Data will continue to shape the regulatory and compliance agenda in 2021
Data is a central aspect of digitalisation and continues to drive value and innovation, despite tightening regulation and continued uncertainty around data transfers.
In an eventful year, data-related issues didn’t take a step back during 2020. The pandemic required many businesses to engage in rapid digital transformation. At the same time, companies needed to introduce proportionate public health measures into day-to-day business while respecting fundamental data protection principles. Covid-19 aside, three themes stood out during the year in relation to data and will continue to drive the agenda in 2021:
- Regulatory enforcement gathered pace and, in our view, will continue to do so.
- Regulation increased around data transfers.
- Legislators began to focus on how to encourage and regulate data exploitation more generally (beyond personal data controls).
Implementing adequate technical and organisational measures – especially in the new remote-work environment – remains crucial. This was evident in the British Airways case in the UK, where the Information Commissioner's Office (ICO) identified an insufficiency of technical and organisational measures. The importance of taking appropriate precautions to mitigate the risk of an attack occurring (for instance, due to the lack of two-factor authentication and the compromise of a single username and password) cannot be overstated.
The regime around administrative fines is continuing to develop. The 1&1 Telecom GmbH decision of the Bonn Regional Court should be kept in mind in this regard. The court provided angles for challenging the focus of regulators – in this case, German – on turnover as a starting point when calculating fines, and reduced the administrative fine from €9.6m to €900,000. Until European fining guidelines are established, stakeholders will have to follow developments on the applicable guidelines, such as the ICO’s Draft Statutory Guidance 2020.
More than ever, digital sovereignty is a major challenge for the European Union. Against this background, the Schrems II decision caused headaches for all companies that transfer personal data to the US. In addition to invalidating the EU-US Privacy Shield for transfers of personal data to the US, it questioned all data transfers to non-EU countries based on other transfer tools.
Following this decision, the European Data Protection Board provided draft guidance for international transfers of data with different steps to follow, and the European Commission published updated Model Clauses. Both of these remain subject to the outcome of public consultations. In the meantime, considerable uncertainty remains as to how best to legally transfer personal data outside the European Economic Area. Consequently, some European companies are starting to think afresh about where their data is – and should ideally be – hosted. Some global companies may need to rethink their internal organisation and structure in order to assess whether they need to transfer personal data globally, and if so, how they can legally do so. It remains to be seen whether EU-based providers will gain an advantage from this in the longer term.
Opening up access to data, whether personal or non-personal, can create opportunities for technological advancement and the deployment of new products and services. However, natural tensions exist between opening up access to data and protecting intellectual property rights, confidentiality and individuals' privacy. The EU's proposed Data Governance Act aims to address some of these challenges through an enabling legislative framework and trusted data sharing mechanisms. There are four areas to the proposal: the reuse of public sector data subject to rights such as data protection legislation, intellectual property, trade secrets or other commercially sensitive information; a regime for data intermediaries; data altruism; and the development of a European Data Innovation Board. On the one hand, businesses acting as data intermediaries would face additional compliance requirements as a result of the Act's regulatory framework, and would no longer be able to use gathered data for their own ends. On the other hand, other businesses, particularly smaller enterprises, may be presented with opportunities to benefit from data they wouldn't otherwise have access to.
What's coming up?
From our perspective, 2021 will see a continued focus on opening up access to data and harmonised compliance across the EU, to facilitate cross-border data sharing, while seeking to protect commercial interests and privacy. The only certainty concerning international transfers of personal data seems to be that there is no certainty: both exporters and importers of personal data will need to carry out a case-by-case analysis rather than just relying on template documentation such as Standard Contractual Clauses.