In my last column, I looked back on 2020 from the perspective of information law. It is no exaggeration to say that no one had predicted a year like 2020. So I’m looking forward to what we can expect next year.
Inevitably, some of the trends seen in 2020 will continue. Despite the positive news about the development of some vaccines, COVID will be with us for the foreseeable future. Also, new information challenges may arise as vaccines are deployed and testing improved. Will companies start asking customers to provide proof of vaccination as a condition of service? Does the government choose to issue vaccination certificates to lucky people? These scenarios will continue to test the data method in 2021.
But if 2020 was all about COVID, we can’t anticipate 2021 without talking about Brexit. The UK’s data protection law has been rewritten for the second time in less than three years. Beginning January 1, 2021, the UK will no longer be required to comply with EU law. The GDPR will no longer be automatically applied in the UK as a European regulation. Instead, you need to get used to talking about the UK’s successor, the GDPR. This is especially difficult for UK-based companies that offer goods and services directly to EU consumers. This is because we need to continue to comply with the EU GDPR for EU-based customers while adapting to the new UK GDPR for UK customers.
Fortunately, the UK GDPR is very similar to the EU GDPR. In fact, this is primarily a cut-and-paste job, with minor changes to replace the EU reference with the United Kingdom and remove the requirements for international cooperation and the international role of the ICO. One exception to this is for international data transfers. In my last column, I mentioned the Schrems II decision announced last July. As a result, the EU-US Privacy Shield has been abolished. Unfortunately, things will get even more complicated in 2021. UK-based companies that have customers in the EU or use EU-based service providers need to understand the new rules for international transfers. As the UK is no longer part of the EU, new restrictions will apply to data transfers from the UK to the EU and from the EU to the UK. The former is included in the UK GDPR and the latter is included in the EU GDPR. Also, if a trade agreement is signed between the UK and the EU, this may change at the last minute.
Looking a little further, the two laws inevitably fall apart. In December, when the UK government announced an online harm bill and the European Commission announced plans for a digital services law the next day, I had a bit of a taste of how it works. These two very different legislative plans share a similar purpose of regulating the big tech giants in the United States. Expect more duplication of this type.
In addition, there is the Brexit government. If we can go back to 2016, one of Brexit’s stated objectives was to regain control of our law. In addition, many of our information laws are strongly influenced by European law, such as the reuse of environmental information regulations and public sector information regulations, as well as data protection. So what will the UK government do when EU law restrictions are lifted? We haven’t seen much confusion, at least in the short term, but we don’t expect it. I don’t feel a great desire for change, and there are many competing priorities in 2021.
Still, as a data protection attorney, I first welcome improvements to data protection legislation. At present, they are very complex, difficult to interpret, and almost intrusive to the majority of people. Companies struggle to apply them to everyday situations and are often at the mercy of bad advice. It does nothing to improve compliance, but it can cost a lot of money. There is plenty of room for improvement without necessarily compromising personal rights or data security. But perhaps that’s a topic in another column.
Finally, there will be a change of information commissioner in 2021. Elizabeth Denham’s five-year term ends in July 2021. The ICO is currently a large and powerful regulator, but postholders have ICO priorities and approach the reflection of incumbent commissioners. We don’t know exactly in which direction the new commissioner will take office, but we anticipate a change in emphasis as the new appointees are trying to make a personal mark in 2021.
Of course, if it’s something like 2020, it’s expected to be unexpected in 2021.
My data protection forecast for 2021
https://bmmagazine.co.uk/opinion/jon-belchers-data-protection-predictions-for-2021/ My data protection forecast for 2021