Insights into the Future of Data Protection Enforcement: Regulatory Strategies of European Data Protection Authorities for 2021-2022

The Future of Privacy Forum released a report that brings “Insights into the future of data protection enforcement: Regulatory strategies of European Data Protection Authorities for 2021-2022”.

The European Data Protection Authorities (DPAs) are arguably the most powerful data protection and privacy regulators in the world, having been granted by the European Union’s General Data Protection Regulation (GDPR) broad powers and competences, in addition to independence. With GDPR enforcement visibly ramping up in the past year, it is important to get insight into the key enforcement areas targeted by regulators, as well as understanding what are those complex or sensitive personal processing activities where DPAs plan to provide compliance guidelines or to shape public policy.

Last year, FPF released a report called New Decade, New Priorities: A summary of twelve European Data Protection Authorities’ strategic and operational plans for 2020 and beyond. It outlined EU DPAs’ regulatory priorities for 2020 and the ensuing years, based on the documents of a strategic nature released by such authorities in the first half of last year. Since then, most DPAs have published their 2020 annual reports, as well as novel short or long-term strategies. These shed light on the areas to which DPAs are likely to devote significant regulatory efforts and resources, with a broad scope: guidance, awareness-raising, corrective measures, and enforcement actions.

We have compiled and analyzed these novel strategic documents, describing where different DPA strategies have touchpoints and noteworthy particularities. The report contains links to and translated summaries of 15 DPAs’ strategic documents from DPAs in France (FR), Portugal (PT), Belgium (BE), Norway (NO), Sweden (SE), Ireland (IE), Bulgaria (BG), Denmark (DK), Finland (FI), Latvia (LV), Lithuania (LT), Luxembourg (LU) and Germany (Bavaria). The analysis also includes documents published by the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS). These documents complement or replace the ones that were included in our 2020 report.

Some of our main conclusions include: 

• DPAs tend to rely on a risk-based approach when using their investigative and corrective powers, promising to focus on areas that have the potentially most negative impacts on data subjects.

• DPAs seem to be on a trend to modernize their regulatory approach, several of them proposing sandboxes (e.g., the CNIL and the Norwegian DPA), and pushing for more self-regulation, like the adoption of Codes of Conduct.

• DPAs also plan on dedicating efforts to make GDPR compliance work in practice on a large scale by targeting the empowerment of DPOs and by adopting tailored guidance for SMEs;

• Regulators seem to be responding to recent CJEU case law on online tracking and international data transfers by planning to ramp up their enforcement action in these areas. 

• DPAs seem committed to tackling the privacy and data protection risks posed by the uptake of AI/ML technologies across society, in a sign that the AI Regulation proposed by the European Commission will merely complement protections that are already in place for individual rights. The Bulgarian DPA will focus on ensuring facial recognition and profiling techniques comply with legal standards, while the EDPS promises to develop oversight, audit and assessment capabilities for such technologies.

• The protection of personal data of children is identified as a near term priority by a majority of DPAs, with plans for both guidance and enforcement actions being announced (9 of the 15 regulators included children data as a priority). 

• The EDPB will continue to work for a consistent application of privacy and data protection instruments across the EU, by issue guidance on key concepts (e.g., data subjects’ rights, legitimate interests, scientific research, children’s data) and on data protection compliance aspects of new technologies (e.g. blockchain, PETs, AI/ML, Digital Identity, IoT and payment methods)

• DPAs across the bloc also seem to be aligned with the European Commission’s and the French Government’s plan to achieve a European “digital sovereignty” in the new decade. As such, enhanced enforcement of data protection rules against large foreign tech players may be expected.