Data Privacy Day – how are you celebrating?
28 January 2021
How are you celebrating Data Privacy Day?
At Bedell Cristin we're looking back at the data protection headlines from 2020 and looking forward at what's to come in 2021. What do you need to know?
Invalidation of the EU-US privacy shield
2020 saw the EU-US privacy shield deemed inadequate by the EU courts, meaning that it can no longer be used as a mechanism for transferring personal data from the EEA to the US. The silver lining was that the judgment confirmed the validity of using standard contractual clauses for the international transfer of personal data, with one caveat: before using them, the parties must make an assessment, on a case-by-case basis, of whether such clauses would actually provide the appropriate level of protection.
Broadly speaking, the privacy shield enabled the free flow of personal data into the US so long as the recipient had committed to GDPR-equivalent data protection standards by registering as a participant in the US's privacy shield framework. The register was public and easy to check online. The invalidation means that anyone transferring personal data to the US on the strength of the privacy shield has had to look to other acceptable mechanisms for doing so, and quickly, as there was no grace period.
Privacy issues arising out of Covid-19
Along with everything else, the pandemic threw up issues of data privacy. Businesses had to ask staff to report symptoms and illness, but how much could they ask and who could they tell? Also, with home-working becoming the norm, how could they ensure that staff continued to adhere to good data privacy practices? A 'Jersey COVID Alert' app was launched and had a good take-up (close to 50,000 users since launch).
Helpfully, the Jersey Office of the Information Commissioner (the "Jersey OIC") was quick to provide guidance to businesses, reassuring them that data protection legislation permits processing (including disclosure) of personal data in cases where it is deemed necessary for the protection of public health, so long as there are appropriate safeguards in place to protect the rights and freedoms of data subjects. They also confirmed that they would not take action against those businesses that have tried to comply with their usual data protection practices, but have been hampered in their efforts by the pandemic. Likewise, the app featured reassuring privacy by design, using anonymisation so that no personal identity information was captured. And the app architecture documents were made openly accessible, providing transparency for those computer-savvy enough to inspect the source code.
The Brexit deal was finalised, and we learned what its implications would be for cross-border data flows between the UK and the EU. In a nutshell, nothing is to change for at least six months (data can flow as freely as it did before), with the EU committed to securing a positive adequacy decision for the UK in the near future.
Jersey had already amended its legislation to prevent the UK from becoming a third country post-Brexit, but it is a relief to see that the EU is not likely to cast the UK out into the cold, which would have put a strain on our own relationship with the EU and our own status as an 'adequate jurisdiction'. Like a child with divorced parents, we would not want to be asked to choose between them!
The roll-out of the Covid vaccines will bring hope to many that we may return to something approaching 'normal life' soon. But it will also bring more questions from a data privacy perspective. Will it be permissible to ask people (staff, job applicants, other people attending your workplace) whether or not they have been vaccinated?
New standard contractual clauses
The European Commission is expected to adopt new standard contractual clauses ("SCCs") early in 2021. That is, new SCCs for international transfers and new SCCs for data controllers engaging data processors. The new SCCs will be more comprehensive, reflecting the higher standards introduced in 2018 by the General Data Protection Regulation (the "GDPR"), but also addressing some of the issues coming out of the EU court's decision on the EU-US privacy shield (see above). A 12-month grace period is anticipated, within which businesses relying on SCCs for international transfers will need to update their existing contractual frameworks to the new standards.
As time passes since the implementation of the GDPR (and equivalent legislation outside the EU), the expectation is that data protection authorities will have less of a focus on awareness, information and encouraging compliance and more of a focus on enforcement. That said, due regard will surely be had to the continued strain placed on businesses by the pandemic. This was seen last year in the reduction of data breach fines by the UK Information Commissioner's Office against British Airways and Marriott, where the economic effect of the Covid-19 pandemic on the two businesses was taken into account. See also the reassurances given by the Jersey OIC, mentioned above.
Don’t forget, the deadline for renewing your registration with the Jersey data protection authority is 28 February 2021.
If you would like any further information, please get in touch with your usual Bedell Cristin contact or one of the contacts listed.