This is the fifth summer after the GDPR entered into effect. Privacy is far from perfect, but overall, privacy has become better than it was. However, I also agree that some of the documentation requirements in the EDPB's guides are (unnecessarily) extensive and difficult to relate to. I have often thought that people's personal data is used in ever new areas and that one of the most important things is that we get information about how it is used. So, it is not such a big deal if not everyone cares; it is perfectly OK that just some do.
What has been most important in the first half of the year? I think we have seen four important topics.
The very largest fine has now been given to Meta for breaching the rules on transfers to third countries/the USA – an estimated NOK 14 billion. The fine will be disputed, of course, but going forward, companies risk being affected by the fact that this is intended to be a "signal fine", which is a warning to others. I don't think that the "barber on the corner" will be affected, but for many large companies this is important. And if you do not get a fine, but are told to stop the transfers you have? In practice, it is as bad as a fine for most.
Another very important case is the now so-called SRB case regarding pseudonymised personal data. Could it be that life has been breathed into the Breyer judgment from 2016 and that data that the holder cannot re-identify can be considered anonymous and "escape" GDPR? The consequences can be large. The deadline for filing an appeal against the SRB judgment expires after this newsletter has been written. Many have said that this view of pseudonymised data is a more pragmatic interpretation of the GDPR. I think it is unlikely that there will be less work if it becomes the new standard – because then one must document and assess what possibilities for re-identification the recipient of pseudonymised personal data has. But obviously – it is tempting to consider pseudonymised data as anonymised. Together with good colleagues, I had an article about this in Digi, which may be worth reading (in Norwegian). Read it here: https://www.digi.no/artikler/debatt-slipper-pseudonymiserte-personopplysninger-unna-gdpr/532313
For readers in Norway, it is also worth noting that the Privacy Appeal Board (Nw.: Personvernnemnda) has become less important. This is shown through the case about SATS, where the possibility of appeal to the Privacy Appeal Board was replaced by having to lodge a complaint with the courts – because the case had relevance to several countries and then the national Privacy Appeal Board cannot be used. There are many Norwegian and Scandinavian companies that have similar activities abroad, as SATS has. And it is more expensive to lodge complaints with the court system than with the Privacy Appeal Board. However, this has become a reality and we see it in several cases from the Norwegian Data Protection Authority.
The trend from the data protection authorities and court practice is that the right of access is interpreted quite literally in relation to the underlying principles of privacy and transparency. This entails good privacy protection – but it may come as a surprise to some data controllers. Imagine that you have to disclose all the data processors you use and where the personal data is located. A challenge – yes, for the vast majority.
Below you will find my comments on some of the other most exciting cases in the last month. I'm sure that a lot will happen in the autumn as well.
I wish you a really good summer!