This Monday was the second anniversary of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) coming into force.
The third year of these historic laws is set to be even more eventful than the first two. The combination of Covid-19, the UK’s exit from the EU, some major case law developments and continued enforcement action means this will continue to be a fascinating and fast-evolving area of the law.
Most organisations adapted quickly and – for the most part – well to enable large-scale working from home when the lockdown started in March. However, we are still advising many clients on the privacy implications of projects initiated in response to the pandemic. This includes advising on:
Projects of this nature are likely to continue throughout the next 6 to 8 weeks.
The optimistic reader might also expect to hear news of the ICO’s final determination on the fines levied against British Airways (BA) and Marriott for their headline-grabbing data breaches in 2018.
In July 2019, the ICO issued a notice of its intention to fine BA and Marriott £183 million and £99 million respectively. However, it has twice extended (by agreement with the companies) the deadline for it to confirm the fines, and this is likely to happen again as a result of Covid-19, perhaps until late summer.
It also appears likely that the level of the fines will be reduced as a result of the pandemic, given the extraordinary impact it has had on the aviation and tourism industries in particular. Enforcement action taken by the ICO must be proportionate and dissuasive. Given the major reduction in revenue for both BA and Marriott as a result of Covid-19, the ICO may consider that the levels of the fines it deemed appropriate in July 2019 are now disproportionately high.
The ICO has confirmed on a number of occasions in recent weeks that while the obligations under the GDPR and DPA remain in force (and so the maximum fines remain available, especially where there are aggravating circumstances), the ICO will nonetheless adjust its approach to enforcement action during the pandemic period. Specifically, the ICO will act “in an empathetic and pragmatic way that reflects the impact of coronavirus”.
Organisations the world over will watch with interest as the ICO determines what enforcement action to take in response to the data breach recently announced by easyJet, in which the personal data of nine million customers was compromised. This is sure to be a real test of the extent to which the ICO’s approach has been adjusted.
Data protection case law does not come much bigger than Schrems II. The Court of Justice of the European Union (CJEU) will issue its judgment on the legality of the European Commission’s standard contractual clauses (SCCs) for transfers of personal data to the USA. If the court decides that the SCCs are invalid, then thousands of organisations that currently rely on them will need to implement new safeguards to govern the transfer of personal data to the USA (and potentially other countries).
The judgment is also likely to touch on the validity of the EU-US Privacy Shield adequacy decision, and the role of data protection supervisory authorities in relation to international transfers. Again, any adverse finding (for example that the Privacy Shield is invalid) would have a similarly disruptive impact on any organisations in Europe that transfer personal data to the USA.
The Advocate General issued his Opinion on this case in December 2019 (see our earlier update). While the CJEU often follows the path set by the Advocate General, given the major importance of the issues being considered in this case, it is without a doubt the must-watch case of the summer.
While lots of employees are embracing the benefits of working from home, many do not have the ability to do so, given the nature of their work, or are looking forward to returning to the office.
Whenever employers are able to welcome their staff back into the workplace, there are bound to be numerous privacy and security issues to consider. These will range from technical challenges (e.g. ensuring network security if moving from a static desk model to hot-desking, and deploying new user devices and infrastructure to support the changes in working practices) to matters concerning the health and wellbeing of staff.
As well as data protection challenges (e.g. do employees need to report on their Covid-19 status if there is a second wave of the virus?), there will also be employment law and health and safety issues to consider. All in all, the mass return to work in the months ahead is likely to be just as impactful on employers as the rapid change in working practices brought about by the start of lockdown.
Many data protection officers and privacy practitioners are anticipating a major surge in the number of data subject access requests (DSARs) in the late summer/early autumn (and possibly for some months afterwards).
This will in large part be linked to the job retention/furlough scheme coming to an end, as employers need to make difficult decisions regarding potential redundancies. Where employment claims arise, DSARs are quick to follow. Find out more about handling DSARs in our podcast.
It is also likely that claims management companies (CMCs) will align themselves to aggrieved groups of employees. This could mean an increase in the unwelcome phenomenon of bulk DSARs, where a CMC issues a DSAR to an employer on behalf of tens if not hundreds of individuals on the same day.
Managing DSARs on this scale requires a well-resourced, well-prepared team, ideally supported by technology solutions that enable efficient processing of the requests.
Organisations would be well advised to design their contingency plans now, so that they can respond to a large increase in activity. Our view is that those plans are extremely likely to be called upon.
As the year draws to a close, and we reach the end of the Brexit transition period, data protection teams across the UK and Europe will inevitably turn their attentions to international data transfers.
Organisations should already have completed data mapping exercises to determine if their businesses rely on the transfer of personal data between the EU and the UK, and have given some thought to the approach they will take to ensure that such transfers can continue after 31 December.
In the absence of any agreement with the EU to the contrary, when the transition period ends the UK will become a “third country” for GDPR purposes. This means that organisations based in the EU will need to ensure that they implement appropriate safeguards to enable the lawful transfer of data from the EU to the UK – the UK will no longer automatically be considered as “adequate” by the EU.
In practice, this is likely to mean that many organisations will need to implement the European Commission’s SCCs, to meet the appropriate safeguards test. However, it is difficult for businesses to implement solutions for their international data transfers at this stage, for two principal reasons:
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at March 2020. Specific advice should be sought for specific cases.