2021 was a hectic year for everyone. The data protection world was also bustling with a ton of new guidance, recommendations, case law and more for businesses to keep up with. It’s easy to lose track of all the important changes, but fear not. This blog guides you through the growing data protection and GDPR landscape by looking back at some of the biggest decisions, trends, and relevant cases of the past year. Together with this summary, we offer recommendations you can follow.
2021 trends: transfer impact assessments
The past year saw a rise in the importance of conducting transfer impact assessments. This means it is key to:
1) Know the transfers taking place.
2) Identify your transfer tool. For example, in the absence of an adequacy decision, you need to rely on one of the transfer tools listed under Article 46 of the GDPR.
3) Assess whether there is anything in the law or practices in force in the third country that may undermine the appropriate safeguards of the transfer tool you are relying on.
4) Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. These can be technical, organisational or contractual.
2021 trends: Standard Contractual Clauses
On 4 June 2021, the Commission issued modernised standard contractual clauses under the GDPR for data transfers. The updated SCCs replace the three sets of SCCs that were adopted under the previous Data Protection Directive. Since 27 September 2021, it is no longer possible to enter into contracts incorporating these earlier sets of SCCs. Organisations have until 27 December of this year to update their existing SCCs.
2021 trends: rising fines
2021 was a year full of fines in the data protection world. According to Atlas VPN, fines for failing to comply with the GDPR hit over €1 billion last year. That’s almost six times higher than the €171 million in fines issued in 2020. Here are some examples of the largest fines.
The Irish Data Protection Commission’s fine of €225 million regarding WhatsApp’s compliance with GDPR. The fine primarily focused on transparency obligations for both users and non-users. Since this ruling, WhatsApp has sought to challenge the hefty fine.
Vodafone’s €8.15 million fine, issued by the Spanish DPA (the AEPD) on 11 March 2021, actually comprises four fines for violating the GDPR and other Spanish laws covering telecommunications and cookies. The Vodafone fine stands as Spain’s biggest yet. Spain has accumulated 351 fines, resulting in €36.7m worth of penalties. While the average penalty rounds to about €105K, Spain has issued by far the most fines of any country.
Luxembourg’s National Commission for Data Protection fined Amazon €746 million in July 2021. The online service provider has its EU base in Luxembourg, and it has come under scrutiny in recent years for compiling data on its customers and partners. Amazon has appealed, stating it “strongly disagrees” with the fine.
Last January, Norway’s Data Protection Authority announced its intention to fine Grindr, the location-based dating app, €6.3 million for not complying with GDPR consent rules.
A recurring theme in these fines is consent and transparency for data subjects.
There was also a rise in civil litigation involving data breaches. This shows an increasing awareness of data subject rights under GDPR. That’s why organisations should ensure they have data breach training and practices in place. Their privacy notices and policies should also clearly outline data protection rights.
The Lloyd v Google case
This case involved Richard Lloyd’s action against Google in 2017 on behalf of over four million Apple iPhone users. The claimants alleged that Google had breached its duties as a data controller under the DPA 1998 in a period between 2011 and 2012. On 10 November 2021, the UK Supreme Court’s unanimous judgment granted Mr Lloyd permission to continue his representative claim (i.e. a US-style opt-out ‘class action’) against Google. However, the UK Supreme Court issued a unanimous judgment overturning a ruling of the Court of Appeal and disallowing a data privacy class action. The judgment denied Mr Lloyd the ability to pursue a collective claim for compensation.
Rolfe & Ors v Veale Wasbrough Vizards LLP
This case involved a personal data breach and the possible damage such a breach can cause. The UK High Court’s judgment in 2021 gives controllers some much-needed guidance on compensation for low-level data breaches. The High Court concluded that a single data breach involving a limited amount of personal data was unlikely to cause an individual to suffer distress or be sufficient to form the basis of a claim for damages for distress.
Be it high- or low-level breaches, organisations must have practices in place to counter such instances. So, what are the upcoming trends to watch out for?
What will be the DPC’s priorities?
During 2022, we expect the Data Protection Commission to focus on these areas:
- Subject access requests done correctly
- Data transfers
- Transparency regarding processing of personal data
- How controllers manage their Record of Processing Activities
One starting place for the year ahead is this: organisations should know their data.
Cliona Perrick is a data protection analyst with BH Consulting