It's worth noting that whilst AdTech and behavioral advertising were enforcement priorities for the DPC and other supervisory authorities, penalties have been levied against businesses across many sectors of the economy; albeit not at the eye-watering levels we have seen with technology firms.
International data transfers have caused significant headaches for firms seeking to transfer personal data out of the European Union. It is an aspect of data privacy that has witnessed substantial change in recent years. In July 2020, the European Court of Justice ruled the existing Privacy Shield arrangement for data transfers between the EU and US to be invalid. Since that decision, known as Schrems II, both jurisdictions have been seeking an alternative mechanism that is GDPR compliant.
A new Data Privacy Framework was approved by the European Union in early July. While welcome, it remains to be seen whether this will be subject to similar challenges from privacy advocates as was the case with its two predecessors. In the interim, companies have had to find alternative approaches, such as the use of Standard Contractual Clauses (known as SCCs)***.
For firms trading with the UK, the British Government has indicated its intention to streamline certain aspects of UK GDPR with the ambition to make current rules less burdensome for businesses ****.