Funny how things go. This is my 30th "A view from Brussels" since joining the IAPP. When I started this column last February, I had a bit of apprehension about whether I would find something meaningful, newsworthy, entertaining, and ideally insightful to say about privacy. In Europe. On a weekly basis. Blame it on the nervousness of starting a new job at the time. As I sit at my desk today to write column number 30, I genuinely wonder how I will fit everything I have to say in 500 words or less.

Predictions

Any year is a busy year in the privacy world but in what way will it be busy is the real question. The IAPP team has put its thinking cap on to share its predictions for 2023. A few things we can bet on — we will see more rules and increasingly complex environments for privacy, and Europe will be no exception. This means that privacy programs will have to keep up and adapt. Organizations will have to do more with (maybe, probably) less: many expect privacy teams to be resources constrained due to economic headwinds but still have to ensure their organization rolls out new systems and technologies — artificial intelligence, I am looking at you — in a way that addresses the privacy risks associated.

Our Research and Insights team will discuss these and many other predictions during an upcoming IAPP LinkedIn Live session, “Privacy in Practice: Our top three for 2023,” scheduled for 18 Jan.

Sweden

Every six months, the EU political center of gravity shifts from one member state to another as the Presidency of the Council of the European Union rotates. Following the Czech Republic, Sweden took over the reign on 1 Jan. and will assume that role until 30 June. In the EU landscape, Sweden is a progressive country on the social scale, forward-looking on trade and economic affairs, and innovation and business-friendly. It has also been a relatively discreet member state in EU policy-making in the past few years when many were expecting, even hoping, Sweden would fill the gap left by the U.K. after Brexit. Sweden has many files to advance this semester as Brussels still debates its AI Act, the Data Act and health data space proposals, among others relevant to our community.

A little trivia about the Swedish data protection authority: the Integritetsskyddsmyndigheten, or IMY, has about 120 employees, mostly lawyers. Its nine units each cover a different area of work, whether public sector, health care and education; businesses; security audit; or IT, digitization and security. According to IMY, half of the Swedish population was still unaware of the EU Genera Data Protection Regulation four years after its entry into force. In its Digital Privacy 2022 report, IMY recommended basic knowledge of data and privacy protection issues should be part of the digital competence and included in the school curriculum. It also recommended the government take initiatives to increase digital awareness with the elderly and support the development and uptake of privacy-enhancing technologies. 

For your reading list 

This week, the Court of Justice of the European Union issued a couple of interesting decisions. One, in particular, is focused on the EU GDPR right to access under Article 15(1)(c). The case originated in Austria, where a citizen requested the Austrian Post to disclose to him the identity of the recipients to whom it had disclosed his personal data.

The CJEU found that “where personal data have been or will be disclosed to recipients, there is an obligation on the part of the controller to provide the data subject, on request, with the actual identity of those recipients.” It adds a caveat that “the controller may indicate only the categories of recipient if it is impossible to identify the recipients or the request is manifestly unfounded or excessive.”

I will admit to not having read the full text of the judgment, but if I ever do, I will certainly look for the reason why the court essentially says it is OK and even required, that more personal data be processed about individual B in order to satisfy individual A’s right to access.

And last but certainly not least, the now infamous European Data Protection Board and the Irish Data Protection Commission decisions on Meta’s Facebook and Instagram use of contract as a legal basis for targeted advertising have been formally published. The IAPP has already amply reported on the decisions, and more analysis is to come from our team, so watch this space — and the IAPP website news section. In the meantime, here is some additional reading material for you: