International Data Privacy Day: Our predictions for 2020

What better day than today, International Data Privacy Day, to explore what 2020 is likely to have in store for data and privacy? Almost two years ago the EU General Data Protection Regulation (GDPR) thrust data and privacy issues firmly in the spotlight, where they remain. With attention having shifted from guidance to enforcement, this article sets out some predictions for further developments in the year to come.

  • Data ethics: The discussion is moving from “what can we do” to “what should we do” with data. Organisations are coming under increased pressure, not just from consumers who are now demanding greater transparency around how their data is collected, used and handled, but also other stakeholders such as government, regulators, industry bodies and shareholders. 2020 is likely to be the year in which we will see an increased focus in the boardroom on how to incorporate ‘ethical practices’ into data strategies, to leverage consumer trust and drive long-term profitability.
  • GDPR fines: In 2020 we expect to see the final enforcement notices for the British Airways and Marriott data breaches issued by the UK’s data protection authority, the Information Commissioner’s Office (ICO). These had originally been expected in early January, but an extension was agreed and final enforcement notices are now expected in March 2020 to finalise the penalties imposed on both organisations, both which were the result of high-profile data breaches and subsequent ICO investigations.
  • GDPR enforcement activity: Is 2020 also the year in which we see other big data breaches, investigations and fines? 2020 will also likely see a shift in enforcement activity – going beyond data breaches to other areas of non-compliance with the GDPR. For example, the Berlin data protection authority issued a €14.5 million fine on a real estate company for the over retention of personal data. Elsewhere in Europe, 2020 should be the year when we see the results of the Irish Data Protection Commissioner’s investigations into some of the biggest tech companies, including WhatsApp and Twitter.
  • Adtech focus:We also expect the GDPR to start becoming real for the adtech sector in 2020. In June 2019, the ICO released its Adtech Update Report, with a clear message to the real-time bidding industry that they had six months to act; the ICO expressed significant concerns about the lawfulness of the processing of special category data and the lack of explicit consent for that processing. That six-month period is now up, and while – to the dismay of privacy advocates – the ICO has announced that the proposals of the leaders of the industry, the Internet Advertising Bureau (IAB) and Google, will result in real improvements to the handling of personal data, in the same statement, it has stated that “[t]hose who have ignored the window of opportunity to engage and transform must now prepare for the ICO to utilise its wider powers.” So, will 2020 be the year in which we see meaningful enforcement action from the ICO in this area?
  • Adequacy decision for the UK: Yes, a Brexit-related prediction had to feature somewhere on this list. At the time of writing, it looks set that the United Kingdom will leave the European Union on 31 January 2020, with an 11-month transition period in place. The pertinent question now is what will Brexit look like at the end of this transition period, and in particular with respect to how international data transfers will be treated. It may be that 2020 is the year in which the European Commission makes an adequacy decision in favour of the United Kingdom, but concerns remain over the processing of personal data for law enforcement purposes in the UK – and the EU’s data protection supervisor has essentially said that the United Kingdom is at the back of the queue for any such decision. So, will 2020 be the year of a United Kingdom adequacy decision, or will it be the year in which organisations undertake a review of their UK data transfer flow agreements in a scramble to be compliant?
  • Lead supervisory authority no more: From 31 January 2020, the ICO will no longer be a supervisory authority for GDPR purposes and will not participate in the one stop shop mechanism or the consistency and cooperation procedure. The ICO will also lose its power to be the lead supervisory authority for approving binding corporate rules. It is possible that any future deal may change that position, but in the meantime multinational organisations whose activities are caught by the GDPR should ensure that they have an appropriate lead supervisory authority based in an EU Member State.
  • Schrems II and the SCCs: While in the case of Schrems II, the Advocate General (AG) of the Court of Justice of the European Union (CJEU) issued an opinion that upheld the validity of the European Commission standard contractual clauses (SCCs), the AG also raised concerns about the practical use of the SCCs in jurisdictions where national security laws would breach the SCCs, and suggests moving the responsibility for using the SCCs away from the data importer to the individual company exporting data. If the CJEU follows this opinion, which is expected in the first quarter of 2020, it could result in substantial additional burdens before using SCCs. It could also have ramifications for the United Kingdom after Brexit.
  • Fall of the US Privacy Shield: In Schrems II, the AG opinion also expressed concerns over the EU/US Privacy Shield. If the CJEU follows the AG’s opinion then it could influence the case of La Quadrature du Net v Commission – a case concerning the French advocacy group, La Quadrature du Net, which is seeking to invalidate the Privacy Shield on the basis that it fails to uphold fundamental EU rights because of US government mass surveillance practices. Will 2020 be the year we see the Privacy Shield suffer the same fate as its predecessor, the Safe Harbour?
  • Artificial Intelligence regulation: The European Commission’s incoming president, Ursula von der Leyen, has stated that she will put forward legislation to regulate the use of artificial intelligence and only this month a draft Commission white paper was leaked, which floated a number of options on how to achieve this. This ranged from imposing mandatory risk-based requirements on developers, to sector-specific requirements, to voluntary labelling. Although it would not be a reality for a number of years, 2020 looks likely to be the year that we see a firmer picture emerge about the direction that the European Commission wishes to take AI regulation.
  • Data class actions: In November 2019, the Supreme Court heard Morrisons’ appeal of the finding that it was vicariously liable under the Data Protection Act 1998 for a data breach committed by a disgruntled employee, even though Morrisons themselves were data protection compliant. While this case involves the law as it stood before the GDPR, given the increase in the rights of data subjects under the GDPR, should the Supreme Court decision find in favour of the claimants, this could open the door in 2020 to a wave of class actions from employees, customers, and others whose personal data has been compromised in a data breach.
  • Data-focused commercial disputes: And it is not just collective actions from data subjects that may rise – in 2020 we could also see increased data protection-focused litigation and commercial disputes in the business to business sphere, as the spotlight continues to remain on data. For example, disputes over the allocation of liability where a controller has been fined and is seeking to claim this back from a third party processor. Which leads us on to…
  • Third party risks: Focus in 2020 will also be firmly directed at third party risk management and demands on suppliers and vendors to demonstrate compliance. Gartner research reveals that “compliance programs are focused on third-party risk more than ever before, with more than twice the number of compliance leaders considering it a top risk in 2019 than three years ago.” As the nature of third party relationships continues to evolve, and the amount of data that third parties host and process for organisations on the rise, processes and procedures also need to evolve to address this risk.
  • Data is a global issue: In the wake of the GDPR and the California Consumer Privacy Act, we are seeing a global trend in other jurisdictions to introducing or seeking to introduce more robust data protection laws. For example, 2020 will see both the Brazilian General Data Protection Law (which is largely based on the GDPR) and Thailand’s Personal Data Protection Act come into force. Other data protection legislation initiatives are also going through approval stages – for example, the New Zealand Privacy Bill and India’s first major data protection bill.
  • ePrivacy: But will 2020 be the year that finally sees agreement on the new ePrivacy proposals in Europe? The update to the European legislation which regulates cookies and electronic marketing has been plagued by delays and disagreements. Even if 2020 is the year that ePrivacy is finally agreed in Europe, considerations will then move to the UK’s own approach to ePrivacy in a post-Brexit world.

