In my last column, I looked back at 2020 from an information law perspective. It’s safe to say that no-one would have predicted a year like 2020. And so it’s with some trepidation that I look forward to what we might expect in the year to come.
Inevitably, some of the trends that we saw in 2020 will continue. Despite positive news about the development of several vaccines, COVID will be with us for the foreseeable future. And as vaccines are rolled out, and testing improves, we may see novel information challenges. Will businesses start asking customers to provide proof of vaccination as a condition of service? Will the Government choose to issue the lucky ones with vaccination certificates? These scenarios will continue to test our data laws in 2021.
But if 2020 was all about COVID, we can’t look ahead to 2021 without talking about Brexit. For the second time in a little under three years, the UK’s data protection laws are being re-written. From 1 January 2021, the UK will no longer be required to follow EU law. The GDPR, as a European regulation, will no longer automatically apply in the UK. Instead, we’ll all need to get used to talking about its successor, the UK GDPR. This will be especially challenging for UK-based businesses which offer goods or services directly to consumers in the EU, as they will need to continue complying with the EU GDPR for their EU-based customers while adapting to the new UK GDPR for UK customers.
The good news is that the UK GDPR looks a lot like the EU GDPR. In fact, it’s largely a cut-and-paste job, with minor changes to replace references to the EU with the UK and to remove the requirements around international co-operation and the ICO’s international role. The one exception to this is around international data transfers. In my last column, I mentioned the judgment in the Schrems II case, published last July, which led to the demise of the EU-US Privacy Shield. Unfortunately, things are going to get a lot more complicated in 2021. UK-based businesses that have customers in the EU, or which use service providers based within the EU, will need to get to grips with the new rules on international transfers. As the UK will no longer be part of the EU, data transfers from the UK to the EU, and from the EU to the UK will be subject to new restrictions, the former contained within the UK GDPR and the latter in the EU’s GDPR. And this could be subject to last-minute changes should there be a trade deal between the UK and the EU.
Looking a little further ahead, the two sets of laws will inevitably drift apart. We had a small taste of how that might work in December when the UK Government announced its Online Harms Bill and then a day later the European Commission announced plans for a Digital Services Act. These two very different legislative plans share a similar objective of regulating the US big tech giants. Expect to see more of this type of duplication.
In addition, we have a Brexit government. One of the stated purposes of Brexit, if you can remember back to 2016, was to take back control of our laws. And many of our information laws are heavily influenced by European law – not only data protection but also the Environmental Information Regulations and the Re-use of Public Sector Information Regulations. So what might the UK Government do when it is no longer constrained by EU law? We don’t know but don’t expect to see a significant shakeup, at least in the short term. I don’t sense any big appetite for change, and there will be a lot of competing priorities in 2021.
Nevertheless, as a data protection lawyer, I would be the first to welcome improvements to our data protection laws. As they stand, they are overly complex, difficult to interpret and largely impenetrable for the majority of people. Businesses struggle to apply them to everyday situations and are often at the mercy of bad advice, which does nothing to improve compliance but can cost a fortune. There’s a lot of room for improvement, without necessarily reducing the rights for individuals or security of data. But perhaps that’s a topic for another column.
Lastly, we will see a change of Information Commissioner in 2021. Elizabeth Denham’s five-year term in the post comes to an end in July 2021. The ICO is now a big and powerful regulator, but it remains on one level the personal office of the post-holder, with the ICO’s priorities and approaches a reflection of the incumbent Commissioner. While we don’t know precisely in which direction the new Commissioner may choose to take his or her office, we can expect a change of emphasis as the new appointee seeks to make their personal mark in 2021.
Of course, if it’s anything like 2020, you should expect the unexpected in 2021!