Evolving Enforcement Priorities in Times of Debate – Overview of Regulatory Strategies of European Data Protection Authorities for 2023 and Beyond

Today, the Future of Privacy Forum released a report that explores “Evolving enforcement priorities in times of debate – Overview of regulatory strategies of European Data Protection Authorities for 2023 and beyond.” It is the third in a series that explores European DPAs’ evolving regulatory priorities, following the 2021 Report “Insights into the Future of Data Protection Enforcement: Regulatory Strategies of European Data Protection Authorities for 2021-2022,” and the 2020 Report “New Decade, New Priorities: A summary of twelve European Data Protection Authorities’ strategic and operational plans for 2020 and beyond.”

At a time where the effectiveness of the EU General Data Protection Regulation (GDPR) enforcement model is being challenged by the European Parliament, Data Protection Authorities (DPAs), civil society, and policymakers, the European Data Protection Board (EDPB) has launched several initiatives to reform the way DPAs are working together. This includes aligning DPAs’ national enforcement strategies, selecting cases of strategic importance for regulators to pursue in a coordinated fashion, and launching yearly coordinated enforcement initiatives dedicated to specific topics. The European Commission also seems to agree that the cooperation between DPAs should be improved, as its Work Program for 2023 plans “to harmonize some national procedural aspects.”

On the other hand, the majority of national DPAs have recently reported a shortage of adequate human and financial resources, which impacts the performance of their supervisory duties. Nonetheless, they seem increasingly willing to closely cooperate with other DPAs – both bilaterally and multilaterally – and also regulators from other fields. They also seem ready to ramp up investigatory and sanctioning efforts, both on their own initiative and following individuals’ complaints. In this regard, it is noteworthy that the highest nine administrative fines since the GDPR became applicable in May 2018 were issued between July 2021 and December 2022.

Since the 2021 edition of the Report, most DPAs have published their 2021 and 2022 annual reports, as well as novel short or long-term strategies. These documents shed light on the areas that DPAs are likely to devote significant regulatory efforts and resources for guidance creation, awareness-raising, and enforcement actions.

For this year’s Report, FPF compiled and analyzed these novel strategic documents, describing where different DPAs’ priorities have common trends or notable deviations. The report also contains links to and translated summaries of strategic documents from nine DPAs in Belgium (BE), the Czech Republic (CZ), Denmark (DK), Estonia (ET), France (FR), Ireland (IE), Spain (ES), Sweden (SE), and the United Kingdom (UK). The analysis also includes documents published by the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS). These documents should be read together with other complementary multi-year strategies that FPF included in its 2020 and 2021 reports.

Some of the main conclusions include:

• The EDPB is expected to publish its harmonized views on topics that were included in its 2021-2022 Work Programme but that did not result in concrete guidance at the time of writing. Such themes include the “legitimate interests” lawful ground, scientific research, children’s personal data, and several emerging technologies, such as blockchain, novel techniques for anonymization and pseudonymization, cloud computing, AI/machine learning, digital identity, Internet of Things (IoT), and payment methods.
• DPAs intend to clarify several data processing activities and aspects of the data protection framework through guidelines and public facing activities, including the completion of DPIAs, dissemination of information about data subjects’ rights, and upskilling of DPOs and other privacy professionals.
• DPAs will also seek to promote the approval and adoption of Codes of Conduct (CoCs) and certification mechanisms as ways to enable organizations to easily demonstrate compliance with the EU’s privacy acquis.
• DPAs like the French CNIL will seek to improve their collaboration with other sectoral regulators (such as competition authorities), something that DPAs will be expected to do in the context of emerging regulations, such as the EU’s Digital Markets Act (DMA).
• Topics and sectors included in several DPAs’ agendas, from both guidance and enforcement angles, include international data transfers, the appointment and position of the Data Protection Officer (DPO), the processing of minors’ personal data (including in online schooling environments), the use of personal data-driven AI systems, advertising technology, and direct marketing activities.