Believe it or not, the baby turns 3 today! And like with every three-year-old, there is a lot to watch out for.
Granted, when GDPR was born it was after a 2-year gestation (transition) period. What followed were many sleepless nights with the new baby when it was born on May 25, 2018; not to mention the sleepless nights in the run up to the birth. Some parents (organisations) were running around frantically trying to figure out what the heck was going on, few parents were over-prepared and some, well, some were coasting. We then hit the Terrible (Schrems) Two’s when tantrums prevailed (i.e. Privacy Shield held invalid) and we cut our first teeth (the first fines). And so, we find ourselves raising this rowdy toddler, who will no doubt create more life-altering changes when it hits teenage years! There is certainly more to follow…
All jokes aside, the privacy space has seen a lot of changes (ups and downs) in these last three years:
- Invalidation of Privacy Shield
- first fines and decisions against organisations that fail to comply
- new laws in other territories mirroring the obligations under GDPR
And it will continue to be interesting to work in this space:
- Will there be a Privacy Shield 2.0?
- What will the new Standard Contractual Clauses look like?
- How will Facebook react to the Irish High Court decision to block the transfer of data to the US?
- What will be the impact for other controllers and processors in the wake of the Irish decision to block Facebook’s transfers to the US?
- What will the Biden administration do in terms of a federal privacy law in the US?
- Will we see more adequacy decisions?
- What kind of certifications will be created and adopted for use?
- How will the first codes of conduct shape data processing and international data transfers (in particular)?
And so, as this toddler finds its feet in the world, there is only one thing we can do to wish it along: sing together “Happy Birthday, GDPR!!!”