2016 left us with a "brand new" EU General Data Protection Regulation (GDPR). But as soon as 2016 came to an end, we - lawyers - started looking at what is coming next in the data protection world. Here are my personal predictions on the privacy legal issues for 2017.
Companies need to get ready for the GDPR, but should watch the upcoming positions of data protection authorities
It is true that the GDPR was approved in 2016 and will come into full effect from 2018. However, the road in the middle is the one that matters the most! 2017 is definitely the year of the GDPR.
In fact, partly because of the high sanctions for non-compliance, the great majority of companies are starting to organize their agendas in order to (i) map the personal data currently processed and (ii) assess "what to do next" to be compliant with the new provisions.
The Article 29 Working Party, an EU body composed of representatives of the national data protection authorities (DPAs), has already started issuing guidelines on the measures to be adopted in order to comply with the GDPR. In particular, on December 13 the Article 29 Working Party issued three guidelines: one on the role of the Data Protection Officer, one on the right to data portability and one on the identification of the lead supervisory authority (see here for more information).
We might therefore expect the Article 29 Working Party to follow the same approach in 2017, continuing to issue guidance and clarification on the trickiest topics of the Regulation. Such an approach would help companies that are facing the challenge of implementing the GDPR.
Privacy by design and privacy by default are still ambiguous, but this creates an opportunity
The implementation of the GDPR also entails the application of the principles of privacy by design and privacy by default, which made their first official appearance in the Regulation.
However, the practical consequences of these principles are not yet clear. As mentioned above, 2017 is the year of clarifications from the Article 29 Working Party, so it is likely that the topic will be dealt with soon. This is also because some national authorities have already started citing the principles in their official documentation, while leaving some doubt as to their concrete application.
It is likely that DPAs will take an official position on the matter during the course of 2017. However, the current "limbo" creates an opportunity to have innovative solutions that ensure compliance with the above principles validated by DPAs, without major disruptions. Once the official guidelines are issued, this opportunity will be considerably reduced.
Online privacy reform will come into place
In order to contribute to the review of the ePrivacy Directive, during 2016, the European Commission's Directorate-General for Communication Networks, Content and Technology commissioned a survey to assess the general opinions of EU citizens with regard to online privacy.
The results, which were published at the end of last year, are clear: more than nine out of ten respondents declared that it is important that the personal information recorded on their computer, smartphone or tablet can only be accessed with permission, and that the confidentiality of e-mails and online instant messaging be guaranteed. In addition, in a large majority of European countries, respondents agree that there should be a range of measures available to protect their privacy and that it is unacceptable for companies to monitor online activities.
This position seems to be in line with the principles that inspired the GDPR. So it comes as no surprise that data subjects are becoming more aware of their privacy every day.
The consequence for 2017 is that legislators will have to listen to the needs of data subjects, bearing in mind, however, that a number of companies run their business on data and that the processing of such data can, in certain cases, be positive (and not detrimental) for users.
Given these findings, it does not come as a surprise that - as our colleagues underlined here - the 2002 ePrivacy Directive might soon be replaced by a new Regulation. A version of the draft document has now been published, and it seems to introduce a number of stringent obligations for companies and organizations that use metadata, tracking software or other tools to monitor online behavior.
Even though the road ahead still seems to be long, if (or when!) approved, the regulation might be another great change in the privacy world.
We are looking forward to an interesting 2017!