DPN Advisory Board 2021 predictions
A year ago I predicted more focus on governance and ethics as well as an increase in enforcement and claims. I was right in that there has been an increase in quasi-class actions and ICO fines and indeed increased enforcement in other parts of the EU. In 2021 I still predict more investigations, enforcements, fines and class actions. I do also expect focus on data governance and ethics by design.
The Data Commission of the GLE are looking to develop a Data Charter for governance of data sharing and analytics for public good in London and the EU has also announced a Data Governance Regulation. Watch this space!
The inevitable progress of class actions following data breaches will continue in 2021 (even if the Supreme Court backs Google over Richard Lloyd) but international transfers look to be the year’s hot topic. Businesses will be grappling with how to assess the impact of foreign laws, so they comply with the EDPB’s recommendations on measures to supplement transfer tools and what it looks likely new Standard Contractual Clauses will require of them…and that’s all before the task of re-papering their existing data transfer agreements to incorporate those Clauses.
A post-Brexit change of approach by the UK – possibly with a new Information Commissioner in post – might simplify at least these issues but perhaps not if it jeopardises the UK’s still-elusive (at the time of writing) adequacy decision. All in all, another busy year is guaranteed for privacy practitioners.
Simon Blanchard, Partner, DPN Associates
2020 has been an unexpectedly challenging year for so many people. Data protection teams have had to adapt quickly to change and to emerging requirements for personal data. From track and trace to monitoring employees’ health this has presented fresh privacy challenges and concerns. I predict responsible and ethical use of data, such as in the growing number AI applications, will be a focus in the coming year. And of course, cross border data transfers are likely to remain a key concern as the Brexit transition period ends.
If there was ever a point in my life when I would dearly love to have a crystal ball, it’s now. When it comes to Coronavirus, we’re approaching the end of 2020 with sighs of relief and looking forward to 2021 with anticipation and hope.
Unfortunately, I don’t think the same positivity applies when it comes to data protection. Come 1 January 2021, I fear the UK may not have been granted adequacy status by the EU. This, combined with the death of the Privacy Shield, the Schrems II decision and the resulting development of new standard contractual clauses by the European Commission (with a proposed one year transition period) means that the topic of cross border data flows is going to be high on everyone’s agenda.
Other issues likely to feature strongly in 2021 include; Ad Tech and RTB, wider ePrivacy and of course Elizabeth Denham’s term of office as ICO comes to an end. Any takers?
2021 will be another very busy year for all privacy professionals, with a year full of new privacy legislation ahead of us, we’ll need to be able to answer questions about a lot of changes going on around the globe: PIPL (China), Brexit (UK), Schrems ll (EEA), E-Privacy (EEA & UK) , the EU consultation on DPO qualifications, the roll out of ISO27701 (privacy extension), the EU Data Governance Act, CPPA (Canada), and lots lots more.
Privacy governance structures will also be being tightened up, more DSARs will be received, and we’ll be welcoming a new ICO Commissioner too, who no doubt will have their own views on the UK Data Strategy paper, and the impact of more and more applications involving AI/ML/IOT and automation in general. The EU discussions around voluntary sharing of data and the altruistic use of data will be fascinating too.
I think there is continuing uncertainty around Brexit with the provisions of our exit arrangements still to be finalised. This has seen an increase in data controllers raising concerns about the storage of data within the UK by data processors. This issue has certainly been exacerbated by the recent Schrems II ruling which has seen many organisations concerns heightened with respect to storage of data in the US. With high profile data centres located in the states this could prove problematic for organisations who rely heavily on cloud storage solutions. I also think historic challenges around records management continue to exist with organisations’ overall compliance in understanding exactly what data they hold, how this can be processed and used and how long it can be retained proving challenging. With this in mind I’m really pleased that the DPN opted to be active in this area and trust that our Data Retention Guidance is proving to be a useful tool for the records management challenges that organisations are presented with.
The unstoppable arrival of 2021 puts me in mind of Bert the chimney-sweep in Mary Poppins, standing on a rooftop and observing “Winds in the east, mist coming in. Like somethin’ is brewin’ and ’bout to begin.” And rather like Bert in the Disney film it may well come with an American accent, but this time from the west.
Whilst Brexit dominates the UK agenda, and it certainly will for months to come, the American accent comes from the incoming administration in Washington. The passing of CPRA in California further supports the groundswell of opinion that some type of federal approach to data legislation is inevitable. Students of US politics may also appreciate that Vice President elect, Kamala Harris, has been engaged in privacy legislation since her time as California’s attorney general a decade ago, so it may well be an early policy priority.
My prediction isn’t that we’ll see material change within 12 months. It is that we’ll start to see a different set of signals coming from across the Atlantic and this in turn will change the landscape around the scope and use of personal data within the advertising and marketing sector. In 2020 the sector has been dominated by the policy decisions of Google and Apple. It’s now the turn of lawmakers.
I can see three themes emerging:
1: There will be many more opportunities for people to be able to control access to their data from their own devices. Whether it’s the ad tech solutions, such as permutive which manages ad serving or the Government’s COVID app, individuals have more control over how their data is used. This will grow.
2: As the rules become more difficult to understand and enforce, the movement towards data ethics and doing the right thing will grow. Regulators will never be able to keep up with technical innovation so producing more outcomes based guidance is the way to go.
3. There will be toing and froing about granting data adequacy to UK, post Brexit. We all know it should be relatively easy but that’s unlikely to be the case with much debate about government surveillance.
All the best for 2021!
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.