2020 was a year we will never forget. In the world of data
protection, 2020 was perhaps the most turbulent year since the
entry into force of the EU General Data Protection Regulation
(GDPR) in 2018. Ahead of the Council of
Europe’s annual Data Protection Day on 28 January 2021, we
unpack the key data protection stories of 2020 and look ahead to
what 2021 has in store.
2020 Round-Up
March 2020: COVID-19 Raises Data Protection & Cybersecurity Issues
COVID-19 has required businesses to adapt to remote working
environments and introduce new procedures to ensure customers and
employees remain safe. Data protection and cybersecurity play an
important role in these measures and you can read our top tips for
compliance here and here.
April 2020: DPC Publishes Guidance and Report on Cookies
On 6 April 2020, the Irish Data Protection Commission
(DPC) published a report and separate guidance on
cookies and other tracking technologies (Cookies)
following several other EU data protection Supervisory Authorities.
The DPC guidance includes important insights into the use of
Cookies and the accompanying report includes “best and
worst” examples of Cookies banners. This is a key area of
enforcement for the DPC and the deadline for bringing websites and
apps into compliance was 5 October 2020. You can
read our overview of the guidance and report here.
May 2020: First GDPR Fine Issued by DPC
In May 2020, TUSLA, the Irish Child and Family Agency, was
issued with multiple fines by the DPC for breaches of the GDPR. The
announcement of the first fine of €75,000, which related to
three incidents, was confirmed mid-May with news outlets reporting
a second fine of €40,000 also being imposed. The €75,000
fine was confirmed by the Circuit Court in November 2020. You can
read more here.
July 2020: Schrems II Impacts International Transfers of Personal Data
In July 2020, the Court of Justice of the European Union (CJEU)
delivered its landmark decision in C-311/18 Data Protection
Commissioner v Facebook Ireland Limited and Maximillian
Schrems (Schrems II). The case concerned the
transfer of personal data to and out of the European Economic Area
(International Transfer) and examined the
“appropriate safeguards” for protecting personal data
subject to an International Transfer. The CJEU ruled that the:
- Privacy Shield, the popular means for the transfer of personal data
  to the United States, does not constitute an appropriate safeguard
  for International Transfers – entities transferring personal data
  (data exporters) to the US using Privacy Shield must find an
  alternative solution; and
- Standard Contractual Clauses (SCCs) are valid for International
  Transfers but, depending on the prevailing position in a particular
  country, the data exporter may need to adopt supplementary measures
  to the SCCs to ensure personal data remains protected to a standard
  essentially equivalent to the GDPR.
Data exporters using Privacy Shield have scrambled to put in
place alternative legal mechanisms for International Transfers to
the US whilst those using SCCs have struggled with the concept of
supplementary measures. You can read more here.
October 2020: Data Retention & Mass Surveillance in the Spotlight
On 6 October 2020, the CJEU delivered judgment in two landmark
decisions (case C-623/17 Privacy International; and joined
cases C-511/18 La Quadrature du Net and others, C-512/18 French
Data Network and others, and C-520/18 Ordre des barreaux
francophones et germanophone and others) concerning the
lawfulness of legislation in certain member states which required
providers of electronic communications services to forward
users’ traffic data and location data to a public authority, or
to retain such data. The cases centre on the “general and
indiscriminate” transmission and retention of traffic data and
location data and the rulings have important implications for
International Transfers in light of Schrems II. You can read more
here.
November 2020: Guidance on Schrems II and New SCCs Published
November 2020 saw the publication of:
- draft guidance by the European Data Protection Board (EDPB) on the
  supplementary measures envisaged by Schrems II. This guidance was
  published for public consultation which closed 21 December 2020.
- guidance by the EDPB on essential guarantees for surveillance
  measures. The guidance was adopted outright by the EDPB.
- new draft SCCs (New SCCs) by the European Commission (Commission).
  The New SCCs were published for public consultation which closed
  10 December 2020.
The supplementary measures guidance and New SCCs are subject to
further modifications based on the results of the public
consultation. This guidance and the New SCCs need to be carefully
considered by all data exporters and you can read more here.
December 2020: DPC imposes €450,000 fine on Twitter
On 15 December 2020, the DPC imposed its first “big
tech” GDPR fine of €450,000 on Twitter as a result of its
handling of, and response to, a data breach. The DPC found that
Twitter infringed Article 33(1) and 33(5) of the GDPR in terms of a
failure to notify the breach on time to the DPC and a failure to
adequately document the breach. You can read more here.
December 2020: Brexit Deal Brings Grace Period for UK Data Transfers
The UK-EU Trade and Co-operation Agreement provided a lifeline
to data exporters as it provides for the transfer of personal data
to and from the UK without additional safeguards for a temporary
period of up to six months from 1 January 2021. You can read more
here.
2021 Forecast
Milestones in European data protection law and practice will
continue to capture international audiences in 2021. In particular,
data exporters eagerly anticipate:
- finalisation of New SCCs: The New SCCs are expected to be finalised
  by the Commission in 2021. When the New SCCs take effect, data
  exporters will have a one-year grace period to implement them. The
  New SCCs currently published in draft-form raise a number of
  considerations for data exporters and William Fry have submitted
  feedback to the Commission on this draft. You can read more here.
- future of UK data transfers: The temporary period for UK data
  transfers will end in 2021 and we will learn what measures, if any,
  parties will need to implement in order to legitimise transfers of
  personal data to the UK.
We also anticipate more enforcement by the DPC
this year. In its annual report published 20 February 2020, the DPC
noted that it had 70 statutory inquiries in hand as of 31 December
2019. We expect many of these statutory inquiries will reach their
conclusion this year.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.