04 June 2021

1. What have the major developments in the regulatory investigations space been in Data Protection and Cyber Security in the past 12 months?

Last year saw the first tranche of monetary penalties being issued under the GDPR’s strengthened financial penalty regime, under which fines can be up to €20m or 4 per cent of the global annual turnover of the relevant business.

In the UK, the first few significant monetary penalties under the UK version of the GDPR ('UK GDPR') were issued in October 2020, with British Airways being fined £20m for a data breach in relation to a cyber-security incident and Marriott being fined £18.4m for its oversight with respect to carrying out proper due diligence of personal data and of previous cyber-attacks when making a corporate acquisition. Whilst neither of the fines reached 4 per cent of the relevant company’s global turnover, both are clearly still significant figures. Elsewhere, in 2019, French regulator CNIL imposed a €50m fine on Google LLC and the Berlin DPA imposed a fine of €14.5m on Deutsche Wohnen SE for non-compliance with general data processing principles.

While several of these fines were significantly reduced when compared with the regulators’ previous notices of intention to fine, it is clear that regulators have been emboldened by the EU and UK GDPR. Additionally, the fines levied by the ICO were reduced on the basis that British Airways and Marriott have invested in, or have committed to invest heavily in, their respective IT security systems, and that both companies had already suffered reputational damage.

Large UK technology companies are also attracting the attention of regulators in areas beyond personal data protection. Soon after the ICO’s report concerning Adtech (the technologies that allow advertisers to place digital advertisements within milliseconds based on individuals’ online behaviours), the Competition and Markets Authority ('CMA') also reviewed the digital advertising and online platforms market to analyse whether competition, including companies’ use of personal data, is distorted by companies with dominant market power. The CMA further issued advice on how to tackle competition issues in the relevant sectors, following which a Digital Markets Unit has been established and has started working in a non-statutory form. It is expected that the UK government will legislate to provide further details on the future powers of the unit.

2. What are the focus points for regulators which businesses should look out for in Data Protection and Cyber Security in the coming year?

Limited Harmonisation in the EU

In the absence of detailed EU-level guidance on the enforcement of the EU GDPR, some EU data protection authorities have started developing their own approach to enforcement action. For example, German data protection authorities published a detailed five-step methodology for calculating GDPR fines in Germany. With efforts to harmonise data protection practices at the European level being interrupted by the COVID-19 pandemic, we expect harmonisation in the EU to be limited in the next 12 months.

Group Litigation Orders

Recent data protection investigations have also paved the way for group litigation. In October 2019, the Court of Appeal handed down judgment in a representative claim in respect of Google’s unlawful tracking of the internet use of iPhone users. Following Google’s appeal in March 2020, the Supreme Court’s decision is expected later this year. In October 2019, the High Court also granted a group litigation order in respect of the British Airways data breach, which could potentially lead to 500,000 affected customers seeking compensation directly from the airline. Similarly, group litigation claims have been made against easyJet and Marriott in relation to two recent data breaches.

As individuals can recover damages for loss of control of personal data without proving pecuniary loss, despite the COVID-19 pandemic, the possibility remains that 2021 could bring more high-value group litigation claims. It is therefore essential for companies to ensure that key contractual indemnities reflect the increased risk exposure.

Re-focus on pre-pandemic priorities

The pandemic temporarily shifted the ICO’s regulatory priorities over the past 12 months. With the roll-out of COVID-19 vaccines underway, we expect that the ICO will re-focus on the priorities set out in its 'GDPR One Year On' report, including challenges brought about by emerging technologies such as machine learning.

3. What were the major legislative or regulatory changes last year and what can we expect in the next 12 months?

The ICO has published an updated code of practice for data sharing, providing practical advice on responsible data sharing. It has also published several blogs on its investigation into the Adtech sector, which resumed in early 2021 following a temporary pause during the pandemic.

Following the expiry of the Brexit transition period, the UK has transposed the EU GDPR into UK law. However, the UK will become a 'third country' under the EU GDPR, meaning that there will be tighter restrictions on data flows between the UK and EU unless an adequacy decision is granted by the EU. Currently, data transfers between the UK and the EU are permitted to continue on a temporary basis to allow the EU to assess the sufficiency of the UK’s data protection legislation regime and vice versa.

The ePrivacy Regulation, originally scheduled to come into force with the GDPR, has finally been approved by the Council of the EU and will be further negotiated in trilogue negotiations with the European Parliament and European Commission. The regulation extends the current legal requirements on electronic marketing communications and the use of cookies to the new generation of electronic communications service providers, such as WhatsApp and Skype. Whilst the UK will no longer be required to implement the ePrivacy Regulation, given the regulation’s territorial reach and the international nature of the services within scope, UK businesses may still need to comply with some of the requirements.

4. What can we learn from international developments in Data Protection and Cyber Security which may have an impact in the UK?

Since coming into force almost three years ago, the EU GDPR has had a worldwide impact, not only because of its extra-territorial scope but also because it has served as inspiration for a surge in worldwide data protection reform. In the US, the new California Consumer Privacy Act (CCPA) came into effect on 1 January 2020, impacting upon qualifying companies that collect the personal data of California residents, even if not physically located in the state. The CCPA has the potential to set the standard for data protection regulation across the US. Similarly, Chinese legislators published the draft Personal Information Protection Law in 2020.

Closer to home, we saw regulators across Europe dealing with the issue of how to impose monetary penalties under the GDPR, including the French data protection authority’s €50m fine of Google and the German regulator’s publication of its fine methodology, discussed above. These kinds of decisions are setting the tone for the enforcement of the EU GDPR as regulators look to apply sanctions consistently across Member States. Despite Brexit, the ICO is likely to take into consideration the approaches of EU supervisory authorities.

The CJEU handed down the long-awaited 'Schrems II' decision in July 2020. Mr Schrems challenged the adequacy of the US Privacy Shield and the existing Standard Contractual Clauses (SCCs), which are the primary legal mechanisms for permitting data flows from the EU to the US. Mr Schrems’ main concern lies in whether the two mechanisms provide EU data subjects with sufficient protection from allegedly unlawful access to their personal data by US intelligence agencies. The CJEU has ruled that the EU-US Privacy Shield is invalid as it does not provide personal data exported to the US with a level of protection equivalent to that of the EU GDPR. Whilst the SCCs are held to be a valid mechanism under the GDPR, the court has qualified their use in practice and emphasises that data importers and exporters will need to carry out risk assessments and put in place the necessary supplementary measures to ensure the SCCs can be fully complied with in practice. Whilst the European Data Protection Board ('EDPB') has issued guidance on how businesses may carry out the risk assessments mandated by Schrems II, the ICO may issue its own guidance under the UK GDPR. A newer and more user-friendly set of SCCs was also published by the EDPB for consultation in 2020, which is also being reviewed by the ICO.

For more information, please contact your usual Business Crime and Regulatory Investments contact.
