The EU was particularly active in furthering its digital strategy in 2021, and will likely continue this high level of activity into 2022.  Below, we briefly summarize last year’s key legislative and regulatory updates from the EU across the following areas:

  1. data transfers;
  2. cookies (and alike) and unsolicited marketing communications;
  3. cybersecurity;
  4. open data;
  5. intermediary services; and
  6. artificial intelligence.

Finally, in point seven (below), we list a number of guidance documents issued by the European Data Protection Board (“EDPB”) in related areas.

1. Data Transfers

The GDPR’s rules on data transfers were one of the main areas of policy and regulatory focus in 2021. We expect more developments in this area in 2022.  Below, we outline what we consider to be last year’s five main developments in this area.

First, the European Commission issued two (adequacy) decisions: one for the UK and another for South Korea.  The Commission granted the UK adequacy decision on June 28, 2021, three days before the expiry of the EU-UK trade agreement’s 6-month period during which personal data could freely flow between the EU and UK.  The UK adequacy decision covers transfers governed by (1) the GDPR and (2) the Law Enforcement Directive (as explained in more detail in our blog post here).  On December 17, 2021, the European Commission issued an adequacy decision for South Korea, which had earlier that year obtained a favorable opinion of the EDPB (see our blog post here).  EU controllers and processors may freely transfer personal data to the UK and South Korea (without having to implement any of the transfer mechanisms of Chapter V of the GDPR).

Second, on June 4, 2021, the European Commission published the final version of its new standard contractual clauses (“SCCs”) for the international transfer of personal data, as well as standard Article 28 GDPR clauses for contracts between controllers and processors.  The international transfer standard clauses entered into force on June 27, 2021.  However, organizations could continue using the old SCCs in new agreements until September 27, 2021, and have until December 27, 2022 to introduce the new SCCs into existing agreements that relied on the old SCCs.  (Find more information about the SCCs in our blog post here.)

Following the release of the new SCCs, a number of regulators announced that they would start enforcing the implementation of the new clauses.  Notably, on June 1, 2021, the German supervisory authorities announced the launch of a “nationwide investigation” into German companies transferring personal data outside of the European Economic Area (see our blog post here).

Third, on June 18, 2021, the EDPB released a final version of its recommendations on measures that supplement transfer tools to ensure compliance with the GDPR, where organizations transfer personal data from the EEA to a country outside the EEA.  The recommendations set out the following six-step process on how to handle transfers: (1) know your transfers; (2) identify the transfer tools you are relying on; (3) assess whether the GDPR Article 46 transfer tool you are relying on is effective in light of all circumstances of the transfer; (4) adopt supplementary measures; (5) take procedural steps if you have identified effective supplementary measures; and (6) re-evaluate all transfers at appropriate intervals (see a summary of the guidelines in our blog post here).

Fourth, on July 14, 2021, the EDPB issued draft guidelines on codes of conduct as tools for transfers.  These guidelines complement the EDPB’s earlier guidelines on codes of conduct and monitoring bodies.  They focus on the requirements for a code of conduct to be approved as a legal mechanism for transferring personal data outside the EEA to third countries that do not provide an adequate level of data protection (see a summary of the guidelines in our blog post here).

Fifth, on November 19, 2021, the EDPB published draft guidelines on the interplay between the application of the GDPR’s territorial scope and its provisions on international transfers.  The guidelines clarify the meaning of the term “transfers” under the GDPR (see a summary of the guidelines in our blog post here).

2. Cookies (and alike) and Unsolicited Marketing Communications

The EU ePrivacy Directive currently regulates cookies and similar technologies, as well as unsolicited marketing.  The EU seeks to replace the ePrivacy Directive with an ePrivacy Regulation, which aims to achieve a greater level of harmonization.  The European Commission approved a first draft of the ePrivacy Regulation in January 2017.  The draft regulation has since been under discussion in the Council of the EU.

