It has been an intense year so far and one that promises to continue to be just as exciting moving forward for two reasons. Italy once again plays a leading role in enforcement actions, not only by its data protection authority, the Garante, but also by its antitrust authority. As far as enforcement is concerned, the Garante is always on the top of the enforcement statistics at a worldwide level.
The Garante recently aligned itself with the decisions of the French and Austrian DPAs on the subject of Google Analytics and data transfers to the U.S. All this while we anxiously await the new trans-Atlantic agreement and adequacy decision for data transfers between the EU and the U.S.
Another noteworthy development concerned well-known social network TikTok and its decision to switch from the legal basis of consent to that of legitimate interest for personalized advertising. After a discussion with the Garante, this choice was put on hold, but it reopened the major issue of choosing the right legal basis in the complex context of social media, especially when it must also take into account the likely presence of minors, for whom no suitable standard has yet been found to establish their age and consequent lawful access to the platform.
The Autorità Garante della Concorrenza e del Mercato, Italy's antitrust regulator, also came to the fore recently with its investigation of Google for its alleged failure to facilitate the right to data portability provided for in Article 20 of the EU General Data Protection Regulation. The case stems from a complaint filed by direct marketing platform Weople, which built a platform — a sort of virtual wallet — allowing users to collect their personal data, make requests to companies that have it, and then monetize its use while maintaining control over it. This episode revives an old debate on the appropriateness of considering personal data as a tradeable good rather than as the object of a right. The right to portability was in fact created to prevent data subjects from being locked into one service and being able to easily take their data to another. Whether it is appropriate to use Article 20 as leverage to maximize profit on the use of such data, even for the benefit of the data subject, is a chapter yet to be written.
Moving outside Italy, it is easy to see how the thermometer has risen in Europe, not only literally, but also in the data economy. In recent months, a block of new regulations have been approved that will soon change the landscape of the data economy, as well as that of the relationship between users and platforms. I am of course talking about the already approved Digital Services Act, Digital Markets Act, Data Governance Act, the long-awaited Artificial Intelligence Act, Data Act, European Health Data Space, the new rules on digital labor platforms, as well as the always elusive update of the ePrivacy Regulation.
All these regulations will, in some way, present themselves as "lex specialis" of the GDPR. With the DSA and DMA, as well as in some amendments to the AI Act, we have seen elements that will come in handy in the European Commission's forthcoming review of the GDPR, as far as enforcement rules are concerned. The European Data Protection Supervisor himself recently called for a change of pace and procedures with regard to large platforms, which have so far benefited from the enforcement bottlenecks, in favor of a greater central role for the European Commission, as envisaged by the DSA and DMA.
It seems obvious to me that never before has the role of privacy pros been more central to managing the new challenges of the data economy.
If you want to comment on this post, you need to login.