In honor of Data Privacy Day 2023, we’d like to share some “privacy predictions” from our eyeo Security and Privacy team. Data privacy is a rapidly expanding and critical sector that affects the entire online community. At eyeo, we understand that privacy drives user empowerment while enabling advertisers and publishers to fairly monetize. Technological solutions that incorporate privacy and data protection fundamentals are vital in creating a modern, sustainable and prosperous web. As promised, here’s what to look out for in the coming year:

Prediction #1: Brace yourself, Schrems III is coming!

by Harmonie Vo Viet Anh, Security and Privacy Manager

After the decision of the Court of Justice of the EU (CJEU) invalidating the “Privacy Shield” (so called decision “Schrems II”) because of US surveillance, the European Commission drafted a new adequacy decision. In the Schrems II decision the CJEU considered:

• that the requirements of US domestic law, and in particular certain programs enabling access by US public authorities to personal data transferred from the EU to the US for national security purposes, result in limitations on the protection of personal data which are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law,
• and that this legislation does not grant data subjects actionable rights before the courts against the US authorities.

However, these changes, made in the executive order 14086 after the invalidation of the “Privacy shield” to address these requirements, are minimal:

• the new executive order uses the wording of EU law ("necessary" and "proportionate" as in Article 52 of the Charter of Fundamental rights of the EU) instead of the previous term "as tailored as feasible" used in  Section 1(d) of PPD-28. But since this new wording does not have the same legal implication as in the EU, the limitation of the bulk surveillance might not be efficient in practice.
• there will now be a two-step procedure, with the second step being in front of a “Data Protection Review Court”. But, this will not be a “Court” in the normal legal meaning of Article 47 of the EU Charter or the US Constitution, but a body within the US government's executive branch. As this court is not a judicial body, it is unlikely that it can be recognized as such in application of the EU Charter.

This new deal between the US government and the European Commission would still not help the US fulfill the requirements of the CJEU in the Schrems II decision in order for the US to achieve an adequate level of data protection. So even if this new adequacy decision about the US is published by the EU Commission, we are very likely to face a new invalidation of this third deal. 

Prediction #2: Gear up! Time for more compliance (The ePrivacy Regulation)

by Yamini Chandar Sha, Privacy & Data Protection Counsel

Look out more regulations coming your way! The most awaited regulation on privacy and electronic communications may likely come into force in 2023. European bodies are in a trialogue negotiation to conclude the draft on ePrivacy Regulation and this means there is something in store for users and digital service providers. 

The Regulation, if it comes into force, will supersede the ePrivacy Directive and will be lex-specialis, also taking precedence over GDPR. Of the many changes brought in by the draft regulation, the ePrivacy Regulation seeks to simplify the procedure of obtaining consent through the user’s browser settings, meaning users may not be confronted with cookie consent banners everytime they access a website. 

The latest draft by the EU Council also allows the use of cookie walls if the service providers can offer an equivalent cookie-less service that does not require consent. This obliges digital service providers to prepare their organizations to be privacy compliant. Assuming the ePrivacy Regulation comes into effect in 2023, the estimated applicability of the Regulation would be sometime in 2025, after a 24 month transition period from the 20th day of its official publication. 

Prediction #3: AI will shake up how privacy is done

by Cornelius Witt, Group Data Protection Officer

“2023 Is Artificial Intelligence's Big Year” or “Why 2023 will be the year of AI” were some of the many headlines predicting that AI will be a gamechanger in 2023. However, what is often overlooked is how new and disruptive AI models will meet data protection requirements. Regulators and researchers are raising important questions about how privacy is ensured when more and more data processing shifts to algorithmic-based machines and computer systems. 

Most AI applications are based on automated decision making, which triggers several legal requirements under GDPR: 

-Companies will need to explain to individuals in a way they understand how their AI
applications work (“right of explanation”). 

-At the same time, users have a right to require a human to review a decision made by
an AI. 

And these are just two, of many, highly relevant compliance - and ethical - questions when it comes to AI and privacy.

There has been unrest for years amongst users about the quality and types of ads they see online. But now more than ever privacy is becoming part of the equation. Users are growing more aware and concerned about their online privacy and are demanding ways to protect that privacy. Almost half of all ad-blocking users (45 percent) cite "protecting their privacy" for the reason they use an ad blocker and over 36 percent use one "to stop companies from collecting their personal data" (source GWI). 

Growing concerns about privacy are changing the web as we know it and it's time for not only regulators to take action, but there are opportunities for advertisers and publishers to contribute to a sustainable online environment where privacy is respected.

Learn more about eyeo’s stance on privacy-related topics and how we’re enabling users with the means to control and protect their privacy.

Image by rawpixel.com on Freepik