As the year 2020 is coming to an end, it's time to make predictions and plans for 2021. Continuing our GDPR series, this blog will focus on some of the hottest talking points at the moment, which will most likely become the forces of change among all the companies processing personal data.
Data protection is something we all occasionally see mentioned in the news, especially in 2020, when a lot of people have been working from home and companies have, at times, struggled to find safe and secure ways of providing services online.
The data protection landscape in 2020 has also been tumultuous. Here's our take on the top 3 topics to keep an eye on next year.
The transition period for the United Kingdom leaving the European Union ends on 31 December 2020. This means that the UK will automatically drop out of the EU's main trading arrangements (the single market and the customs union), if there's no trade deal by 31 December 2020.
The latest information is that the negotiations between the UK and EU are still ongoing and there is no clarity around what is going to happen and what the new rules will be for data protection after the transition period.
Something to keep in mind is that even if the trade deal is agreed on, the free flow of data UK companies are accustomed to would still need an adequacy decision from the European Commission. The latest news on that is even more complicated than the trade deal agreement, and the UK’s upper chamber, the House of Lords, has expressed their worry in a report that “there is a possibility that the Commission may not grant the UK a data adequacy decision”.
Issuing an adequacy decision is a long process, but for UK companies it is crucial for conducting business with their EU partners and processing personal data. Time will tell how the EU Court of Justice's decision (number C-623/17), made in October, regarding the British security and intelligence agencies' extensive data processing will affect the process. The UK's Information Commissioner's Office has issued several guidelines on its website about how to prepare for the end of the transition period.
In connection to Brexit, the UK will also have to change their laws internally, as EU-level directives and regulations are not applicable after the transition period. This may also mean changes in the data protection legislation.
In addition, next year may be the year when we hear more about AI and ePrivacy legislation initiatives at EU level.
For example, the Estonian Government is on a path to start regulating AI. The so-called “AI Act” would regulate all algorithmic systems.
India, China, Canada, and many more countries are moving forward with their data protection law initiatives. According to IAPP, there are 15 data protection legislative statutes/bills in total currently in the making in the US.
The real struggle for companies will be how to keep up with all the legislative changes, and then how to comply with all the requirements. At Veriff, we're keeping an eye on the changes happening in the world, so on top of providing a world-class service we're also doing our very best to share our knowledge and help our clients comply with the data protection regulations.
Due to the European Court of Justice decision (number C-311/18) to invalidate the Privacy Shield, the world is still waiting in the dark for a way forward. Will there be new Standard Contractual Clauses or a new adequacy decision for the US?
At least both parties, the US and the EU, expressed in August a mutual intention to find a long-term solution.
Two new initiatives have been published recently.
First, the EU published a draft version of new Standard Contractual Clauses. Instead of several templates to choose from, the EU Commission introduced one template covering different processor-controller relationships. One aspect mentioned in the draft Commission decision is that it provides a one-year transitional period after it enters into force. This means that, most likely, Data Protection Addendums should already be updated to the new version of the Standard Contractual Clauses in 2021.
Secondly, the European Data Protection Board has issued a framework of recommendations for international data transfers. The most challenging would definitely be steps 3 and 6: regularly assessing whether the Article 46 GDPR transfer tool you're relying on is effective, in light of all circumstances of the transfer. This requires a lot of time and effort for the relevant legal research into different legislation, on top of regular due diligence.
Because Privacy Shield is the second EU-US adequacy decision to be invalidated (Safe Harbour was declared invalid in 2015), it would be extremely difficult to put another adequacy decision in place if fundamental changes are not made to national legislation.
Although there may seem to be more questions than answers at the moment, hopefully next year brings more clarity and guidance from authorities.
Wishing you all great accomplishments in keeping data safe and secure for 2021!