My final column of 2020 is in two parts. In this first part, I reflect on what a strange year we’ve had – picking out some of the highlights from an information law perspective. In part two, I’ll be looking forward to what 2021 may bring.
Of course, 2020 has been entirely dominated by the impact of COVID. It has been a difficult year for so many businesses. And the pandemic has thrown up all sorts of data protection challenges. Most obviously, organisations had to adapt to new ways of working, which for many of us has involved working from home. For employers, this led to a much greater emphasis on information security – reviewing and managing the additional risks associated with homeworking, training a newly remote workforce and ensuring that good habits in data governance are preserved. As the emergency situation earlier this year has given way to a new ‘normal’, organisations now need to make sure their internal policies and procedures reflect this new reality.
The new normal also means new types of data collections. This includes hospitality and retail companies needing to obtain track and trace details, workplace testing for COVID, and even data about family members when an employee is required to self-isolate. Some of this data constitutes information about health, which is a special category. Organisations need to take particular care in this area, thinking about the lawful basis for the data’s collection, appropriate retention periods and updating privacy notices.
In some cases, this has required data protection impact assessments to be carried out at speed. This has been challenging for businesses large and small. The Government has also faced its own challenges. Back in the spring, it pinned its hopes on its contact tracing smartphone app, but data protection and privacy concerns almost derailed the whole project and led to a fundamental change of approach.
Moving away from specific COVID-related data, the summer’s major row over A level and GCSE results led to an important public debate about the use and potential abuse of algorithms, and their role in automated decision-making. Even among data protection practitioners, it’s fair to say the rules around automated decision-making were not widely understood. This row brought them to the forefront of our minds, although the decisions to scrap results by algorithm prevented the ICO or the courts from ruling on their scope. The use of algorithms is only likely to grow in the coming years, so this is one issue that is not going away.
Away from the pandemic, the law continued to develop. While (thankfully) there weren’t any major legislative changes this year, we have had new case law. In April, the Supreme Court issued its judgment in the Morrisons case. The Supreme Court overturned the decisions in the High Court and the Court of Appeal, which had previously held that Morrisons was vicariously liable under the Data Protection Act 1998 for the actions of a disgruntled employee who deliberately leaked payroll data of thousands of employees onto the internet.
Data protection cases rarely reach the Supreme Court, so this decision was significant. Employers were pleased with the result, although the Court did affirm the principle that employers can be vicariously liable under data protection law for the actions of their employees (just not on the facts of this case).
This case provided a timely reminder about training staff to handle data appropriately. In July, the European Court of Justice released its judgment in the much-anticipated Schrems II litigation. The decision invalidated the EU-US Privacy Shield and once again called into question the legitimacy of international data transfers. This is likely to be a big issue in 2021, particularly in light of the Brexit changes ahead – more on this in my next column.
In such a challenging year, day-to-day information governance work took something of a back seat. The ICO made an early and decisive statement that it would be giving organisations impacted by COVID additional leeway, which was very much welcomed and certainly helped to manage some of the initial pressures. But despite the challenges of the pandemic, the regulator’s work hasn’t stopped, and some major cases were resolved.
In October, British Airways and Marriott International finally received their much-delayed GDPR fines. As you may remember, in the summer of 2019 the ICO announced its intention to fine these companies £193m and £88m for serious security breaches. However, the companies made additional representations and so the ICO had to reconsider its approach. The fines issued were massively discounted compared to the original notices of intention, with British Airways receiving a fine of £20m and Marriott £18.4m. These are still huge numbers, but much lower than initially proposed, so in a way, British Airways and Marriott achieved a good outcome. Nevertheless, the era of multi-million-pound data protection fines has truly arrived.
The ICO has also been busy with new guidance. Practitioners have particularly welcomed new subject access requests guidance. The new accountability framework provides much clearer advice on the documents and actions the ICO expects organisations to take to meet their accountability obligations. Elsewhere, regulators have increased the pace of GDPR enforcement, from minimal fines to multi-million euro ones. For instance, the CNIL in France recently fined the Carrefour supermarket chain over €3m for various infringements and Twitter was fined €450,000 by the Irish DPC. There’s an irony in that we’re getting more examples from across Europe at just the moment when these decisions will cease to have an impact in the UK.
With everything that’s happened in 2020, it’s easy to forget that the GDPR and the Data Protection Act 2018 are still very new laws. All of us – businesses, practitioners, the regulator and the courts – are still working through new situations and new challenges. It has undoubtedly been a challenging year, with data protection issues never far from the headlines. In my next column, I’ll look ahead at what 2021 may bring.