2020 was a year we will never forget. In the world of data protection, 2020 was perhaps the most turbulent year since the entry into force of the EU General Data Protection Regulation (GDPR) in 2018. Ahead of the Council of Europe’s annual Data Protection Day on 28 January 2021, we unpack the key data protection stories of 2020 and look ahead to what 2021 has in store.
March 2020: COVID-19 Raises Data Protection & Cybersecurity Issues
COVID-19 has required businesses to adapt to remote working environments and introduce new procedures to ensure customers and employees remain safe. Data protection and cybersecurity play an important role in these measures and you can read our top tips for compliance here and here.
April 2020: DPC Publishes Guidance and Report on Cookies
May 2020: First GDPR Fine Issued by DPC
In May 2020, TUSLA, the Irish Child and Family Agency, was issued with multiple fines by the DPC for breaches of the GDPR. The announcement of the first fine of €75,000, which related to three incidents, was confirmed mid-May with news outlets reporting a second fine of €40,000 also being imposed. The €75,000 fine was confirmed by the Circuit Court in November 2020. You can read more here.
July 2020: Schrems II Impacts International Transfers of Personal Data
In July 2020, the Court of Justice of the European Union (CJEU) delivered its landmark decision in C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Schrems II). The case concerned the transfer of personal data to and out of the European Economic Area (International Transfer) and examined the “appropriate safeguards” for protecting personal data subject to an International Transfer. The CJEU ruled that the:
- Privacy Shield, the popular means for the transfer of personal data to the United States, does not constitute an appropriate safeguard for International Transfers – entities transferring personal data (data exporters) to the US using Privacy Shield must find an alternative solution; and
- Standard Contractual Clauses (SCCs) are valid for International Transfers but, depending on the prevailing position in a particular country, the data exporter may need to adopt supplementary measures to the SCCs to ensure personal data remains protected to a standard essentially equivalent to the GDPR.
Data exporters using Privacy Shield have scrambled to put in place alternative legal mechanisms for International Transfers to the US whilst those using SCCs have struggled with the concept of supplementary measures. You can read more here.
October 2020: Data Retention & Mass Surveillance in the Spotlight
On 6 October 2020, the CJEU delivered judgment in two landmark decisions (case C-623/17 Privacy International; and joined cases C-511/18 La Quadrature du Net and others, C-512/18 French Data Network and others, and C-520/18 Ordre des barreaux francophones et germanophone and others) concerning the lawfulness of legislation in certain member states which required providers of electronic communications services to forward users’ traffic data and location data to a public authority, or to retain such data. The cases centre on the “general and indiscriminate” transmission and retention of traffic data and location data and the rulings have important implications for International Transfers in light of Schrems II. You can read more here.
November 2020: Guidance on Schrems II and New SCCs Published
November 2020 saw the publication of:
- draft guidance by the European Data Protection Board (EDPB) on the supplementary measures envisaged by Schrems II. This guidance was published for public consultation which closed 21 December 2020.
- guidance by the EDPB on essential guarantees for surveillance measures. The guidance was adopted outright by the EDPB.
- new draft SCCs (New SCCs) by the European Commission (Commission). The New SCCs were published for public consultation which closed 10 December 2020.
The supplementary measures guidance and New SCCs are subject to further modifications based on the results of the public consultation. This guidance and the New SCCs need to be carefully considered by all data exporters and you can read more here.
December 2020: DPC Imposes €450,000 Fine on Twitter
On 15 December 2020, the DPC imposed its first “big tech” GDPR fine of €450,000 on Twitter as a result of its handling of, and response to, a data breach. The DPC found that Twitter infringed Article 33(1) and 33(5) of the GDPR in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach. You can read more here.
December 2020: Brexit Deal Brings Grace Period for UK Data Transfers
The UK-EU Trade and Co-operation Agreement provided a lifeline to data exporters as it provides for the transfer of personal data to and from the UK without additional safeguards for a temporary period of up to six months from 1 January 2021. You can read more here.
Milestones in European data protection law and practice will continue to capture international audiences in 2021. In particular, data exporters eagerly anticipate:
- finalisation of New SCCs: The New SCCs are expected to be finalised by the Commission in 2021. When the New SCCs take effect, data exporters will have a one-year grace period to implement them. The New SCCs currently published in draft form raise a number of considerations for data exporters and William Fry have submitted feedback to the Commission on this draft. You can read more here.
- future of UK data transfers: The temporary period for UK data transfers will end in 2021 and we will learn what measures, if any, parties will need to implement in order to legitimise transfers of personal data to the UK.
We also anticipate more enforcement by the DPC this year. In its annual report published 20 February 2020, the DPC noted that it had 70 statutory inquiries in hand as of 31 December 2019. We expect many of these statutory inquiries will reach their conclusion this year.
Contributed by Kate Corcoran