As we enter 2020, we consider what we expect to be on the data protection agenda this year.
More fines from the ICO?
In 2019, we saw the ICO issue two notices of intent to fine Marriott and British Airways, in the sums of £99,200,396 and £183,390,000 respectively. Crucially, these are currently only intentions to fine, so we will have to wait and see whether those figures survive as the final penalties once the fines are actually issued.
Just before the end of 2019 we also saw the ICO issue its first fine under the GDPR, against a London pharmacy, in the sum of £275,000. This shows that, alongside the headline penalties in the tens and hundreds of millions, the ICO will still issue fines at much lower values for less serious breaches.
The outcome of the Morrisons group litigation case
During 2019, the Supreme Court heard the case of WM Morrison Supermarkets plc v Various Claimants. In this case the supermarket chain, Morrisons, was appealing the decision of the Court of Appeal, which had upheld the decision of the High Court, that Morrisons was vicariously liable for a data breach caused by a rogue employee who, acting without instruction, leaked the personal data of fellow employees online.
The judgement of the Supreme Court is expected this year. If Morrisons loses its appeal and is held liable, we will then have to wait and see what damages are awarded. This continues to be a key data protection case to watch, with potentially far-reaching implications for any employer whose staff have privileged access to personal data.
The future of Standard Contractual Clauses is to be determined
In 2019 the Court of Justice of the European Union (CJEU) heard a case on the validity of standard contractual clauses (SCCs) as a mechanism for transferring personal data outside the European Economic Area. Before Christmas, the Advocate General (AG) issued their opinion and supported the validity of SCCs. However, it does not end there: we still await the final judgement of the CJEU, and the AG Opinion suggested that controllers relying on SCCs may still need to assess whether the laws of the destination country, including its national security and surveillance regime, would prevent the recipient from honouring the clauses. Will the CJEU agree with that?
The final judgement of the CJEU is eagerly awaited and will hopefully provide some clarity for all organisations that regularly rely on SCCs as the appropriate safeguard for international data transfers.
Post-Brexit Data Transfers
Upon exiting the EU, the GDPR, although an EU Regulation, will be incorporated into UK law and will continue to apply, at least until new domestic data protection legislation is brought in. However, once the UK leaves the EU, the UK will be a third country for the purposes of data transfers. This means that, unless and until the European Commission grants the UK an adequacy decision, personal data cannot be transferred from the EU to the UK without an additional safeguard in place, such as standard contractual clauses.
A Brexit transitional period may mean that such safeguards are not needed during that period, but we will need to wait and see the outcome of the political debate as to whether such a period is put in place.
Of course, because of the extra-territorial effect of the GDPR, organisations based in the UK that continue to offer goods or services to, or monitor the behaviour of, individuals in the EU may have to comply with the EU's version of the GDPR as well as the UK version.
GDPR turns 2
In May 2020, the GDPR will have applied for two years (it became applicable on 25 May 2018). Hopefully this year organisations will start to feel more comfortable with the requirements of the GDPR and, as further guidance is issued by the ICO, it will become clearer what organisations need to do to meet them.