For more information, or if you have any queries, please contact Miriam Everett.

Miriam Everett
Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378
Chloe Kite
Chloe Kite
Associate, London
+44 20 7466 2540


Businesses in every sector are under pressure to innovate to stay ahead of the competition. ‘’Open innovation’’ is a term that has come to describe innovation which extends beyond the traditional Research and Development department of a business and embraces a broader pool of talent and ideas within the whole business and frequently also extends to an external partnership with a third party collaborator to assist with and accelerate the process.

Collaborative innovations or innovative collaborations (both descriptions apply) present opportunities to reduce costs, share risk, provide broader access to talent and ideas, and ultimately achieve greater monetary gain.

Data frequently plays a central role in this drive towards ‘’open’’ innovation as there is a significant value attached to it. Data can be used to generate new products or services and revenue streams, to identify efficiencies within an organisation and reduce costs, and to inform strategic decision-making.

To download the full article, click here

Miriam Everett
Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378
Anna McGowan
Anna McGowan
Professional Support Lawyer, London
+44 20 7466 2228

ICO framework for AI proposed to help support innovative use of this emerging technology

At the end of March the Information Commissioner’s Office (ICO) published an outline of the proposed structure for its auditing framework for the use of personal data in an Artificial Intelligence (AI) context. Once finalised the framework has potential to help catalyse the use of this new emerging technology within the restrictions of data protection regulation. In particular, it is intended to support the ICO in assessing data controller compliance, as well as providing data protection and risk management guidance, in relation to AI. Continue reading

Back to the future? Commons Select Committee publishes report on robotics and artificial intelligence

The House of Commons Science and Technology Committee (“Committee“) recently published its findings following an inquiry into robotics and artificial intelligence (“AI“) in March 2016.

The published report examines the potential value and capabilities of robotics and AI, as well as legal issues and adverse consequences to consider in this area. In particular, it considers data privacy and consent issues, as well as discussions around accountability and liability.

The Committee’s conclusions and recommendations include the following:

  • Governance – standards and regulations: A suitable governance framework is necessary to regulate and standardise robotic applications. This includes a proposed standing Commission on Artificial Intelligence to develop principles governing the development and application of AI techniques, as well as advising the Government on any regulation required. The governance framework will need to be assessed on a regular basis in light of legal, ethical and societal issues that arise, to ensure the framework remains effective.
  • Education and skills: There is a need to re-skill and up-skill on a continuing basis given the potential impact of robotics and AI on the UK workforce. The Committee suggests that the Government publishes its Digital Strategy as soon as possible and commits to sufficiently flexible education and training systems that take account of these changes in workforce demands.
  • Research, funding and innovation: The Government needs to establish a Robotics and Autonomous Systems Leadership Council as soon as possible to provide co-ordination and direction in this field, as well as produce a strategy setting out the Government’s ambitions and financial support for the area.

The report also highlights that robotics and AI are already being considered as part of more mainstream legislative debates – in particular, in this year’s Queen’s Speech, the Government announced that the Modern Transport Bill aims to put “the UK at the forefront of autonomous and driverless vehicles ownership and use”.

Please click here for a copy of the Robotics and Artificial Intelligence House of Commons Select Committee Report.

Continue reading