers, including a number of rules on marketing to children and a prohibition on profiling based on sensitive information. As the DSA and DMA are both "special laws", they take precedence over the GDPR.

While the DSA has a broader scope, the DMA is primarily aimed at big tech, including major digital marketplaces and social platforms, where the overall aim is to ensure fair competition and more choices for users. Nevertheless, it is relevant to map whether and to what extent your organisation is covered by the new provisions so that you can adapt your current compliance work accordingly.

3) Preparation for the NIS2 Directive

The NIS2 Directive was adopted last December and Member States now have until autumn 2024 to implement its provisions. However, it is already relevant to check if and how you might be covered.

The new directive is initially an extension of the scope and requirements of its predecessor, NIS1, which is why new sectors and industries must comply with the adopted security and procedural requirements, including, for example, district heating producers, waste management, and food producers. However, there is a distinction between significant entities and important entities, so you need to be aware of which group you may belong to.

While GDPR concentrates on personal data, NIS2 is broader and has a more general focus on security for sectors that are so critical to society that their security measures should be subject to enhanced requirements. Nevertheless, the way you think about compliance in NIS2 is not far from the way you think about compliance in the GDPR.

If your organisation is therefore covered, you should - if you have not already done so - start working on maturity assessments, analyse these maturity assessments, ensure management and organisational anchoring, conduct an ongoing risk assessment, implement preparedness, prepare written documentation, etc. The result should be a plan and a contingency plan for the implementation of the "necessary and mitigating measures" that will seek to reduce the risk and that can be complied with in practice.

One of the major focus areas in NIS2 is the expectation of preparedness and the reporting requirement for security incidents, which carries a shorter deadline of 24 hours in NIS2 (compared to 72 hours in the GDPR) and must be reported to the Centre for Cyber Security. This may also include escalation to the EU Cybersecurity Agency, ENISA, to ensure cross-border preparedness. It is therefore important that you have your internal preparedness under control.

4) More decisions in sight

There was no shortage of interesting decisions in 2022. At the end of the year, the German Data Protection Authority ruled that Microsoft Office 365 could not be used in accordance with the GDPR in public authorities/institutions, and a couple of municipalities in Denmark were ordered to suspend the use of Google Workspace in teaching.

In 2023, there are also some rather interesting judgments and decisions in the pipeline. Among other things, we are awaiting the judgment in the case of TAXA 4x35, which has received a significant fine reduction in the courts for their breach of the GDPR, while the Public Prosecution Service has already announced that the case will be appealed. The judgment comes in the wake of a similar case with IDdesign, which also had its fine significantly reduced.

We are also still awaiting the case where Danske Bank has been fined DKK 10 million. Common to all cases is that they center on erasure.

From abroad, it should be mentioned that the Irish Data Protection Authority has made its mark with a significant decision against Meta, which included both a fine of DKK 2.9 billion and an order to adapt the legal basis for the processing regarding behavioural marketing. You can read more about it here. The decision may be of great importance for all companies working with this type of marketing.

5) Danish Data Protection Agency's focus areas in 2023 and new guidelines

On 2 February, the Danish Data Protection Agency published its focus areas for the new year. You can read more about them by clicking here. In 2023, special focus will be placed on the following themes:

  • Protection of children
  • Data protection officers - designation and role
  • Manufacturing companies focusing on customised products with direct delivery to citizens
  • Parliament and parliamentary institutions
  • Processing of personal data of website visitors
  • TV surveillance
  • Authorisations to disclose information from research
  • Processing of personal data in pan-European information systems
  • The Law Enforcement Act.

Several of the above points are linked to and are an extension of the general themes and winds that are currently blowing in relation to compliance, including, among other things, the DSA's provisions on marketing to children.

The EDPB guidance on the processing of personal data in clinical trials, which should have been completed in the autumn of 2021, will hopefully arrive this year and address the topic of permissions to disclose information from research. For a pharma country like Denmark, this is particularly relevant, as it is expected, among other things, that questions regarding the allocation of responsibility will be standardised across the EU.

A particularly interesting point is that in 2023 there will be a focus on data protection officers, including their appointment and roles in the organisation. This means that you as an organisation will need to be able to document how and on what basis you have selected your DPO, as well as their mandate and powers. You must also be able to explain which tasks the DPO is responsible for and how his or her recommendations are implemented and complied with. However, it should be mentioned that the EDPB on the European scene has announced that there will be a guide on the role of the DPO, which is why this will largely be an interpretative contribution to the above.

