International Data Protection
May 25, 2023 will be the fifth anniversary of the effective date of the European Union’s General Data Protection Regulation (GDPR), a law that led the way (and has frequently set the standard) for scores of data protection laws that have since been implemented around the world. For the past five years, many global companies have been operating in a perpetually reactive privacy compliance posture, with new laws coming online faster than full compliance programs can be built and operationalized. As a result, privacy governance efforts often target specific obligations without developing a holistic approach for meeting all (or even most) requirements of the law. As the data protection legal landscape continues to evolve, global companies need to assess and improve the maturity of their privacy compliance programs as part of ongoing risk management efforts.
Greater Coordination Among European Regulators. Although historically, data protection authorities (DPAs) have largely focused on policing serious infringements brought to their attention through individual complaints, personal data breach notices, or media exposés, we are starting to see a shift in regulatory agendas toward the proactive use of investigative and corrective powers. Throughout 2022, the effectiveness of the European Member State DPAs and their ability to enforce the GDPR were debated in the European Parliament and in the media. Newer laws, such as the European Union’s Digital Services Act and Digital Markets Act, rely more heavily on a centralized regulatory body, and many have proposed that the GDPR might benefit from similar reforms. In response, Member State DPAs are moving toward a more coherent and coordinated GDPR enforcement strategy, including cooperation among the regulators and simplification of their enforcement action processes. As part of this effort, the European Data Protection Board established criteria for determining investigation and enforcement priorities, such as the recurring nature of an alleged violation, whether it intersects with other legal obligations (for example, consumer protection), and the level of risk to individuals.
Enforcement Priorities. Many regulators annually publish their enforcement strategies for the upcoming year or annual reports highlighting their enforcement activities. In Europe, DPAs are clearly prioritizing inspections and sanctions. As a general matter, DPAs expect to see more workforce awareness and internal training to address privacy and data security compliance in an anticipatory manner. The European Data Protection Board has indicated that it will be focusing an upcoming coordinated action on the designation and position of data protection officers – whether they have been properly appointed and are being appropriately deployed within companies.