Fáilte from Dublin!
I thought it might be interesting to sum up 2020 from the Irish data protection perspective. And what a year it has been! 2020 has been an annus horribilis for most of us. From the first reports from Wuhan about a new virus, to a global shutdown, the dawn of a fresh year is eagerly anticipated.
However, there have also been some wonderful moments during the year. I fondly remember our CEO, J. Trevor Hughes, visiting Ireland in January. We were delighted to welcome him at engagements in and around Data Protection Day. I also remember an excellent KnowledgeNet meeting on Microsoft’s campus in March during which Steve May, Microsoft’s data protection officer, and I presented on issues facing DPOs. Little did we know that would be the last event we would attend for a long time. The next day, Ireland went into lockdown with schools, offices, restaurants and non-essential retail closed. Even St. Patrick’s Day was canceled!
With lockdown, came data protection concerns. Working from home became the norm, and the DPC quickly provided guidance on WFH security issues. Other issues, such as the collection of contact-tracing information and health-related data, became hot topics, with employers collecting temperature readings and symptoms details from employees. Again, the DPC provided practical advice.
In July, the Department of Health launched a COVID-19 contact-tracing app. It consulted at an early stage with the DPC and undertook a robust data protection impact assessment, inviting representatives from digital rights and citizens advocacy groups to consult on the development of the app. The DPIA was published and helped win the trust of a majority of the Irish populace, who downloaded the app to their devices. It highlighted to me the tangible benefits of undertaking a good DPIA early in the development of new technologies with privacy impacts.
No review of 2020 would be complete without a reference to the "Schrems II" decision. On 17 July, the Court of Justice of the EU invalidated the EU-U.S. Privacy Shield Framework, which meant that organizations could no longer rely on Privacy Shield as a lawful mechanism for data transfers to the U.S.
The CJEU’s decision confirmed the validity of standard contractual clauses; however, it added a requirement that EU data exporters must conduct a case-by-case analysis to determine whether the protections afforded in the receiving country meet EU standards for the protection of personal data. This has particular relevance for the U.S. due to the concerns expressed by the CJEU in relation to the U.S. government’s surveillance activity. This may also impact on transfers to the U.K. if we are faced with a no-deal Brexit in January. Guidance from the European Data Protection Board in October did little to assuage the concerns of those managing the operational impacts of these changes.
The "Schrems" saga will not end in 2020. Following the CJEU’s judgment in July, the DPC commenced a statutory inquiry into the lawfulness of Facebook’s data transfers to the U.S. A preliminary draft decision was delivered in August. Facebook then issued judicial review proceedings, focusing on fair procedures. Separately, the DPC is investigating another complaint relating to Facebook's U.S. data transfers made by Max Schrems who has brought another set of judicial review proceedings, listed for hearing 13 Jan. 2021. The DPC also launched statutory inquiries into Facebook’s processing of children’s personal data on Instagram.
The DPC’s decision on its inquiry into Twitter will issue 17 Dec. This is the first time the cooperation procedure under the GDPR was invoked, with Commissioner Helen Dixon commenting that “the process didn’t work particularly well.”
Finally, in October, the DPC welcomed 19.1 million euros in funding for 2021. Given that it has 42 litigation cases ongoing and will have 200 staff in 2021, every cent of that budget will no doubt be spent managing its considerable litigation, investigations and enforcement workload. At the same time, privacy pros are busier than ever with privacy teams struggling to meet demand.
This brings to mind one of the slides that Trevor shared with us in January: “Privacy’s not dead — it’s hiring.” It looks like that trend will continue into 2021 and beyond.
If you want to comment on this post, you need to login.