Data privacy and protection remain core responsibilities for all organisations that process personal data, but how do we expect compliance to change in the coming months?
Here are what we think will be some of the most significant data privacy and compliance trends in 2022.
Changes at the ICO
The new information commissioner, John Edwards, began his five-year term on 4 January, taking over from Elizabeth Denham. Edwards, the former privacy commissioner for New Zealand, said: “Privacy is a right not a privilege. In a world where our personal data can drive everything from the healthcare we receive to the job opportunities we see, we all deserve to have our data treated with respect.
“My role is to work with those to whom we entrust our data so they are able to respect our privacy with ease whilst still reaping the benefits of data-driven innovation. I also want to empower people to understand and influence how they want their data to be used, and to make it easy for people to access remedies if things go wrong.”
Proposed reforms to UK data protection law
Edwards’s appointment is unlikely to mark any significant change of approach from the Information Commissioner’s Office (ICO). However, as the press release that accompanied the start of his tenure observes, 2022 will be “a busy year for information rights in the UK”.
The government’s consultation on the Data Protection Act (DPA) 2018 and UK General Data Protection Regulation (GDPR) should report in the first quarter of the year, potentially marking the beginning of the UK’s divergence from European Union (EU) data protection law.
Whatever reforms are enacted, it is worth remembering that the EU GDPR’s scope extends to all organisations that offer goods and services to, or monitor the behaviour of, EU residents.
Organisations in the UK can process EU residents’ personal data because of an adequacy decision issued in June 2021, which recognises that UK data protection law affords EU residents’ personal data a suitable level of protection. However, the adequacy decision can be withdrawn if UK data protection law deviates from the EU GDPR to a significant extent.
If this happens, data controllers and processors in the UK could find themselves with two markedly different data protection regimes to contend with, as well as having to rely on other mechanisms to process EU residents’ personal data, such as standard contractual clauses (SCCs) or binding corporate rules (BCRs).
Other incoming legislation to be aware of includes the Online Safety Bill, which aims to tackle harmful online content.
Forthcoming EU legislation
Meanwhile in the EU, a new wave of legislation is also due:
- The Digital Services Act and Digital Markets Act, which “aim to create a safer digital space where the fundamental rights of users are protected and to establish a level playing field for businesses”.
- The Data Governance Act, which aims to facilitate data sharing.
- The long-awaited ePrivacy Regulation, which was originally intended to take effect alongside the GDPR in 2018, and will replace the 2002 ePrivacy Directive (the ‘cookie law’) and all EU member state laws based on it.
- The NIS2 (Network and Information Security) Directive, which will supersede the existing NIS Directive, expanding its scope “to achieve a high common level of cybersecurity across the member states”.
Greater enforcement action
Accompanying this new tranche of European legislation, we expect to see an increase in enforcement action across the EU, continuing the trend in growing GDPR enforcement.
In 2021, there were at least 429 fines issued under the EU GDPR and UK GDPR across the EEA and the UK – a 40% year-on-year increase. Note that not all data protection authorities publish information about the action they have taken, so we do not know about all fines that have been issued.
These fines totalled more than €1bn (just over £900m) – a 602% increase on the value of 2020’s fines.
Most GDPR fines in 2021 were for breaches of Articles 5 (data processing principles), 6 (lawfulness of processing), 13 (information to be provided to data subjects when collecting their personal data) and 45 (security of processing).
This regulatory focus on technical compliance is a timely reminder that it is not just data breaches that controllers and processors must prepare for – it is equally important that they can demonstrate their compliance with the law.
As we recover from the pandemic and the data protection authorities clear their backlog of cases, we can expect to see a further increase in regulatory action under the GDPR and other laws in 2022.
In particular, we anticipate that international data transfers will come under greater scrutiny, especially for those organisations that use SCCs.
The European Commission issued new SCCs in June 2021. They have been required in all new contracts since September 2021 and must be used in all contracts from December 2022.
The UK and EU are not the only ones introducing new legislation in 2022. New data protection laws in China and India, federal laws in the US, and revisions to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) will all keep data protection compliance on board agendas around the world – especially for those organisations that process personal data from different territories.
Data localisation, or data residency, is the legal requirement for data to be processed in specific countries. For instance, the EU GDPR restricts the processing of EU residents’ personal data outside the EU to countries in which it is afforded an appropriate level of protection.
Where this becomes problematic from a compliance point of view is the use of cloud services, which often entails international data transfers.
Meeting your compliance obligations, whether new or old, will require a renewed focus on supply chain due diligence. If you are a data controller, you are responsible by law for the security measures applied by any processors that act on your behalf.
Blockchain, AI, the metaverse, and so on
Finally, the question of whether the use of distributed ledgers can be squared with the GDPR has been asked since the regulation took effect. But as personal data is increasingly processed in new environments, blockchain is not the only technology that requires further consideration from a data protection point of view.
As machine learning and artificial intelligence (AI) become more prevalent, and virtual environments such as the metaverse grow, we expect them to receive more attention from the data protection authorities.
If you use these environments, you will undoubtedly face new cyber security and privacy challenges, and, increasingly, your compliance obligations will become more onerous.