Happy Data Privacy Day 2022! On this day in 1981, the first modern privacy treaty was concluded between the countries of the Council of Europe. As a result, 28 January has become a day on which attention is drawn to privacy in Europe, but also worldwide. Always a good reason for us to look ahead: below five privacy predictions for 2022!
New rules for cookies
At the beginning of the last decade, we were promised that by 2016 new rules would be introduced regarding cookies. Finally, the same rules would apply throughout the EU. With that, we would also finally be freed, at least that’s the hope, from the endless stream of cookie consent pop-ups on websites. But 2016 came and they couldn’t agree on the rules. 2017, ’18, ’19, ’20 and ’21 came and went and we did not dare to predict when this file would be completed.
See you this year! This year we dare it: the ePrivacy Regulation will be adopted in 2022 and will come into force shortly after. So the rules are going to change. Presumably, a more specific description is given of how permission must be requested for cookies and related techniques to track people over the internet (for example, that the buttons for ‘consent’ and ‘no permission’ must be presented exactly the same). Enforcement will probably change, as will the amount of fines for violations. The question is whether this will come in time, or as mustard after a meal, for a number of years now it has been heard that cookies for advertising purposes will be abolished.
More protection against digital technology
Shortly after taking office at the end of 2019, the European Commission announced its six priorities for the period 2019 – 2024. One of those six priorities is called A Europe Fit for a Digital Age and oversees how we in the European Union use digital technologies. to develop and regulate. In the latter area, we are now seeing the first results: regulations and directives (ie: European legislation) in areas such as Artificial Intelligence (AI), robots, digital markets and services. In fact, in all areas where we use digital technologies.
The prediction in this area for 2022 is that we will have a discussion about the interaction between privacy and other fundamental rights that will be protected by these new regulations. For example, all rules, including privacy, require organizations to be transparent – but can we handle so much transparency, or do we have to digest an abundance of information and do we no longer see the forest for the transparent trees? And if we start deploying robots that are much more independent than the current generation, who also ‘see’ things with their cameras and store them en masse… then we have robot legislation for that that guarantees our physical safety, but what about our privacy? Because many new EU rules will take their final form in 2022, we will increasingly be confronted with these kinds of issues.
Privacy: it’s the government’s turn
Privacy is not something that only applies to advertisements, or where new technologies are used. It also plays an important role in the relationship between citizen and government. We’ve seen quite a few slips by the government when it comes to privacy in recent years. Think of blacklists and the SyRI system. So there are plenty of opportunities for the government to show in future files that privacy does count.
Take road pricing, for example. The new cabinet wants to introduce this by 2030, which means that you have to start designing that system now. A typical example of something that can be done very privacy-friendly, but also very privacy-unfriendly. Think about it: you can opt for a system in which you as a government only get to know the kilometers driven in a certain period (privacy-friendly) or you can design a system in which you as a government get the exact details about which vehicle has driven where and when. (privacy unfriendly).
Another example is our digital identity. Legislation and tools are on the way that will allow us to better identify a person’s real identity in an online environment. Then comes the tendency that we have to identify ourselves everywhere online, while many things can really be done anonymously or without a verified identity. It is therefore also an important task for the government to ensure that it not only ensures that this border is guarded in its interaction with citizens, but also that this means is not used inappropriately by others, which we can also do without can.
Privacy regulation as a European export product
It has been a trend for some time, but it may well reach its peak in 2022: more and more countries outside the EU are adopting privacy laws and regulations that are very similar to our GDPR. We see this in the Middle East, in Asia in countries such as South Korea and India and, for example, also in Australia, which wants to modernize its current law and bring it into line with the GDPR. We expect regulatory privacy news from all those countries in 2022. This is a favorable development for a number of reasons. In most cases, people in those countries can speak of progress in protecting their privacy. In addition, the fact that others are taking over is a signal of recognition of what we are doing here in the EU. Finally, it will become easier to exchange personal data with those countries, because we agree on how we handle this data.
What won’t change in 2022: No overarching GDPR-style privacy legislation will be passed in the United States this year. People are talking about it more than ever, but the time is not yet ripe for it. At least that’s our prediction. We also expect less privacy-friendly news from the United Kingdom. Before Brexit, the GDPR also applied in the UK, but the country is now threatening to let go of that standard, under the guise of stimulating innovation.
Enforcement by the public
How to enforce privacy laws and regulations is a topic that is increasingly on the mind. The Dutch Data Protection Authority, the government organization charged with this enforcement, has been struggling with a shortage of people and resources for years. This leads to dissatisfaction and an apparent arbitrariness in enforcement. If an authority has to choose where to enforce and where not, there will always be complaints about it. Against this background, we increasingly see organizations and individuals attempting to defend their privacy rights themselves. For example, by bringing alleged violations of the GDPR directly to the court. In recent years we have already seen that a mass claim was filed against Salesforce and Oracle (rejected by the judge in December 2021) and also against the GGD (still pending).
Prediction one in the field of enforcement: in 2022 at least 3 more such cases will be started. Prediction two in the field of enforcement: of all claims that are pending or initiated, at least one will succeed. But that will take a while and so we will know more at the end of this year. Or will it just be 2023? Time will tell!