{"id":5520,"date":"2020-11-30T11:30:00","date_gmt":"2020-11-30T11:30:00","guid":{"rendered":"https:\/\/www.infolaw.co.uk\/newsletter\/?p=5520"},"modified":"2021-01-04T13:06:51","modified_gmt":"2021-01-04T13:06:51","slug":"key-data-protection-challenges-for-2021","status":"publish","type":"post","link":"https:\/\/www.infolaw.co.uk\/newsletter\/2020\/11\/key-data-protection-challenges-for-2021\/","title":{"rendered":"Key data protection challenges for 2021"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\">Data globalisation after <em>Schrems II<\/em><\/h3>\n\n\n\n<p>Browsing the web. Using apps. Communicating electronically. Shopping online. Working from home. Life as we know it relies on data flowing across geographical borders throughout the world. However, international data transfers have never been more scrutinised. Following the ruling by the Court of Justice of the European Union (CJEU) in <em>Schrems II<\/em>, it has become clear that legitimising transfers of personal data out of the EU is no longer a paperwork exercise.<\/p>\n\n\n\n<p>In order to ensure that such data transfers are lawful and data globalisation can continue, it is now necessary to undertake \u201ctransfers impact assessments\u201d that consider what data is going where, what protections are in place, and how to overcome any potential unjustified access to personal data by public authorities in a third country. In 2021, these assessments will become commonplace and organisations seeking to transfer personal data out of the EU or the UK will also have to consider what additional safeguards \u2013 such as technical, contractual and organisational measures \u2013 will need to be deployed to ensure that data transfers are lawful. Surveillance is not just a concern for privacy activists, but a key consideration to bear in mind when implementing data protection across borders.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The war on cookies<\/h3>\n\n\n\n<p>Another critical legal challenge for the year ahead arises from a decade old law and its requirement to obtain consent for the use of cookies. After all these years and while we wait for a new e-Privacy Regulation to be agreed, European data protection authorities appear to have declared the war on cookies. Strict guidance accompanied by selective enforcement will lead to a shake-up of the current approaches to cookie consent.<\/p>\n\n\n\n<p>Whether we see any meaningful progress on the adoption of an EU e-Privacy Regulation \u2013 which has been stuck in the Council of the EU for nearly three years \u2013 during 2021 is anyone\u2019s guess. However, it is beyond doubt that there will be increasing pressure for website operators and app providers to implement fully compliant consent mechanisms. That is not to say that the ongoing debate over the validity of \u201ccookie walls\u201d and the use of analytics cookies without consent will not continue, but the consequences of taking a risk-based approach to cookie consent compliance will be more severe than ever before.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The politics of data protection<\/h3>\n\n\n\n<p>The complex legalities surrounding data protection will also be more affected than ever by politics. Energised by the CJEU <em>Schrems II<\/em> decision, politicians, privacy activists and even regulators have actively called for greater data localisation in Europe. Irrespective of whether data localisation is a viable proposition in today\u2019s world, data protection has become a useful tool for data protectionism, so the practical effect of this political trend will be felt by anyone involved in data protection over the coming months.<\/p>\n\n\n\n<p>Beyond Europe, the new US administration is also likely to pay far more attention than the previous one to the direction of travel of privacy and data protection laws around the world. That will likely mean a greater emphasis on regulatory compliance for US-headquartered organisations, particularly those operating internationally, which in turn, will lead to the adoption of more comprehensive and detailed privacy programmes.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The Brexit effect<\/h3>\n\n\n\n<p>Perhaps one of the most difficult challenges to predict in terms of its practical significance and effect is the UK\u2019s final departure from the EU. As the transition period comes to an end in 2021 and the realities of Brexit kick in, it is obvious that it is unlikely to be business as usual. However, the UK Data Protection Act 2018, which introduced the GDPR framework, will remain in place, so the day-to-day data protection obligations will hardly change. The greatest impact of all will be if, in the absence of an adequacy determination by the European Commission, the UK officially becomes an unsafe jurisdiction for EU personal data and, as a result, it is directly impacted by the complexities brought about by <em>Schrems II<\/em>.<\/p>\n\n\n\n<p>Another effect of Brexit will be in relation to the role of the Information Commissioner\u2019s Office (ICO) \u2013 not so much within the UK itself, but towards Europe and the world. No longer part of the European Data Protection Board (EDPB), the ICO will be free from the interpretative restrictions of the EDPB, but at the same time, it will be unable to effectively influence the thinking of its European counterparts or to participate in the One Stop Shop of regulatory supervision. This will be very directly felt by any global business that has its main European operations in the UK.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Ransomware as a business model<\/h3>\n\n\n\n<p>Regrettably, the growth in ransomware that we saw in 2020 is here to stay. Cybersecurity threats are a challenge for every organisation, but ransomware attacks \u2013 where criminal hackers are able to penetrate and encrypt an entire system of business applications and databases demanding large amounts of money in exchange for the decryption keys \u2013 can be devastating for the victim while very lucrative for the perpetrators.<\/p>\n\n\n\n<p>Accordingly, we should expect more agonising discussions about whether the requirement to notify data protection authorities (or indeed individuals) about ransomware incidents has been triggered and, if so, when.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The growth of representative actions<\/h3>\n\n\n\n<p>An added touch of drama for data protection professionals will result from often unexpected legal actions claiming damages derived from data protection infringements. Opportunist tactics will become more sophisticated as representative actions mature. So privacy and data protection litigation will become a new and active field to explore.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The Covid-19 aftermath<\/h3>\n\n\n\n<p>Finally, if there is a wish for 2021 that the entire world shares, it is that the battle against Covid-19 will be won. As the prospects of an effective vaccine become more real, a myriad of data-driven initiatives that were rushed in to deal with the pandemic \u2013 from the collection of employees\u2019 health data to the Covid-19 apps \u2013 will begin to be phased out. However, the scrutiny around secondary data uses and unjustified data retention will certainly increase.<\/p>\n\n\n\n<p>In addition, the prospect of immunity passports or similar approaches to facilitate the return to normality and activities like mass entertainment or international travel will re-focus the attention given to the pandemic, so the need for data protection impact assessments in this context will continue.<\/p>\n\n\n\n<p>All in all, 2021 will hopefully turn devastation into much needed growth and prosperity, but the data protection challenges ahead will definitely test the resilience that we have all learnt to practice in 2020.<\/p>\n\n\n\n<p><em>Eduardo Ustaran is co-director of the Privacy and Cybersecurity practice of <\/em><a href=\"http:\/\/hoganlovells.com\">Hogan Lovells<\/a><em> and an internationally recognised expert in privacy and data protection law. Email <\/em><a href=\"mailto:eduardo.ustaran@hoganlovells.com\">eduardo.ustaran@hoganlovells.com<\/a><em>. Twitter @<\/em><a href=\"https:\/\/twitter.com\/EUstaran\">EUstaran<\/a><em>.<\/em><\/p>\n\n\n\n<p><em>Image Public Domain via <a href=\"https:\/\/www.piqsels.com\/en\/public-domain-photo-jrdhr\">Piqsels<\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Data globalisation after Schrems II Browsing the web. Using apps. Communicating electronically. Shopping online. Working from home. Life as we know it relies on data flowing across geographical borders throughout the world. However, international data transfers have never been more scrutinised. Following the ruling by the Court of Justice of the European Union (CJEU) in [&hellip;]<\/p>\n","protected":false},"author":10,"featured_media":5521,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48,11],"tags":[],"class_list":["post-5520","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-data-protection","category-privacy"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.8 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\r\n<title>Key data protection challenges for 2021 - Internet for Lawyers Newsletter<\/title>\r\n<meta name=\"description\" content=\"Data globalisation after Schrems II Browsing the web. Using apps. Communicating electronically. Shopping online. Working from home. Life as we know it\" \/>\r\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\r\n<link rel=\"canonical\" href=\"https:\/\/www.infolaw.co.uk\/newsletter\/2020\/11\/key-data-protection-challenges-for-2021\/\" \/>\r\n<meta property=\"og:locale\" content=\"en_GB\" \/>\r\n<meta property=\"og:type\" content=\"article\" \/>\r\n<meta property=\"og:title\" content=\"Key data protection challenges for 2021 - Internet for Lawyers Newsletter\" \/>\r\n<meta property=\"og:description\" content=\"Data globalisation after Schrems II Browsing the web. Using apps. Communicating electronically. Shopping online. Working from home. Life as we know it\" \/>\r\n<meta property=\"og:url\" content=\"https:\/\/www.infolaw.co.uk\/newsletter\/2020\/11\/key-data-protection-challenges-for-2021\/\" \/>\r\n<meta property=\"og:site_name\" content=\"Internet for Lawyers Newsletter\" \/>\r\n<meta property=\"article:published_time\" content=\"2020-11-30T11:30:00+00:00\" \/>\r\n<meta property=\"article:modified_time\" content=\"2021-01-04T13:06:51+00:00\" \/>\r\n<meta property=\"og:image\" content=\"https:\/\/www.infolaw.co.uk\/newsletter\/wp-content\/uploads\/2020\/11\/global-data.jpg\" \/>\r\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\r\n\t<meta property=\"og:image:height\" content=\"600\" \/>\r\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\r\n<meta name=\"author\" content=\"Eduardo Ustaran\" \/>\r\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\r\n<meta name=\"twitter:creator\" content=\"@nickholmes\" \/>\r\n<meta name=\"twitter:site\" content=\"@nickholmes\" \/>\r\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Eduardo Ustaran\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\r\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/2020\/11\/key-data-protection-challenges-for-2021\/\",\"url\":\"https:\/\/www.infolaw.co.uk\/newsletter\/2020\/11\/key-data-protection-challenges-for-2021\/\",\"name\":\"Key data protection challenges for 2021 - Internet for Lawyers Newsletter\",\"isPartOf\":{\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/2020\/11\/key-data-protection-challenges-for-2021\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/2020\/11\/key-data-protection-challenges-for-2021\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.infolaw.co.uk\/newsletter\/wp-content\/uploads\/2020\/11\/global-data.jpg\",\"datePublished\":\"2020-11-30T11:30:00+00:00\",\"dateModified\":\"2021-01-04T13:06:51+00:00\",\"author\":{\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/#\/schema\/person\/404f6d488d10c16d7ff8e0ed61b72189\"},\"description\":\"Data globalisation after Schrems II Browsing the web. Using apps. Communicating electronically. Shopping online. Working from home. Life as we know it\",\"breadcrumb\":{\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/2020\/11\/key-data-protection-challenges-for-2021\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.infolaw.co.uk\/newsletter\/2020\/11\/key-data-protection-challenges-for-2021\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/2020\/11\/key-data-protection-challenges-for-2021\/#primaryimage\",\"url\":\"https:\/\/www.infolaw.co.uk\/newsletter\/wp-content\/uploads\/2020\/11\/global-data.jpg\",\"contentUrl\":\"https:\/\/www.infolaw.co.uk\/newsletter\/wp-content\/uploads\/2020\/11\/global-data.jpg\",\"width\":1024,\"height\":600},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/2020\/11\/key-data-protection-challenges-for-2021\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.infolaw.co.uk\/newsletter\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Key data protection challenges for 2021\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/#website\",\"url\":\"https:\/\/www.infolaw.co.uk\/newsletter\/\",\"name\":\"Internet for Lawyers Newsletter\",\"description\":\"Edited by Nick Holmes\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.infolaw.co.uk\/newsletter\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/#\/schema\/person\/404f6d488d10c16d7ff8e0ed61b72189\",\"name\":\"Eduardo Ustaran\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/1ef91770d99a0f1fa392d42d3218e9158c1b68366c13435e0adf5845d570b0fb?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/1ef91770d99a0f1fa392d42d3218e9158c1b68366c13435e0adf5845d570b0fb?s=96&d=mm&r=g\",\"caption\":\"Eduardo Ustaran\"},\"description\":\"Eduardo Ustaran is co-director of the Privacy and Cybersecurity practice of Hogan Lovells and an internationally recognised expert in privacy and data protection law. Email eduardo.ustaran@hoganlovells.com. Twitter @EUstaran\",\"url\":\"https:\/\/www.infolaw.co.uk\/newsletter\/author\/eduardoustaran\/\"}]}<\/script>\r\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Key data protection challenges for 2021 - Internet for Lawyers Newsletter","description":"Data globalisation after Schrems II Browsing the web. Using apps. Communicating electronically. Shopping online. Working from home. Life as we know it","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.infolaw.co.uk\/newsletter\/2020\/11\/key-data-protection-challenges-for-2021\/","og_locale":"en_GB","og_type":"article","og_title":"Key data protection challenges for 2021 - Internet for Lawyers Newsletter","og_description":"Data globalisation after Schrems II Browsing the web. Using apps. Communicating electronically. Shopping online. Working from home. Life as we know it","og_url":"https:\/\/www.infolaw.co.uk\/newsletter\/2020\/11\/key-data-protection-challenges-for-2021\/","og_site_name":"Internet for Lawyers Newsletter","article_published_time":"2020-11-30T11:30:00+00:00","article_modified_time":"2021-01-04T13:06:51+00:00","og_image":[{"width":1024,"height":600,"url":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-content\/uploads\/2020\/11\/global-data.jpg","type":"image\/jpeg"}],"author":"Eduardo Ustaran","twitter_card":"summary_large_image","twitter_creator":"@nickholmes","twitter_site":"@nickholmes","twitter_misc":{"Written by":"Eduardo Ustaran","Estimated reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.infolaw.co.uk\/newsletter\/2020\/11\/key-data-protection-challenges-for-2021\/","url":"https:\/\/www.infolaw.co.uk\/newsletter\/2020\/11\/key-data-protection-challenges-for-2021\/","name":"Key data protection challenges for 2021 - Internet for Lawyers Newsletter","isPartOf":{"@id":"https:\/\/www.infolaw.co.uk\/newsletter\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.infolaw.co.uk\/newsletter\/2020\/11\/key-data-protection-challenges-for-2021\/#primaryimage"},"image":{"@id":"https:\/\/www.infolaw.co.uk\/newsletter\/2020\/11\/key-data-protection-challenges-for-2021\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-content\/uploads\/2020\/11\/global-data.jpg","datePublished":"2020-11-30T11:30:00+00:00","dateModified":"2021-01-04T13:06:51+00:00","author":{"@id":"https:\/\/www.infolaw.co.uk\/newsletter\/#\/schema\/person\/404f6d488d10c16d7ff8e0ed61b72189"},"description":"Data globalisation after Schrems II Browsing the web. Using apps. Communicating electronically. Shopping online. Working from home. Life as we know it","breadcrumb":{"@id":"https:\/\/www.infolaw.co.uk\/newsletter\/2020\/11\/key-data-protection-challenges-for-2021\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.infolaw.co.uk\/newsletter\/2020\/11\/key-data-protection-challenges-for-2021\/"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.infolaw.co.uk\/newsletter\/2020\/11\/key-data-protection-challenges-for-2021\/#primaryimage","url":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-content\/uploads\/2020\/11\/global-data.jpg","contentUrl":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-content\/uploads\/2020\/11\/global-data.jpg","width":1024,"height":600},{"@type":"BreadcrumbList","@id":"https:\/\/www.infolaw.co.uk\/newsletter\/2020\/11\/key-data-protection-challenges-for-2021\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.infolaw.co.uk\/newsletter\/"},{"@type":"ListItem","position":2,"name":"Key data protection challenges for 2021"}]},{"@type":"WebSite","@id":"https:\/\/www.infolaw.co.uk\/newsletter\/#website","url":"https:\/\/www.infolaw.co.uk\/newsletter\/","name":"Internet for Lawyers Newsletter","description":"Edited by Nick Holmes","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.infolaw.co.uk\/newsletter\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Person","@id":"https:\/\/www.infolaw.co.uk\/newsletter\/#\/schema\/person\/404f6d488d10c16d7ff8e0ed61b72189","name":"Eduardo Ustaran","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.infolaw.co.uk\/newsletter\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/1ef91770d99a0f1fa392d42d3218e9158c1b68366c13435e0adf5845d570b0fb?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/1ef91770d99a0f1fa392d42d3218e9158c1b68366c13435e0adf5845d570b0fb?s=96&d=mm&r=g","caption":"Eduardo Ustaran"},"description":"Eduardo Ustaran is co-director of the Privacy and Cybersecurity practice of Hogan Lovells and an internationally recognised expert in privacy and data protection law. Email eduardo.ustaran@hoganlovells.com. Twitter @EUstaran","url":"https:\/\/www.infolaw.co.uk\/newsletter\/author\/eduardoustaran\/"}]}},"_links":{"self":[{"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/posts\/5520","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/comments?post=5520"}],"version-history":[{"count":3,"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/posts\/5520\/revisions"}],"predecessor-version":[{"id":5571,"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/posts\/5520\/revisions\/5571"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/media\/5521"}],"wp:attachment":[{"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/media?parent=5520"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/categories?post=5520"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/tags?post=5520"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}