THE DEVIL'S IN THE DATA - OUR PRIVACY PREDICTIONS FOR 2022 - Herbert Smith ...

Page created by Lewis Greene
 
THE DEVIL'S IN THE DATA – OUR
PRIVACY PREDICTIONS FOR 2022
02 February 2022 | Insight
Legal Briefings

Data privacy will remain risky and unpredictable for firms doing
business across borders

This article was first published on International Data Privacy Day (that's 28 January for
civilians) but the awkward truth for the business community is that data handling will remain
stubbornly high up the agenda throughout 2022.

We are now one year on from the introduction of the UK GDPR in a post-Brexit Britain. Two
years on from the start of a global pandemic, which forced a discussion around the tension
between public health and data privacy. And over three years on from the GDPR coming into
force across Europe, and by extension the world. Yet the passing time has done nothing to
diminish the intense focus on data in a rapidly digitising global economy in which information
is a crucial commodity. But if nothing is simple about the flux of privacy law and regulation,
our predictions for what's in store in 2022 will at least leave you forewarned.

UK DATA PROTECTION REFORM
2021 was the year the UK Government hinted it might think outside the box in data
protection regulation. In September 2021, the UK Department for Digital, Culture, Media and
Sport (DCMS) published a wide-ranging consultation on data protection reform. The
consultation is the first step in government plans to deliver on ‘Mission 2’ of the National
Data Strategy, underpinned by a desire to boost innovation and economic growth for UK
businesses while strengthening public trust in data use. The proposals were expansive,
seeking to create an adaptable and dynamic set of rules underpinning trustworthy use of
data. They mark a move from the trend of recent years for prescriptive frameworks towards a
more outcome-focused regime, to reduce burdens on business. The consultation closed in
November 2021, with the results expected this spring. For further detail about the reform
proposals, see our post.

A NEW UK REGULATOR
On 4 January 2022, John Edwards began a five-year term in his new role as UK Information
Commissioner, succeeding Elizabeth Denham CBE. The new regulator spent the past eight
years as New Zealand Privacy Commissioner, before that working as a barrister. The new
Information Commissioner’s agenda and priorities will become clearer during his first full year
in the role. However, it seems likely that one of his early priorities will be the introduction of
the Age Appropriate Design Code to protect children online, together with the Online Safety
Bill.

THE FALLOUT FROM ENFORCEMENT – PRIVACY NOTICES AND COOKIES
2021 saw significant enforcement action – including fines of EUR746 million, EUR225 million
and EUR150 million. Interestingly, these fines did not result from big data security breaches;
rather, we have seen a regulatory focus on data protection principles – particularly
transparency – and cookies. While, in the UK at least, it is possible that current rules around
cookie consents may be relaxed as a result of data reform proposals described above, it
seems likely that this kind of enforcement could trigger widespread updates to privacy
notices and cookies practices in 2022.

TESTING EU COOPERATION ON GDPR
Although 2021 has seen significant EU GDPR regulatory action, it has also shone a spotlight
on differences between Member State regulators' enforcement stance. In the 2021 WhatsApp
enforcement action, objections raised by EU regulators to the Irish Commissioner’s proposed
enforcement resulted in a referral to the European Data Protection Board for resolution. In
December 2021, MEPs also sent a letter to EU Justice Commissioner Reynders to raise
concerns about Irish enforcement of GDPR. What is clear is there is a significant discrepancy
between EU supervisory authorities. Could 2022 be the year the GDPR’s cooperation
mechanism is tested to its limits? Or could we see individual Member State regulators forging
their own path?

INTERNATIONAL DATA TRANSFERS – VOLUME 1 (EU SCC RE-PAPERING)
On 27 September 2021, the new EU standard contractual clauses (SCCs) came into force for
the transfer of personal data from the EEA to third countries under the GDPR. From that date,
the SCCs have been used for any new agreements entered into that rely on model EU data
transfer clauses to legitimise the transfer of personal data from the EEA to third countries
under GDPR. Existing agreements incorporating the old EU SCCs remain valid and provide
safeguards until 27 December 2022, meaning that for many organisations 2022 is likely to
involve the not-insignificant task of 're-papering' agreements relying on the old EU SCCs and
replacing them with the new equivalents.

