The data protection developments of 2021 were unparalleled to any other year and paved the way for lively discussion amongst the media, businesses and consumers. The Council of Europe’s annual Data Protection Day, which takes place today, serves as a prompt to reflect on and unpack the key data protection stories of 2021, as well as to consider what lies ahead in 2022.
2021 will be remembered as a hugely progressive and exciting year:
- in the data transfer landscape, the European Commission (the EC) finally published the new standard contractual clauses (SCCs), which businesses globally are working through to be ready for 27 December 2022. The EC also issued an adequacy decision for the UK – we discuss these developments further below;
- William Fry also published its Global Trends in Technology & Data Report (here). This identified Ireland as a leading location for data-related investment in the European Union, with 93% of C-suite industry leaders surveyed believing that data-driven investment in Ireland is possible or likely in the next 18 months.
February 2021: Health Research Rules Updated
February saw the introduction of rules on the processing of personal data for health research purposes with the implementation of the Data Protection Act 2018 (Section 36(2)) (Health Research) (Amendment) Regulations 2021. For a full William Fry briefing on the Regulations, click here.
March 2021: Joint Opinion on the EU’s Digital Green Certificate
On 31 March 2021, the European Data Protection Board (EDPB) and the European Data Protection Supervisor released a Joint Opinion (04/2021) regarding the EU’s Digital Green Certificate (Certificate) and the proposed Regulation which provided the framework for the Certificate. The Joint Opinion highlighted the areas where further alignment between the proposed Regulation and the EU data protection framework was needed. You can read more about it here.
April 2021: Data Protection Commission (DPC) Considers What is Reasonable and Proportionate to Verify the Identity of a Data Subject?
In April, the DPC’s decision in Re Groupon International Ltd (Groupon) highlighted the need for organisations to consider the principles of data minimisation and proportionality when verifying individuals’ identities in data subject rights requests. For a more detailed analysis, click here.
June 2021: A Significant Month in the Data Transfer Landscape
- New SCCs: The EC published a new version of the SCCs for transfers of personal data from the EU/EEA to third countries. The new SCCs addressed the deficiencies in the pre-existing SCCs and introduced some new features such a docking clause (allowing for multiple parties to be subject to the same set of SCCs). Without a doubt, however, the hallmark feature of the new SCCs is their modular structure (allowing for a variety of transfer scenarios between parties).
- UK Adequacy: On 28 June 2021, the EC adopted its adequacy decision for the UK. This meant that personal data could continue to flow freely from the EU/EEA to the UK on the expiry of the Brexit transition period. For the first time, the EC preconditioned an adequacy decision with a ‘sunset clause’ (which means that the decision will automatically expire four years after its entry into force).
- William Fry Report: Also in June, William Fry published its Global Trends in Technology & Data Report (here). This identified Ireland as a leading location for data-related investment in the European Union, with 93% of C-suite industry leaders surveyed believing that data-driven investment in Ireland is possible or likely in the next 18 months.
July 2021: Landmark Decision as DPC Fines WhatsApp €225m in Joint Decision with the EDPB
27 July 2021 marked the milestone data protection decision of the year, as the DPC (acting as lead supervisory authority) announced its joint decision with the EDPB concluding its 3-year inquiry into WhatsApp’s compliance with the transparency requirements imposed by the General Data Protection Regulation (GDPR). The DPC found that WhatsApp breached its transparency obligations under the GDPR by failing to give data subjects, both users and non-users of its messaging app, appropriate information regarding how it processes their personal data. An administrative fine of €225m was imposed on WhatsApp, the highest fine in the history of the DPC. Significantly, the DPC also imposed an order for WhatsApp to bring its processing activities into compliance with the GDPR by taking a number of specified remedial actions.
September 2021: Organisations Required to Use New SCCs
From 27 September 2021, it became mandatory for organisations to use the new SCCs for any new transfers legitimising the transfer of personal data from outside the EU/ EEA to a third country.
December 2021: EU Commissioner for Justice Defends the DPC
The year concluded with a showing of strong and public support from Commissioner Reynders for the DPC. The DPC was subject to criticism from a small number of MEPs, who alleged that the DPC was behind on investigating and concluding complaints against large internet platforms. Commissioner Reynders reminded the MEPs that the DPC was facing complex matters, a remark which was viewed as supporting the DPC’s approach. He also described a complaint regarding an apparent delay in the DPC’s handling of the number of cross-border cases as a “misinterpretation.” For more, see here.
Data protection developments will continue to captivate public and board room discussion in 2022. In particular, we anticipate:
Increased Enforcement from the DPC:
- In its Regulatory Strategy for 2022-2027, the DPC sets out an ambitious vision for what it believes will be five crucial years in the continuing to regulate the evolution of data protection law. Amongst other things, the strategy aims to: increase the DPC’s stakeholder engagement (e.g. issue more guidance and case studies will be published on a quarterly basis, rather than annually); take a more targeted approach to complaints (e.g. by prioritising complaints which have the “greatest systemic impact”); and focus on protecting the data protection rights of children and vulnerable persons (e.g. by enforcing its December 2021 Children’s Fundamentals).
At Least Two Major DPC Decisions:
- Facebook Ireland: In May 2021, the High Court delivered a ruling against Facebook Ireland in the latest Schrems II fallout action. This paved the way for a subsequent DPC investigation which is currently ongoing. The DPC sent a draft decision to the EDPB in October 2021, which recommended an administrative sanction of between €28m to €36m. The DPC is now seeking submissions from other EU data protection authorities before it will issue a final decision. As such, a development on this decision can be expected in early 2022.
- WhatsApp: In November 2021, WhatsApp secured permission from the High Court to apply for judicial review of the DPC’s August 2021 decision. WhatsApp is seeking to argue that the DPC’s decision should be set aside, claiming it is unconstitutional and incompatible with the European Convention on Human Rights. Businesses will be monitoring this development, as any changes to their privacy notices following the WhatsApp decision, if needed, would be substantial. The standard set out in the judgment arguably goes beyond that of most privacy notices currently in place for businesses.
All Businesses to Move Over to the New EU SCCs by December 2022
- Organisations have until 27 December 2022 to transition existing sets of the “old” SCCs over to the new SCCs. It is important for organisations to start taking steps now to review their existing sets of “old” SCCs and identify those which need to transition to the new SCCs.
Contributed by Jordie Sattar and Rachel Hayes