ICT regulation 2020

ICT Regulation in 2020: What to expect? An Aphaia Perspective


Aphaia’s Managing Partner Bostjan Makarovic and Partner Cristina Contero Almagro weigh in on ICT regulation in 2019 and offer their predictions and hopes for 2020.


To say it has been an eventful 2019 for data protection, ICT governance and ePrivacy, specifically within the EU and United Kingdom, would be an understatement. Indeed, with 2019 being the first full year with the GDPR, it proved to be a year of lessons, policy implementations, new developments, court rulings and fines, all centred on honouring the privacy and rights of individuals in today’s highly technical, online-based era. In fact, Privacy Affairs reports a total of 150 fines totaling €103,852,871 for the year, with a €50 million sanction on Google being the largest fine of the year.


So, with 2019 winding down to give way to 2020, we sat down with Aphaia’s Managing Partner Bostjan Makarovic and Aphaia Partner Cristina Contero Almagro for their professional insights on the past year and their expectations and projections for 2020.


From a data protection and AI ethics standpoint, how would you describe 2019? What would you pinpoint as two of the most impactful occurrences with regard to ICT regulation in the year just past?


Bostjan: 2019 has been the year when the topic of AI seems to have found a special place in the EU’s regulatory landscape. In addition, important new practical questions on the intersection of privacy and AI regulation have emerged, say in relation to smart billboards.


Cristina: AI Ethics standpoint: I would say 2019 has been a turning year. On 8 April 2019, the High-Level Expert Group on AI presented their Ethics Guidelines for Trustworthy Artificial Intelligence, which was part of a series of four documents. In April we also became members of the European AI Alliance, a multi-stakeholder forum for engaging in a broad and open discussion of all aspects of AI development and its impact on the economy and society, which allows us to interact with the AI-HLEG. The first AI Assembly took place on 26th June in Brussels and we were invited to attend, so we did. The Policy and Investment Recommendations on AI and the piloting process of the AI Ethics Guidelines were launched at this event. This year has also been the year of our YouTube channel, and we hope to keep working on our vlogs during 2020.


Data protection standpoint: 2019 has been the first whole year with the GDPR, as it started to apply in May 2018. We have been able to learn from the fines and the guidelines launched both from Member States’ DPAs and EU bodies, such as the EDPB. One of the most expected events of this year was the publication of the cookies guidance from DPAs (ICO in UK, AEPD in Spain, CNIL in France, etc.), although we will still have to wait for the new ePrivacy Regulation.



As we look ahead to 2020, from your analysis what are some expectations? Do you foresee any changes or implementations that would have a big effect on the way businesses operate?


Cristina: I personally hope that EU Guidelines raise awareness of the importance of ethics, and that this addresses the approval of codes of conduct for the industry. We also expect a revised ePrivacy Regulation proposal as part of the forthcoming EU Croatian Presidency.


It would also be great to see how 2020 becomes the year of 5G, as it will definitely impact the way we do business, and our lives as such, plus it is closely linked to data protection and AI Ethics. There is a lot of work to do there. It is challenging and we are looking forward to this becoming a reality. Smart cities, self-driving cars, AR… there is a whole world outside waiting for 5G!


We cannot forget about Brexit, which may severely impact data protection and AI ethics across Europe.


Bostjan: In the second half of 2020, the new European Electronic Communications Code (EECC) will directly affect both communications services and telecoms infrastructure providers across the EU. I am also wondering whether in 2020 the European Commission might seriously start looking into the possibility of a mandatory regulatory framework for AI, in addition to that of GDPR.



What advice would you give to online businesses and companies utilizing AI to ensure they get on top of the changes coming in 2020?


Cristina: With no doubt: they should contact Aphaia! (Just kidding.) What I would advise is that they look at the past and hear their customers. Look at the past because, with the example of GDPR for instance, it is easy to see how costly not doing the right thing from the beginning is, and hearing their customers, because the audience is demanding trustworthy AI, and they may not see a negative impact of not providing it for now, but it is just a matter of time, ‘adapt or die’.



Bostjan: As Cristina pointed out, getting timely compliance advice is crucial. The GDPR requirement for ‘data protection by design and by default’ already requires businesses to look into privacy matters at the point of the development of the product, not once it has been finalised or even launched. In the second half of 2020, many online businesses providing voice, chat or messaging platforms will also need to ensure they comply with the EECC.



Do you need assistance in ICT policy or regulation? Aphaia provides GDPR and UK Data Protection Act 2018 consultancy services, data protection impact assessments, Data Protection Officer outsourcing, AI ethics assessments and telecoms policy and regulation consultancy services.


GDPR territorial scope

The European Data Protection Board publishes guidelines on the territorial scope of the GDPR.

The European Data Protection Board (EDPB) has recently published guidelines on the territorial scope of the GDPR, in order to clarify the cases where GDPR applies according to Article 3. Territorial scope of the GDPR is defined based on two main criteria: the “establishment” criterion (1) and the “targeting” criterion (2).

  • Processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

The concept of establishment extends to any real and effective activity, even where it is minimal, exercised through stable arrangements. It may include activities carried out over the internet even if there is only one single employee or agent with presence in the Union, where he or she acts with a sufficient degree of stability.

“In the context of” involves all those processing activities taking place outside the Union that are inextricably linked to the activities of a local establishment in a Member State. “Inextricable link” is therefore the criterion to determine the application of the GDPR in the context of an establishment in the Union, but the EDPB considers that it should be analysed on a case-by-case basis and that additional elements like revenue-raising in the EU should also be taken into account.

The EDPB underlines that a non-EU controller having a processor in the Union does not imply that such controller is processing data in the context of an establishment in the Union, because the processor merely provides a service, which does not qualify as activity “inextricably linked”.

  • Processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, or the monitoring of their behaviour.

The EDPB stresses the location of the data subject in the territory of the Union as the determining factor to be assessed at the moment when the relevant trigger activity takes place, while nationality or legal status of a data subject are not relevant to this extent. This criterion will not apply when the processing of personal data relates to an individual alone.

In addition, this criterion will only trigger the application of GDPR where the conduct on the part of the controller or processor clearly demonstrates its intention to offer goods or services to a data subject located in the Union, which would be ascertained based on some elements such as the designation by name of a Member State with reference to the good or service offered, the use of EU search engines, the features of the marketing campaigns or the existence of specific addresses, telephone numbers, domain, currency or language for the EU.

  • Furthermore, GDPR will also apply to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessment, and Data Protection Officer outsourcing.

ICO strengthens commitment to technology and innovation

ICO strengthens commitment to technology and innovation with appointment of new executive director

ICO’s commitment to technology and innovation while protecting people’s privacy has been strengthened with a high-profile appointment. Simon McDougall is joining the ICO as Executive Director for Technology Policy and Innovation – leading new approaches to information rights practice and promoting the legally compliant processing of personal data as a core element of new technologies and business systems.

Mr McDougall is currently Managing Director of Promontory – a risk management and regulatory compliance consulting firm acquired in 2016 by IBM, where he founded and led a global privacy practice. He has extensive experience of working across a wide range of sectors and jurisdictions on privacy, compliance, digital initiatives and innovation.

He is a well-known international figure in the world of information rights, serving on the Board of Directors and the European Advisory Board at the International Association of Privacy Professionals (IAPP) along with many other consultative and advisory groups.

Mr McDougall said: “I am honoured to have the opportunity to join the ICO and lead their work in this critical area. Technological change continues to accelerate, and it is vital that the ICO remains constructively and robustly engaged as organisations innovate in the use of personal data.”

Technology is a key area for the ICO, as demonstrated by the following:

  • The publication of our first Technology Strategy, outlining how the ICO will adapt to technological change as it impacts information rights and how we’ll plan ahead for the arrival of new technologies. It explains our eight technology goals and how we intend to achieve them.
  • Making artificial intelligence (AI) one of our top three priorities for 2018/19. This includes a new Technology Fellowship programme with a two-year post-doctoral appointment to investigate and research the impact of AI on data privacy. Our updated, award winning paper on AI, Big Data and Machine Learning has been key in highlighting many of the issues and challenges facing society.
  • Plans for a regulatory ‘sandbox’ to enable organisations to develop innovative products and services while benefitting from advice and support from the ICO. We intend to consult on implementation this year.
  • Adding cyber incidents as a sixth strategic goal in the ICO’s Information Rights Strategic Plan.

Elizabeth Denham, Information Commissioner, said: “We have ambitious plans for our work in the crucial area of technology and also to ensure we are an innovative regulator, open to new ideas and new ways of doing things. As a globally respected figure in the world of privacy and innovation, Simon is a great fit for this new role, which will strengthen our expertise and responsiveness to new challenges and opportunities.”


Zoe Wong on Depop user community and its privacy awareness

As part of our interviews with clients, this time we are with Zoe Wong, Director of Finance and Operations of Depop, who talks to us about the community of users on its platform, how it has evolved and how those users perceive privacy.

1. Why is Depop unique? To an outsider, it might look like a mixture of Instagram and eBay but there is more to it, correct?

Depop has a very unique community of young creatives, so the items found on our platform are often unique pieces with their own story behind them. Depop has become, not just a place to buy and sell, but it has also offered young people an alternative career path – many are now full-time Depop sellers and start their own business. The Instagram-like marketplace means that it’s become more than just about shopping, the social element means that users also come to Depop to discover and connect with like-minded individuals.

2. Your target generation of consumers that have grown up with social media may be less concerned about online privacy than the previous ones. Is that really the case, or do they simply perceive privacy differently?

I think that our users are very aware, but they definitely have a different perception around online privacy. In the past, users may have been more concerned with things like identity security but in the age of social media, users are less concerned about putting their details on a public profile but more aware of how their data is being used and whether it’s being sold. They’re much more aware of their rights and they’re not afraid to challenge companies on their activities – I think it’s a fascinating evolution that will change how companies view transparency & social responsibility.