In 2021, we saw some progress in the Council’s discussions concerning adoption of a final version of the ePrivacy Regulation.  However, these discussions were not as fruitful as one may have hoped and, thus, the ePrivacy Regulation continues to be in draft form.

The Council released a new version of the draft ePrivacy Regulation on January 5, 2021.  This draft version substantially amended the previously rejected drafts (find a summary of the main changes in our blog post here and more information in our podcast here).  But on March 9, 2021, the EDPB issued a statement on the draft ePrivacy Regulation pointing out several deficiencies.

After several months of standstill, on November 4, 2021, the Council and the European Parliament agreed to a number of amendments to the draft ePrivacy Regulation, in particular to the sections concerning: (1) direct marketing; and (2) remedies, liability and penalties (see our blog post here).  Germany appears to have given up waiting for the draft ePrivacy Regulation to be enacted and has in the meantime implemented new rules on cookies and direct marketing (see our blog post here and here; the German law went into force on December 1, 2021).

3. Cybersecurity

Amid a flurry of activity in the cybersecurity space last year, we highlight below the three most notable regulatory developments relating to the EU’s rules in this area.

First, throughout 2021, the Council of the EU and the European Parliament negotiated the adoption of new EU cybersecurity rules, the proposals for which were published on December 16, 2020 (see our blog post here).  The EU plans to adopt a revised Directive on measures for a high common level of cybersecurity across the Union (“NIS2”) and a Directive on the resilience of critical entities (“Critical Entities Resilience Directive”).  The Directives aim to (1) reflect the technological developments of the past years and (2) provide a better response to new and emerging cybersecurity threats.  On December 3, 2021, the Council agreed on a draft version of the NIS2 Directive (see the latest available version here).  Notably, this latest draft reduced the maximum fines that Member States must permit competent authorities to impose, from EUR 10 million or 2% of the worldwide annual turnover of the undertaking involved (whichever is higher) to EUR 4 million or 2% of the worldwide annual turnover of the undertaking involved (whichever is higher).  The Council and the Parliament are now in negotiations to reach a compromise text, which is planned for 2022.

Second, on January 19, 2021, the EDPB issued for public consultation draft guidelines on examples regarding data breach notification.  The guidelines aim to assist data controllers in responding to and assessing the risk of personal data breaches, providing “practice-oriented, case-based guidance” which draws from the experiences of European supervisory authorities since the GDPR went into effect (see our blog post here).  The EDPB released a final version of these guidelines on January 3, 2022, which includes limited changes to the draft version.

Third, the EDPB issued two statements on the new draft provisions of the second additional protocol to the Council of Europe Convention on Cybercrime (also known as the Budapest Convention): one on February 2, 2021 (see here) and another on May 4, 2021 (see here).  The second additional protocol aims to strengthen the convention’s capability to combat cybercrime.  Among other provisions, it “provides a legal basis for disclosure of domain name registration information and for direct co-operation with service providers for subscriber information, effective means to obtain subscriber information and traffic data, immediate co-operation in emergencies, mutual assistance tools, as well as personal data protection safeguards” (find more information here).

4. Open Data

Below, we outline the two main open data regulatory initiatives in the EU last year.

First, throughout 2021, the Council and the European Parliament further negotiated the adoption of the draft Data Governance Act, which had been published by the European Commission on November 25, 2020 (see our blog post here).  The proposed act aims to facilitate data sharing across the EU and between sectors.  In particular, it sets out rules relating to the following: (1) conditions for reuse of public sector data that is subject to existing protections, such as commercial confidentiality, intellectual property, or data protection; (2) obligations on “providers of data sharing services,” defined as entities that provide various types of data intermediary services; (3) the newly introduced concept of “data altruism” and the possibility for organizations to register as a “Data Altruism Organisation recognised in the Union”; and (4) establishment of a “European Data Innovation Board,” a new formal expert group chaired by the Commission.  On March 11, 2021, the EDPB and the European Data Protection Supervisor issued a joint opinion on the draft Data Governance Act pointing out several deficiencies.  After further amendments to the draft, on November 30, 2021, the Council and the European Parliament reached a provisional agreement on the Data Governance Act.  The provisional agreement is subject to the Council’s and the European Parliament’s formal approval, which is expected in spring 2022.

