Key data protection challenges for 2021

Data globalisation after Schrems II

Browsing the web. Using apps. Communicating electronically. Shopping online. Working from home. Life as we know it relies on data flowing across geographical borders throughout the world. However, international data transfers have never been more scrutinised. Following the ruling by the Court of Justice of the European Union (CJEU) in Schrems II, it has become clear that legitimising transfers of personal data out of the EU is no longer a paperwork exercise.

In order to ensure that such data transfers are lawful and data globalisation can continue, it is now necessary to undertake “transfers impact assessments” that consider what data is going where, what protections are in place, and how to overcome any potential unjustified access to personal data by public authorities in a third country. In 2021, these assessments will become commonplace and organisations seeking to transfer personal data out of the EU or the UK will also have to consider what additional safeguards – such as technical, contractual and organisational measures – will need to be deployed to ensure that data transfers are lawful. Surveillance is not just a concern for privacy activists, but a key consideration to bear in mind when implementing data protection across borders.

The war on cookies

Another critical legal challenge for the year ahead arises from a decade-old law and its requirement to obtain consent for the use of cookies. After all these years and while we wait for a new e-Privacy Regulation to be agreed, European data protection authorities appear to have declared war on cookies. Strict guidance accompanied by selective enforcement will lead to a shake-up of the current approaches to cookie consent.

Whether we see any meaningful progress on the adoption of an EU e-Privacy Regulation – which has been stuck in the Council of the EU for nearly three years – during 2021 is anyone’s guess. However, it is beyond doubt that there will be increasing pressure for website operators and app providers to implement fully compliant consent mechanisms. That is not to say that the ongoing debate over the validity of “cookie walls” and the use of analytics cookies without consent will not continue, but the consequences of taking a risk-based approach to cookie consent compliance will be more severe than ever before.

The politics of data protection

The complex legalities surrounding data protection will also be more affected than ever by politics. Energised by the CJEU Schrems II decision, politicians, privacy activists and even regulators have actively called for greater data localisation in Europe. Irrespective of whether data localisation is a viable proposition in today’s world, data protection has become a useful tool for data protectionism, so the practical effect of this political trend will be felt by anyone involved in data protection over the coming months.

Beyond Europe, the new US administration is also likely to pay far more attention than the previous one to the direction of travel of privacy and data protection laws around the world. That will likely mean a greater emphasis on regulatory compliance for US-headquartered organisations, particularly those operating internationally, which, in turn, will lead to the adoption of more comprehensive and detailed privacy programmes.

The Brexit effect

Perhaps one of the most difficult challenges to predict in terms of its practical significance and effect is the UK’s final departure from the EU. As the transition period comes to an end in 2021 and the realities of Brexit kick in, it is obvious that it is unlikely to be business as usual. However, the UK Data Protection Act 2018, which introduced the GDPR framework, will remain in place, so the day-to-day data protection obligations will hardly change. The greatest impact of all will be if, in the absence of an adequacy determination by the European Commission, the UK officially becomes an unsafe jurisdiction for EU personal data and, as a result, it is directly impacted by the complexities brought about by Schrems II.

Another effect of Brexit will be in relation to the role of the Information Commissioner’s Office (ICO) – not so much within the UK itself, but towards Europe and the world. No longer part of the European Data Protection Board (EDPB), the ICO will be free from the interpretative restrictions of the EDPB, but at the same time, it will be unable to effectively influence the thinking of its European counterparts or to participate in the One Stop Shop of regulatory supervision. This will be very directly felt by any global business that has its main European operations in the UK.

Ransomware as a business model

Regrettably, the growth in ransomware that we saw in 2020 is here to stay. Cybersecurity threats are a challenge for every organisation, but ransomware attacks – where criminal hackers are able to penetrate and encrypt an entire system of business applications and databases, demanding large amounts of money in exchange for the decryption keys – can be devastating for the victim while very lucrative for the perpetrators.

Accordingly, we should expect more agonising discussions about whether the requirement to notify data protection authorities (or indeed individuals) about ransomware incidents has been triggered and, if so, when.

The growth of representative actions

An added touch of drama for data protection professionals will result from often unexpected legal actions claiming damages derived from data protection infringements. Opportunist tactics will become more sophisticated as representative actions mature. So privacy and data protection litigation will become a new and active field to explore.

The Covid-19 aftermath

Finally, if there is a wish for 2021 that the entire world shares, it is that the battle against Covid-19 will be won. As the prospects of an effective vaccine become more real, a myriad of data-driven initiatives that were rushed in to deal with the pandemic – from the collection of employees’ health data to the Covid-19 apps – will begin to be phased out. However, the scrutiny around secondary data uses and unjustified data retention will certainly increase.

In addition, the prospect of immunity passports or similar approaches to facilitate the return to normality and activities like mass entertainment or international travel will re-focus the attention given to the pandemic, so the need for data protection impact assessments in this context will continue.

All in all, 2021 will hopefully turn devastation into much-needed growth and prosperity, but the data protection challenges ahead will definitely test the resilience that we have all learnt to practise in 2020.

Eduardo Ustaran is co-director of the Privacy and Cybersecurity practice of Hogan Lovells and an internationally recognised expert in privacy and data protection law. Email eduardo.ustaran@hoganlovells.com. Twitter @EUstaran.
