Dealing with the Schrems II fallout and higher-than-ever fines meant that 2021 brought a lot of change to the data protection landscape. Here are our top picks for the most significant changes from last year.
1. Highest GDPR fines yet
It has been a record year in terms of fines being dished out by EU supervisory authorities, amounting to a total of about 1.1 billion euros. Prominent examples were the 746 million euro fine against Amazon (issued by the Luxembourg authority) and the 225 million euro fine against WhatsApp (issued by the Irish authority). You can read more about enforcement trends in our previous blog post.
2. EDPB guidance for Schrems II
The 2020 Schrems II judgement by the CJEU invalidated the Privacy Shield framework for data transfers outside the EEA and imposed further conditions on when personal data may be transferred to third countries. In June 2021, the EDPB released the final version of its guidelines on how data transfers abroad need to be assessed. In brief, the legal landscape and data protection practices of the destination country need to be carefully examined, and supplementary measures introduced where necessary, to raise the level of protection for the transferred personal data to a level equivalent to the one offered under EU legislation. Read our posts on the 6 steps to transfer personal data to third countries and European Essential Guarantees for surveillance measures for a summary.
3. Transfer tools in the EU and the UK
On a related note, 2021 also brought us new EU standard contractual clauses that may be used for transfers of personal data. The SCCs now consist of two sets: a transfer tool for transfers outside the EEA, and terms that may be used as a standard data processing agreement. If you have the old SCCs in place, you have until 27 December 2022 to replace them (but you should also conduct an assessment of the transfer details to ensure that the transfer guidelines following Schrems II are fulfilled – see point 2).
As the EU was working on its transfer tools, the UK’s ICO published its template agreements for data transfers outside the UK for public consultation. In early 2022, the final versions of the Draft International Data Transfer Agreement were published; they will enter into force on 21 March 2022 unless the UK parliament raises objections.
4. Adequacy decision for the UK and South Korea
Following Brexit, the UK declared an adequacy decision from its side for data transfers to the EU. Fast forward to July 2021, when the EU Commission brought an end to a lot of uncertainty by issuing an adequacy decision for data transfers from the EU to the UK. The EU’s adequacy decision also includes a ‘sunset clause’, meaning that it will automatically expire after four years. Renewal will only happen if the UK continues to ensure an adequate level of data protection.
At the end of the year, the EU and South Korea also concluded mutual adequacy decisions.
5. New data protection legislation in China
In August 2021, China passed new data protection legislation called the Personal Information Protection Law (PIPL), which entered into effect in November 2021. The law shares many features with the GDPR, including extraterritorial reach, restrictions on third country transfers, data subject rights and compliance obligations.
That’s 2021 in a nutshell from an industry point of view. If you want to know about DPOrganizer’s own highlights from last year, you can read all about them in our year in review post.