Second, to complement the Data Governance Act (see above), the European Commission is currently preparing a proposal for a so-called Data Act, which was initially expected towards the end of 2021.  With the Data Act, the Commission intends to create a data economy that fosters data flows between countries and sectors.  Several aspects of the planned proposal could potentially have an impact on the research sector, such as: (1) making private-sector data available for use by the public sector; (2) investigating the potential benefits of B2B data sharing for the research sector; (3) revising intellectual property rights in the Database Directive; (4) providing safeguards for non-personal data in an international context; and (5) establishing more competitive markets for cloud computing services.

The Commission conducted a public consultation on its Inception Impact Assessment of the Data Act, the results of which were released on December 6, 2021.  The impact assessment was rejected by a committee within the Commission at the end of 2021, and the Commission is still working on a new draft.

5. Intermediary Services

Throughout 2021, the Council of the EU and the European Parliament further negotiated the adoption of the draft Digital Services Act and the draft Digital Markets Act.

The draft acts lay down rules for intermediary service providers (e.g., Internet access providers, cloud providers, search engines, social networks, and online marketplaces) covering areas such as: (1) liability of mere conduit, caching and hosting services; (2) content moderation; (3) transparency of services and electronic communications; (4) transparency of online advertising; (5) openness and interoperability of the services to businesses and consumers; and (6) fair competition between service providers (see our blog post here).

On November 25, 2021, the Council reached an agreement on the draft acts.  Also in November 2021, the EDPB issued a statement on the draft acts citing a number of deficiencies.  On January 20, 2022, the European Parliament agreed on several amendments to the draft version of the Digital Services Act (see our blog post here).  As a next step, the Parliament will discuss these amendments with the Council, with the goal of reaching a compromise text that both can adopt.

6. Artificial Intelligence

We have addressed last year’s developments with respect to artificial intelligence in a separate post: see here.

7. Guidance in Other Areas

Health Research

On February 2, 2021, the European Data Protection Board issued a response to the request from the European Commission for clarifications on the consistent application of the GDPR to health research (see our blog post here).  The Commission’s questions covered the following seven topics: (1) legal basis for processing of health-related data for scientific research purposes; (2) further processing of previously collected health data; (3) the notion of broad consent; (4) transparency of data processing; (5) anonymization; (6) processing of special categories of data on a large scale; and (7) international cooperation.

On February 26, 2021, the European Commission released a report on the EU Member States’ laws governing the processing of health data.  The report discusses three general types of health data uses: (1) primary use for health care services; (2) secondary use for public health purposes; and (3) secondary use for scientific research purposes (see our blog post here).

Virtual Voice Assistants

On July 7, 2021, the EDPB adopted its final guidelines on virtual voice assistants, which discuss how the GDPR and the ePrivacy Directive apply to these devices (including the software they integrate).

Automated Vehicles

On March 9, 2021, the EDPB adopted its final guidelines on processing personal data in the context of connected vehicles and mobility related applications.  The guidelines discuss how the GDPR and the ePrivacy Directive apply to automated vehicles (including the software they integrate).

Targeting of Social Media Users

On April 13, 2021, the EDPB adopted guidelines on the targeting of social media users.  The guidelines aim to clarify the roles and responsibilities of social media providers and “targeters” with regard to the processing of personal data for the purposes of targeting social media users (see a summary of the guidelines in our blog post here).

Storing Credit Card Data

On May 19, 2021, the EDPB adopted recommendations on the legal basis for storing credit card data for the sole purpose of facilitating further online transactions.  The recommendations discuss how the GDPR and the ePrivacy Directive apply to the storage of this information.

*          *          *

We will continue to closely monitor the regulatory and policy developments in the EU – please watch this space for further updates.