Even after these four years, EU legislative and regulatory authorities have not been idle:
a) The European Data Protection Board (EDPB) has issued a guideline for “calculation of fines.” It is of course relevant to those who are at risk of being given administrative fines, even if the content of the new guideline is largely in line with practice for calculation of fines which was in place prior to the guideline being issued.
b) The EDPB has also presented guidelines for police authorities' use of face recognition technology for consultation in mid-May. It is characteristic of the present time that the use of AI and detection technology is now regulated.
This is a good thing from a privacy perspective. Several police authorities in Europe use or intend to use face recognition technology. The technology can of course be used for many different purposes, such as identifying people on watch lists or monitoring a person's movements in public space. It is good to take a critical look at such use, which can be very intrusive.
c) In mid-May, the European Commission also published its "Q&A" for the 2021 Standard Contractual Clauses (the SCCs). In total, it consists of as many as 44 questions and useful answers. Perhaps the most relevant question is whether the SCCs can be used to regulate the transfer of data to controllers or processors where the importer of personal data is already subject to the GDPR. EDPB's answer is simply "no". This has quite far-reaching consequences because the GDPR to a large extent actually has effect outside the EU/EEA.
One consequence is that the Commission is now drafting standardised contract formulations that can be used for such transfers. In the meantime, it will be exciting to see how national data protection authorities handle this.
d) In the second half of May, the Council of the European Union and the European Parliament agreed on measures to ensure a high level of data security for all Member States. The measures will be codified in a new directive often called "NIS2". It will replace the current “NIS” Directive (Network and Information Systems).
The new directive will set a number of new and/or strengthened requirements for particularly important companies, such as banks, energy companies, telecoms and transport, to invest heavily in computer security systems to prevent hacking and computer crime. Public enterprises will also be required to make similar investments and take similar measures.