2021 was a busy year for data protection, with the Supreme Court significantly curtailing the rise of class actions in data claims in Lloyd v Google, the long-awaited adequacy decision allowing data flows to continue from the EU to the UK and a bold new approach being mooted for the UK's data protection landscape in future.
So, after all that 2021 brought us, where are we headed in 2022, and what key themes will emerge this year? Charlotte Clayson, Partner, and Edward Rees, Solicitor give us their view.
A busy year for data breach litigation?
The threat of data breach litigation claims is likely to continue, with individuals becoming increasingly aware of their rights and keen to hold large and trusted organisations to account following a data breach. However, as a result of the Supreme Court's judgment in Lloyd v Google, the deluge of group litigation claims is unlikely to materialise as anticipated. The ability to bring mass data breach claims for simple 'loss of control' of personal data, i.e. without proving any accompanying distress or damage, has been seriously reduced in scope.
This likely means there will be attempts to reformulate claims and come up with innovative solutions to seek compensation for large groups of affected individuals. Such schemes will need to stand up to court scrutiny and, possibly more importantly, the scrutiny of litigation funders whose backing is increasingly critical to the success of these types claims. For the moment, it seems that the UK's temporary reign as class action capital of the world for data and privacy claims is now at an end.
The UK's post Brexit data reforms continue
The government has closed its consultation into how data protection law might be reformed now that, from a legal perspective at least, the framework does not need to mirror that of the EU and the much-discussed GDPR. Despite this, the government's aim to create an "ambitious, pro-growth and innovation friendly data protection regime" may not be quite as innovative or far reaching as first anticipated, especially if the ICO's response is anything to go by. In particular, the ICO seems resistant to key proposals to allow for fees to be charged to respond to Subject Access Requests; to do away with the concepts of Data Protection Officers and Data Protection Impact Assessments; and to re-structure the ICO itself, which it says raises concerns around its independence from the running of government.
However, we know that many businesses are keen to overhaul what can often be seen as a bureaucratic and resource-intensive system, balanced in favour of the rights of individuals rather than growth and innovation. We wait to see what 2022 brings in the next stage of reforms, what the government makes of the consultation responses as it shapes its proposals for the future of data privacy, and how the new Information Commissioner, New Zealand's John Edwards, makes his mark on the ICO and the UK data landscape.
The battle for 'best friend' status
Whilst the UK is now free to depart from the EU data protection regime, there are serious concerns for privacy professionals and businesses alike that too much of a departure will have significant real-world consequences for the flow of data from the EU, and particularly on the adequacy decision that has only recently been adopted with a communal sigh of relief. Those within government have previously indicated that a deal with the US would be on the table and seen as important to enable data to continue flowing after the demise of the EU-US Privacy Shield.
However, given the EU's dim view on the levels of privacy and protection afforded by parts of the US, this may be a step too far for the EU and UK's relationship to withstand. Will the UK look to the EU or the US as its close ally in the fast-paced world of data, or tread a careful line between the US and EU privacy regimes? All eyes will be on this developing issue, given the significant impact on many businesses if data transfers across the Atlantic are disrupted.
Proactive planning becomes non-negotiable
We have all become increasingly aware of the rise and rise of cyber attacks on businesses and individuals alike. As cyber-attacks become more sophisticated, they target a huge range of organisations, from retail and logistics, to local authorities and education providers, engineering and telecoms. But the list does not end there: no organisation is safe from the risks of cyber-attacks, regardless of their size, reputation, or sector.
Data provides the ideal opportunity for organisations to be targeted through ransomware, phishing scams, social engineering and exploiting holes in physical and network security – all for financial gain. With the volume of data in existence growing exponentially every day, that risk is not going away. This is no longer a case of if but when, and how well your organisation can cope with the fallout. 2022 is the year that all organisations should be proactively planning and reviewing the steps they will take in the event of a cyber-attack. For those organisations who do not have a cyber-attack or data breach response plan in place, this should be the top priority objective for 2022. Those with a plan in place will need to keep it under constant review as technology, methods and risks continually evolve.