It can also be mentioned that the Danish Data Protection Agency will issue a new guide on marketing and processing personal data as well as an update of the existing HR guide.

6) A busy regulatory system

There is no doubt that the EU legislative machinery was busy in 2022, but there is no sign of it slowing down in the new year. A large number of new regulations and directives are currently on the drawing board, including, for example, the Data Act, the Regulation on Harmonised Rules for Artificial Intelligence (Artificial Intelligence Act), the e-Privacy Regulation, the Regulation on Horizontal Cybersecurity Requirements for Products with Digital Elements (Cybersecurity Resilience Act) and others.

Many of them are still only proposals, so the final content and timetable are not yet known. Nevertheless, it is a sign that the EU legislative bodies have a great focus on and interest in the area and that there will certainly not be less to do in the coming years for those of you who work with compliance. Quite the contrary.

Summarising and takeaways

As you can imagine, there's plenty to get stuck into in the new year. In addition to the themes we have already covered, there are a number of other important headlines that you can also note on the agenda for 2023. They all stem from technological developments and what is happening on the political and security scene right now. We have chosen to summarise and briefly describe them in this section.

Third-country transfers
In general, third-country transfers are a topic that is very much driven by technological developments, and since the Privacy Shield decision in Schrems II, it is an area that - as far as transfers to the US in particular are concerned - is associated with a non-negligible amount of compliance work.

One of the things that are important to consider is the so-called Transfer Impact Assessments (TIA). As a data controller, have you prepared a TIA? What considerations and analyses have been carried out? What is the conclusion? And why?



Audit and supervision of processors
Another point that has been on the Danish Data Protection Agency's agenda for the last couple of years, but which you should still make a note of in relation to GDPR and compliance in 2023, is the control and supervision of data processors. In other words, the work of ensuring that the data processors you use actually fulfil their obligations under your data processing agreement.

It is your duty as a data controller to continuously ensure that your data processors observe the necessary security measures and that they comply with both your data processing agreement and the GDPR in general.



Cookies
Cookies and their use continue to become more and more relevant in compliance contexts. In the last couple of years, both the EDPB and the CJEU have focused on cookies and valid consents in connection with the storage of cookies, including, for example, a ban on "cookie walls" for collecting consents.

Cookies are generally an area where technological development is moving enormously fast, with winds blowing in different directions - e.g. the phasing out of third-party cookies, possibilities for server-side tracking, the question of when personal data is being processed, etc. It should therefore also be an area that you focus on in 2023, as it is explicitly stated as one of the Danish Data Protection Agency's focus areas for the coming year.



Security and security breaches
If there is one topic that has probably become more relevant than ever before when we talk about compliance and privacy, it is cyber security. The general threat level has perhaps never been higher than now, and regulatory development in the area is very much underway. This places demands on organisations and the way you secure your personal data.

So, have you implemented adequate security measures? Have you prepared risk assessments/DPIAs? Have you tested your procedures in case of data leaks and breaches? How do you handle attacks and attempts to compromise your IT infrastructure? Have you ensured awareness in your organisation?

In general, cyber and data security should be very high on your list of priorities for 2023, especially if you work in a 'vulnerable' sector and/or process particularly sensitive personal data. The prospects for a more stable political climate are not just around the corner, so it's good practice to get your security belt and braces on before the damage is done.

What next?

The question is how you and your organisation should respond to the above.

The boring and somewhat vague answer is that it depends on who you are. All compliance work is difficult to put into a formula; it depends very much on your organisation's maturity, risk profile, and structure, and there are also differences depending on whether you are a public authority or a private company. Of course, you do not need to initiate a full NIS2 or DSA implementation if you are not covered.

However, it is always a requirement that you have your internal organisation in order, which means that 2023 and the many new obligations and legal developments are an obvious opportunity to either revisit and update your existing GDPR documentation or prepare completely new documentation.

In this connection, it is our experience that most Danish organisations have a solid written basis in areas such as privacy policies, Article 30 inventories, internal procedure descriptions, and the like, but these are often not updated regularly.

Similarly, areas such as auditing of data processors, preparation of risk assessments, "annual wheel" for ongoing compliance initiatives and allocation, etc. have been down-prioritised or otherwise put on hold.

At the risk of repeating ourselves, 2023 should be the year when you embark on the next phase of your compliance work and focus on operational implementation.

Compliance is not a project that can be parked, but a continuous journey that requires maintenance and where there is always room for improvement.