Data protection requirements are becoming more complex in the European Union once again, and the European Court has begun to make significant decisions regarding the future of data protection. Estonian companies will not escape the impact of these changes, being forced to review their current practices, said Krete Paal, CEO of the Estonian data protection startup GDPR Register.
This year, several new requirements will be added to the field of data protection, resulting from both new directives from the European Union and European case law. “New legislation and court decisions will shape the field of data protection in Estonia as well, and to avoid clashing with GDPR requirements, our companies must adjust the personal data protection routines that have already been established,” said Krete Paal, head of the data protection-focused startup company GDPR Register.
The European Union is taking a closer look at data protection, as the wider spread of artificial intelligence increases risks. Entrepreneurs, in turn, are expected to be ready to align their security measures with the increased risks. It is predicted that cyberattacks using artificial intelligence will become more complex and automated. “Hackers may use artificial intelligence to analyze large datasets and organize guided phishing attacks to extract sensitive information. This increases risks and directly affects data protection,” explained Paal.
The cybersecurity regulations coming into effect this year will force companies to be more transparent about breaches and attacks that have occurred. The upcoming European Union NIS2 directive and the Cyber Resilience Act set stricter standards for cyber defense and contain several new obligations covering security and incident reporting.
By October, Estonia must also transpose the directive’s requirements into national law. “This means that affected companies should monitor developments, as they will become mandatory,” emphasized Paal. Companies should also bear in mind that the directive may affect them indirectly through suppliers or third parties. “In any case, the data controller is responsible for the data, bearing responsibility for the actions or inactions of its partners in processing personal data,” added Paal.
The jurisprudence of the European Union is constantly changing
The privacy law jurisprudence of the European Union is continuously evolving, and this year a series of significant court decisions is expected that will also impact Estonian companies. “For example, representative actions have gained momentum in the European Union, and the new Representative Actions Directive paves the way for even more types of actions,” said Krete Paal.
One important court decision shaping the future of data protection concerns the definition of “anonymity” in data sets and its criteria. In addition, European case law focuses on the burden of proof for plaintiffs in cases of moral damages and the association of privacy breaches with a legal entity without identifying the perpetrator within the company. The European Court is also expected to clarify companies’ transparency obligations related to automated decision-making processes.
The GDPR Register, created by an Estonian startup and developed in cooperation with IT experts, makes complying with GDPR requirements simple and logical, helping companies and institutions efficiently manage processes, operations, and documents associated with GDPR regulation.