Judging by the flurry of events at the end of 2022 and at the start of the new year, 2023 is going to be yet another watershed year for privacy law. In this update we recap on what has happened in the last couple of months and scan the horizon in preparation to meet the challenges ahead.
IAB Transparency and Consent Framework (TCF)
This is a great place to start, and let’s do that with a recap, as much has happened. In January this year, the Belgian APD surprisingly “validated” the IAB’s compliance plan to remedy deficiencies in the TCF’s alignment with GDPR. Good news, yes – and you can read our blog post on the topic here.
There remain, however, fundamental open points, such as the IAB’s regulatory standing under GDPR in administering the TCF. Controller? Processor? Neither? That is still to be determined, and it will be determined by Europe’s supreme court, the CJEU. That process takes time and will not be resolved before the end of the remediation period granted by the Belgian APD, which expires on 11 July 2023.
The IAB have therefore sought certain “interim measures”, making the following comment:
“This formal request turned out to be indispensable as the APD has not shown any clear willingness to engage in dialogue with IAB Europe following its decision, and seems unlikely to provide guidance between now and 11th July 2023.”
Determination of the open points will be welcomed by all TCF participants. The IAB’s remediation plan is materially contingent on which side the CJEU lands on, and the steps that need to be taken fall not just to the IAB, but to all vendors, CMPs and publishers. As Townsend Feehan, IAB Europe CEO, notes:
“Companies will have wasted resources and made changes to their business practices, while consumers will be negatively impacted and misled through multiple adjustments.”
Indeed. Let’s all hope for the “serene completion of the remaining legal proceedings”. IAB’s press release in full is here.
EU-US Data Privacy Framework (DPF) – International Data Transfers
Members of the European Parliament (MEPs) are against the European Commission (EC) granting an adequacy decision to the US based on the proposed DPF. The basis for the objection is the same as it has always been, namely that the DPF “fails to create actual equivalence in the level of protection” mandated under GDPR. The EDPB very likely share the same concerns (as do NOYB, naturally).
This is a tough circle to square. The European Parliament Committee on Civil Liberties have stated that the EC should only consider adequacy when “meaningful reforms were introduced, in particular for national security and intelligence purposes” by the US. In times of such geopolitical unrest, it is difficult to envisage an appetite for reform. However, there are certain aspects which are in the control of lawmakers and offer hope, such as a federal law on privacy in the US. The susceptibility of an executive order to change does not instil great confidence, but the executive order does set out advances in what is deemed proportionate when it comes to accessing personal data, albeit not in consumer-friendly language.
The EC are not bound to follow the advice of the MEPs, and it is still likely that adequacy will be granted – but as was the case with Privacy Shield, where there is not consensus there remains the possibility of legal challenge. The stand-off cannot continue indefinitely, as industry certainly has not stood still. Jetty Tielemans, Senior Westin Fellow at the International Association of Privacy Professionals (IAPP) sums it up well:
“The current impasse on transfers of personal data from the EU to the US is one of the top concerns of many economic operators, on both sides of the Atlantic Ocean. This situation simply must be resolved.”
Some useful links to get more detail: great resources from the IAPP on the EU-US DPF here, and the Draft Motion for Resolution issued by the Committee on Civil Liberties here (it is only 6 pages long, worth a read).
Yes, more of those adequacy decisions. The US is not the only country vying to be deemed adequate by the EC – the UK is also hopeful of joining the club. The EC published a draft adequacy decision at the end of 2022, and we now await feedback on the draft decision from MEPs and the EDPB. Their input will likely be more favourable than it was on the US decision, but that may not be the case for NOYB given the UK’s divergence from Europe on some fundamental privacy matters.
The UK however is pressing on with granting its own adequacy decisions, South Korea being first past the post in 2022. This year the UK government will continue to advance discussions with Singapore, Australia, India, and the eagerly anticipated alliance with the US (which you can read about here).
Upcoming legislation and regulatory guidance
The Data Protection and Digital Information Bill will go out for consultation in the first half of this year, and it remains to be seen how much the text will be amended from its current form. Some change is likely, but given the current adequacy arrangements between the UK and the EU, sweeping changes are not expected.
The ICO issued updated guidance on privacy in direct marketing in December 2022, with some very useful and common-sense approaches. The guidance is available here. We expect further communications from the ICO this year in line with the commitment made in its ICO25 plan – you can see those commitments here and we will provide further updates this year as those plans develop.
MediaMath Updates for 2023
We will continue to keep you updated on what is happening in our industry for 2023 and beyond, to help prepare for the legislation coming our way – European legislation such as the Data Governance Act, the Data Act, Digital Services Act and the Digital Markets Act (which we will create a specific blog post for in the coming months) will almost certainly influence, to one degree or another, UK legislation. In the meantime, we hope you found this update on the EU and UK landscape… adequate.