Data Protection 2021 Roundup

As 2021 draws to a close, the data protection team at Ashurst held a virtual breakfast seminar on Wednesday 24th November where we summarised the key data protection guidance, enforcement, cases and issues which have been gracing our desks over the last 12 months. The webinar recording and a copy of the slides are available at the bottom of this webpage.

We were delighted to hear from Kyra Bowman, from the international transfer team of the Department of Culture, Media and Sport ("DCMS") who gave her insights on developing the UK's international data transfer regime. Over the past 12 months, the DCMS has been developing the UK's cross-border data flow framework in line with the four overarching objectives set out in the National Data Strategy: building trust in data, facilitating cross-border data flows, driving data standards and interoperability and driving UK values internationally. The DCMS recognises that data protection is increasingly a global issue as countries around the world implement their own data protection frameworks - the DCMS will continue engaging with international partners to develop shared standards and interoperable tools to help businesses navigate the ever-changing data protection landscape. The DCMS has identified 6 priority countries to assess for adequacy in the near future, including the US, Australia and Singapore. Recognising the importance of stakeholder engagement, the DCMS has also formed an expert council to help the DCMS better understand businesses' international data transfers needs.

Rhiannon Webster looked at the key ICO guidance that has been released over the last 12 months.  Although there has been much focus on the issues of UK adequacy (granted in June) and the UK's approach to data transfers post Brexit, we must not forget a number of other key pieces of guidance released for consultation or which came into force this year.  The Children’s Code (officially, the ‘Age Appropriate Design Code’) which came into force in September is the first statutory code of practice for children’s data anywhere in the world. It will completely transform the way that companies collect, share and use children’s data, requiring them to offer children a high level of privacy protection by default.  The Data Sharing Code of Practice was also laid before parliament and came into force this year. It contains practical guidance for organisations which will assist in ensuring that data sharing is done in a way that is fair and proportionate and in compliance with data protection law. It also contains some optional good practice recommendations which are not legal requirements, but which the ICO considers promote an effective approach to data protection compliance. Note that the status of these as statutory codes means the courts must consider them where appropriate and it would be a difficult path for the ICO to tread if it wanted to change any of their contents.

Liz Parkin reflected on a year of covid related data protection issues. As businesses look to refocus following the disruption of the past year, we are seeing organisations tackling the ongoing need to monitor remote working and at the same time considering how best to handle a return to the workplace. Our work with clients has highlighted the need to assess carefully the lawfulness of monitoring employees working remotely, consider the underlying reasons and necessity for monitoring as well as what steps may need to be taken to ensure that such monitoring is properly considered and documented form a privacy perspective. Alongside this, returning to the office poses as many data privacy quandaries with businesses looking to protect their workforce whilst balancing the impact their policies may have on individual data privacy rights. This requires remaining alert to the impact of return to work policies, symptom checking/reporting, vaccination requirements and processing of other health data outside of the normal scope of data businesses process, for both employees and visitors.

Sophie Law spoke about three recent data breach judgments. First, Warren v DSG Retail Ltd confirmed that for most accidental data breaches, claimants will now only be able to rely on claims under data protection legislation.  The judgment may have an impact on the recoverability of ATE premiums and, therefore, litigation funding. Second, Rolfe v Veale Wasbrough Vizards reminded claimants that they must be able to show that damage suffered by them is over the de minimis threshold. Finally, in November, the Supreme Court dismissed Mr Lloyd's claim in Lloyd v Google. The Court ruled that: (a) "loss of control" damages are not a form of damages recognised in law and victims of a data breach need to have suffered financial loss or mental distress in order to bring a claim; and (b) claims for damages arising from data breaches cannot be recovered via representative actions.  However, the Court did open the door to an alternative approach to representative claims (although this may not be attractive to funders).  Read more in our briefing here. Overall, those cases show that the Court has been taking a more robust approach to data breach claims: the tsunami that many expected may well be reduced to a trickle.  In addition, the outcome in Lloyd v Google may strengthen calls for legislative reform in this area.

Harry Newton looked at the key enforcement actions taken by the ICO over the last 12 months. The vast majority of enforcement actions have been made under PECR, as opposed to the UK GDPR. In terms of overall industries, perhaps unsurprisingly, there has been a focus from the ICO on the retail, marketing and finance industries, being industries that typically involve large scale marketing activities. As its preferred method of action, the ICO has favoured monetary penalties over enforcement notices, with two thirds of all enforcement actions being monetary penalties. Whilst these monetary penalties do not reflect some of the blockbuster fines seen in Europe, they still go some way to showing that the ICO has been more willing to provide a financial penalty than in previous years. With the UK’s adequacy decision subject to review after four years, the ICO is perhaps looking to demonstrate to the European Commission that that ICO may be toughening up its stance to demonstrate that it is able to robustly regulate processing of personal data in the UK.

Finally, Andreas Mauroschat gave us an update on guidance from the European Data Protection Board and enforcement action from data protection authorities across Europe. In the UK whilst we have battled with subject access requests being used as tools of pre-disclosure and fishing expeditions pre litigation for many years, in Europe this is a relatively new phenomenon.  However we are now seeing access requests being used across Europe as a  strategic tool for purposes unrelated to data protection, such as a "fishing exercise" in connection with a pending dispute or a nuisance to support negotiations in the staged exit of staff members.  More than three years into GDPR, there is still a lack of practical guidance from the EDPB or local regulators on what must be provided to data subjects.  Businesses across Europe are therefore struggling with the uncertainty and cost of compliance.  Like in the UK, Direct marketing continues to be a high risk area from a data protection perspective, with some recent enforcement actions showing the regulators across Europe keenness  to impose penalties in this area.  Businesses with operations across Europe should review their direct marketing to ensure that they appropriately apply opt-in and soft opt-in and have solid consent management and blacklist tools in place.   The key 2021 EDPB guidance was of course, the publication of the new Standard Contractual Clauses and the related recommendations on supplementary safeguards as a result of Schrems II which has resulted in substantial implementation pressure and burden for businesses. However we should not lose sight of the other EDPB guidance of 2021 covering  connected vehicles and mobility apps, data breach notification, targeting of social media users and the concepts of controller and processor. 

It has without doubt been a busy year for data protection practitioners and at times it has been hard to keep pace with the publication of guidance, codes and case decisions all of which have a significant impact on the way an organisation processes data and the risks associated with a data breach.

Looking forward to 2022, we hope to get more certainty on international transfers with the UK international data transfer agreement expected to be released in final form at the beginning of next year.  Meanwhile it's all change at the ICO: as Elizabeth Denham's tenure comes to an end we will have a new information commissioner in place in John Edwards.  The current ICO Regulatory Action Policy (ico.org.uk) comes to an end this year and a new policy will need to be released shortly. We look forward to updating you on that policy and all that 2022 will have to bring in further Data Bytes.