Covid-19 shook the world as never before and affected the global economy. As social distancing became the new normal, the importance of connectivity, remote working and online transactions became more important. With 2022 around the corner and the economy recovering progressively, we wish to pick up the following developments among those to watch after during the next months.
Clarity at last for data transfers to third countries
In 2022, data controllers and data processors will have gained some more clarity and legal certainty on the transfers of personal data from the European Union to third countries outside the European economic Area. Indeed, following the invalidation of the EU-US Privacy Shield by the Court of Justice of the European Union in July 2020 (“Schrems II Case”) and the uncertain fate of post-Brexit data transfers towards the United Kingdom, 2021 has finally brought important clarifications and thus comforted concerned data exporters.
Following the adoption of a new set of modular standard contractual clauses, the European Commission has provided organisations with pre-approved sample clauses as legal framework to safeguard international data transfers. The latter will without doubt be very welcomed by data controllers and by processors that engage service providers located outside of the European Union for missions involving personal data processing activities. However, the model clauses have not taken away the necessity for exporters and importers to implement, as appropriate, supplementary measures to ensure a level of protection essentially equivalent to that guaranteed within the EEA by the General Data Protection Regulation (the GDPR).
In that context and in light of the uncertainty of the legality of data transfers to the United States and other countries not having been recognized as providing an adequate level of protection for the processing of personal data, the European Data Protection Board provided guidance and recommendations to determine the best course of action.
Thanks to the adoption of the UK adequacy decision by the European Commission, data exporters also have, for now, the guarantee that the UK provides an essentially equivalent level of protection for personal data compared with that of the EU. Hence, transfers to the UK are now free. Nevertheless, that adequacy decision is the first of its kind containing a sunset clause limiting its effects to four years.
As a multilingual, innovative driven and business friendly environment, Luxembourg is an ideal place for hosting European and global businesses, which most often involve cross-border flows of personal data. For example, Luxembourg is the number one hub for global cross-border fund distribution and the largest fund center in the world. It is therefore very important for Luxembourg-based data exporters (among which many investment funds) to have legal certainty regarding the export of personal data to the US and other non-EEA countries.
A stricter CNPD agenda
Speaking of data protection, we anticipate that the agenda of the National Commission for Data Protection (the CNPD) will be more offensive with regard to the enforcement of the GDPR. Indeed the CNPD has recently issued several decisions in which they imposed administrative fines on entities, which violated key obligations on the GDPR. In July 2021 the CNPD fined Amazon with a record €746 million fine after deciding "that Amazon’s processing of personal data did not comply with the EU General Data Protection Regulation". These decisions show that the CNPD did not hesitate to fine businesses further to its recent investigations, when considering that the GDPR was not adequately complied with. In 2021, organisations located in Luxembourg must remain cautious and attentive of their ongoing data processing activities. It is expected that the CNPD will continue to perform occasional investigations on medium sized or large companies in Luxembourg and that further administrative fines will follow.
An upcoming European AI Regulation
Finally, we think that Artificial Intelligence will be among the hot-topics of 2022. The next months will be marked by the legislative process of the Proposal for a Regulation laying down harmonised rules on Artificial Intelligence, which the European Commission published in April 2021. By aiming to set a global standard on how AI systems should be regulated, the Commission has expressed the ambition to limit mass surveillance, discrimatory and biased AI systems.
While this AI Regulation Proposal appears to be an important benchmark setter of the European Union for a global ethical AI, some voices already criticise the proposal as a tool to hinder the development of AI system and thus situate to downgrade the European Union as a competitor next to China, the United States or the United Arab Emirates. It will therefore be of utmost importance to remain attentive to the further development of this Proposal. While it is far from taking effect, it is already certain that this Regulation will have a global impact.
An adapted version of this forecast was published in the Delano October 2021 international supplement.