In the European Union (“EU”), 2020 saw significant developments in the evolution of the data protection and cybersecurity landscape. The Court of Justice of the EU (“CJEU”) in Schrems II struck down the legality of the EU-U.S. Privacy Shield, on which companies relied to transfer personal data from the EU to the US. In Schrems II, the Commission re-examined whether the Privacy Shield complies with GDPR requirements, i.e., whether it affords a level of protection of fundamental rights equivalent to that guaranteed under EU law. The CJEU found that the interference arising from US surveillance law, e.g., FISA, did not ensure equivalent protection because data subjects had no actionable rights before the courts against US authorities. Additionally, there were no adequate remedies available to data subjects to access or rectify their personal data. In its FAQs on Schrems II, the European Data Protection Board (“EDPB”) stated that no “grace” period is granted to entities that relied on the EU-U.S. Privacy Shield. Entities relying on the now invalidated Privacy Shield should immediately put other data transfer mechanisms or frameworks in place. While companies are turning to other frameworks to transfer personal data, such as Standard Contractual Clauses (“SCCs”) and Binding Corporate Rules (“BCRs”), EU law compels these companies to ensure that personal data will be safeguarded. The adoption of new SCCs will bring more certainty to companies that relied on this framework to transfer personal data, while reducing implementation costs as well. The EDPB posits that, given a change in the US federal administration and the need for legal certainty to facilitate cross-border commercial activity in the current economic context, the EU and the US will work swiftly towards a mechanism that can resolve transatlantic transfers once and for all.
It would seem best for all companies to closely follow EDPB changes and to instruct data controllers who rely on SCCs and BCRs to transfer data to ensure that the level of protection required by EU law is respected in the third country concerned. If personal data is not adequately protected in the importing country, the controller or the processor should determine what supplementary measures would be needed to ensure an equivalent level of protection and implement them before they become law.
With respect to the pandemic, while EU data protection laws were not meant to hinder the deployment of measures to trace the evolution of the virus, EU supervisory authorities stress that this should not come at a cost in terms of privacy. These standards will remain high as Member States commence their vaccination plans. The EU plans to propose issuing a certificate called a Digital Green Pass that would let people who have been vaccinated against the coronavirus travel more freely. Implementing a system to issue certificates will take coordinated technical and legal effort; it is no small task. It is also unclear what legislative steps would be required, or whether the system would extend beyond European Union citizens. Regarding tracing and detection data, public administrations and companies have to assess the proper retention periods applicable to the storage and archival of such information.
As a consequence of the COVID-19 pandemic, a number of public, corporate, and workplace practices have emerged to limit the spread of the virus, all of which have privacy implications. To respond to this, many EU Member States have smartly issued rules and guidelines balancing privacy and the processing of personal data in the context of the pandemic.
In the area of cybersecurity, EU and Member State supervisory authorities and cybersecurity agencies have continued to be active in the adoption of measures and decisions that enhance and enforce cybersecurity standards. The EU Agency for Cybersecurity (“ENISA”) has the mandate of increasing the protection of public and private networks and information systems, developing and improving cyber resilience and response capacities, and developing skills and competencies in the field of cybersecurity, including management of personal data. ENISA has developed a strategy that sets out objectives, including effective cooperation amongst operational actors within the EU in case of massive cyber incidents, the creation of a high level of trust in secure digital solutions, and efficient and effective cybersecurity information and knowledge management for Europe.
In conclusion, data privacy isn’t new; the attitude shift is. People demand more, and the changes that have occurred in the workplace due to the pandemic make it critical for businesses to be privacy-compliant across the entire enterprise. In no other area will businesses be required to balance public health, legal obligation, and personal privacy. Data ethics will be important as consumers care less about their data being captured and more about how it is used. The definitions of consent, selling, and sharing will remain important. Expectations will be placed on businesses to communicate how they handle data, i.e., where it is going and who it is going to. Privacy protection will need to be continuous and holistic. Securing data and day-to-day operations from remote locations will be a significant focus. The blurring of personal and professional lives and the role of mobile devices will require businesses to determine how they protect their data and track its use while not inadvertently monitoring employees’ personal lives. With GDPR, the focus is on fines. The fear of violating the law should make responsible businesses comply at every turn. This will continue as more US legislation is put into play. Businesses will have to sort out the confusion that multiple legal frameworks cause. They will have to understand what is required to become compliant, perhaps reversing years of naively irresponsible data use. The turmoil of 2020 has provided some protection, but 2021 will see a return to stricter measures. The European Data Protection Board has instructed European Supervisory Authorities to increase scrutiny and shorten their patience. 2021 is likely to see more, and more considerable, fines. No matter what trends play out in 2021, continuous privacy is going to determine whether an organization is safe or not!
Our Withers team can help you safely prepare your business from both a technical and legal standpoint, incorporating these emerging technology trends in a customized, secure and efficient manner. We have the experience and know-how to help you stay ahead of the competition.