INTERNATIONAL DATA TRANSFERS – VOLUME 2 (THE UK POSITION)
In August 2021, the UK Information Commissioner published a consultation on international
data transfers. The regulator published a draft agreement to address transfers of personal
data outside of the UK; a draft international transfer risk assessment guidance note and tool;
and a draft UK addendum for inclusion to the EC's standard contractual clauses. The
consultation closed on 7 October 2021 and we expect to see legislative proposals in 2022,
which will finally give organisations certainty on the UK approach to international data
transfers. However, depending on the results of the UK Government's own data protection
reform consultation (see above), this is unlikely to end the saga. For more analysis on the
ICO’s proposals, see our blog post.

INTERNATIONAL DATA TRANSFERS – VOLUME 3 (SAFE HARBOR 3.0?)
Shortly after the Schrems II judgment, the US Department of Commerce and the EC began
discussions on an enhanced EU-US Privacy Shield framework to comply with the ruling.
However, discussions do not seem to have progressed much during 2021 and, without
root-and-branch reform of US surveillance law, it remains unclear how any such framework would
avoid the fate of its predecessors the Privacy Shield and US Safe Harbor. Could 2022 be the
year governments in multiple jurisdictions manage to find a way through the legal
complexities raised by the Schrems II judgment to allow the international transfer of data on
a practical level?

EPRIVACY AND COOKIES
We have covered the proposed ePrivacy Regulation in our previous data protection
predictions and yet the question remains as to whether 2022 will be the year this legislation
makes it through the process. Even without the proposed new EU regulation, some EU
agencies have made their focus on cookies very clear – the French data watchdog CNIL has
recently taken significant enforcement action against both Google and Facebook for breaches
of cookie rules. The UK's recent consultation on data protection reform also addressed the
area, questioning the viability of current rules on cookie consents. As a result, whether via
legislation, policy reform or regulatory action, it seems clear that cookies will be a frequent
dish in 2022.

TECH VS DATA REGULATION – THE RACE CONTINUES
2021 saw continued focus from organisations and regulators on innovative technologies and,
in particular, AI. Commercial application of AI has surged alongside attempts by data
regulators to keep pace, protect the privacy of individuals, and ensure fairness in an
increasingly AI-driven world. An example of this was the UK Information Commissioner’s 2021
consultation on the use of the beta version of its AI and data-protection risk mitigation and
management toolkit. Expect even more focus in 2022 on the use of AI and innovative
technologies against the backdrop of changing data privacy legislation. For more on the ICO's
AI review, see our previous article.

DATA CLASS ACTIONS REBORN?
In November 2021, the Supreme Court overturned the Court of Appeal’s decision in the high
profile Lloyd v Google case. A ruling against Google would have likely opened the floodgates
for class actions for loss of control of personal data to be brought on behalf of huge numbers
of individuals. The case was pursued under the 1998 Data Protection Act, rather than the
GDPR, which superseded it. While there may be read across to the current UK GDPR regime,
Lord Leggatt specifically stated he was not considering the later legislation and this could
potentially leave the door open for future loss-of-control claims under GDPR. After Morrisons
in 2020 won a court battle that rejected its liability for a data breach and now Lloyd v Google,
could 2022 see another data class action reach the courts? For more analysis on the Lloyd v
Google ruling, see our recent article.

A version of this article first appeared in our Data Notes blog, which has all the
latest news and commentary from our team

KEY CONTACTS
If you have any questions, or would like to know how this might affect your business, phone,
or email these key contacts.

MIRIAM EVERETT, PARTNER, LONDON: +44 20 7466 2378, Miriam.Everett@hsf.com
DUC TRAN, OF COUNSEL, LONDON: +44 20 7466 2954, Duc.Tran@hsf.com
ANGELA CHOW, SENIOR ASSOCIATE, LONDON: +44 20 7466 2853, angela.chow@hsf.com
CHLOE KITE, ASSOCIATE, LONDON: +44 20 7466 2540, chloe.kite@hsf.com

© HERBERT SMITH FREEHILLS LLP 2022