Data privacy will remain risky and unpredictable for firms doing business across borders
This article was first published on International Data Privacy Day (that's 28 January for civilians) but the awkward truth for the business community is that data handling will remain stubbornly high up the agenda throughout 2022.
We are now one year on from the introduction of the UK GDPR in a post-Brexit Britain. Two years on from the start of a global pandemic, which forced a discussion around the tension between public health and data privacy. And over three years on from the GDPR coming into force across Europe, and by extension the world. Yet the passing time has done nothing to diminish the intense focus on data in a rapidly digitising global economy in which information is a crucial commodity. But if nothing is simple about the flux of privacy law and regulation, our predictions for what's in store in 2022 will at least leave you forewarned.
UK Data Protection Reform
2021 was the year the UK Government hinted it might think outside the box in data protection regulation. In September 2021, the UK Department for Digital, Culture, Media and Sport (DCMS) published a wide-ranging consultation on data protection reform. The consultation is the first step in government plans to deliver on ‘Mission 2’ of the National Data Strategy, underpinned by a desire to boost innovation and economic growth for UK businesses while strengthening public trust in data use. The proposals were expansive, seeking to create an adaptable and dynamic set of rules underpinning trustworthy use of data. They mark a move from the trend of recent years for prescriptive frameworks towards a more outcome-focused regime, to reduce burdens on business. The consultation closed in November 2021, with the results expected this spring. For further detail about the reform proposals, see our post.
A new UK regulator
On 4 January 2022, John Edwards began a five-year term in his new role as UK Information Commissioner, succeeding Elizabeth Denham CBE. The new regulator spent the past eight years as New Zealand Privacy Commissioner and before that worked as a barrister. The new Information Commissioner’s agenda and priorities will become clearer during his first full year in the role. However, it seems likely that one of his early priorities will be the introduction of the Age Appropriate Design Code to protect children online, together with the Online Safety Bill.
The fallout from enforcement – Privacy notices and cookies
2021 saw significant enforcement action – including fines of EUR746 million, EUR225 million and EUR150 million. Interestingly, these fines did not result from major data security breaches; rather, they reflect a regulatory focus on data protection principles – particularly transparency – and on cookies. While in the UK, at least, the current rules on cookie consents may be relaxed as a result of the data reform proposals described above, enforcement of this kind seems likely to trigger widespread updates to privacy notices and cookie practices in 2022.
Testing EU cooperation on GDPR
Although 2021 saw significant EU GDPR regulatory action, it also shone a spotlight on differences between Member State regulators' enforcement stances. In the 2021 WhatsApp enforcement action, objections raised by other EU regulators to the Irish Commissioner’s proposed enforcement resulted in a referral to the European Data Protection Board for resolution. In December 2021, MEPs also sent a letter to EU Justice Commissioner Reynders to raise concerns about Irish enforcement of the GDPR. What is clear is that there is a significant discrepancy between EU supervisory authorities. Could 2022 be the year the GDPR’s cooperation mechanism is tested to its limits? Or could we see individual Member State regulators forging their own path?
International data transfers – Volume 1 (EU SCC re-papering)
On 27 September 2021, the new EU standard contractual clauses (SCCs) came into force for the transfer of personal data from the EEA to third countries under the GDPR. From that date, the new SCCs have been used for any new agreements that rely on EU model data transfer clauses to legitimise such transfers. Existing agreements incorporating the old EU SCCs remain valid and provide safeguards until 27 December 2022, meaning that for many organisations 2022 is likely to involve the not-insignificant task of 're-papering' agreements that rely on the old EU SCCs and replacing them with the new equivalents.
International data transfers – Volume 2 (the UK position)
In August 2021, the UK Information Commissioner published a consultation on international data transfers. The regulator published a draft agreement to address transfers of personal data outside the UK; a draft international transfer risk assessment guidance note and tool; and a draft UK addendum for inclusion in the EC's standard contractual clauses. The consultation closed on 7 October 2021 and we expect to see legislative proposals in 2022, which should finally give organisations certainty on the UK approach to international data transfers. However, this may not end the saga, depending on the results of the UK Government's own data protection reform consultation (see above). For more analysis on the ICO’s proposals, see our blog post.
International data transfers – Volume 3 (Safe Harbor 3.0?)
Shortly after the Schrems II judgment, the US Department of Commerce and the EC began discussions on an enhanced EU-US Privacy Shield framework to comply with the ruling. However, discussions do not seem to have progressed much during 2021 and, without root-and-branch reform of US surveillance law, it remains unclear how any such framework would avoid the fate of its predecessors, the Privacy Shield and the US Safe Harbor. Could 2022 be the year governments in multiple jurisdictions manage to find a way through the legal complexities raised by the Schrems II judgment to allow the international transfer of data on a practical level?
ePrivacy and cookies
We have covered the proposed ePrivacy Regulation in our previous data protection predictions, and yet the question remains as to whether 2022 will be the year this legislation makes it through the process. Even without the proposed new EU regulation, some EU regulators have made their focus on cookies very clear – the French data watchdog CNIL has recently taken significant enforcement action against both Google and Facebook for breaches of cookie rules. The UK's recent consultation on data protection reform also addressed the area, questioning the viability of current rules on cookie consents. As a result, whether via legislation, policy reform or regulatory action, it seems clear that cookies will be a frequent dish in 2022.
Tech vs data regulation – The race continues
2021 saw continued focus from organisations and regulators on innovative technologies and, in particular, AI. Commercial application of AI has surged alongside attempts by data regulators to keep pace, protect the privacy of individuals, and ensure fairness in an increasingly AI-driven world. An example of this was the UK Information Commissioner’s 2021 consultation on the use of the beta version of its AI and data-protection risk mitigation and management toolkit. Expect even more focus in 2022 on the use of AI and innovative technologies against the backdrop of changing data privacy legislation. For more on the ICO's AI review, see our previous article.
Data class actions reborn?
In November 2021, the Supreme Court overturned the Court of Appeal’s decision in the high-profile Lloyd v Google case. A ruling against Google would likely have opened the floodgates for class actions for loss of control of personal data to be brought on behalf of huge numbers of individuals. The case was pursued under the Data Protection Act 1998, rather than the GDPR, which superseded it. While there may be read-across to the current UK GDPR regime, Lord Leggatt specifically stated that he was not considering the later legislation, which could leave the door open for future loss-of-control claims under the GDPR. After Morrisons won a court battle in 2020 rejecting its liability for a data breach, and now Lloyd v Google, could 2022 see another data class action reach the courts? For more analysis on the Lloyd v Google ruling, see our recent article.
A version of this article first appeared in our Data Notes blog, which has all the latest news and commentary from our team.