Greetings from Brussels!
First and foremost, I would like to extend my heartfelt best wishes to all for 2021! Safe to say, most of us were content to see the back of 2020 — a year to forget but also remember. Typically, as we herald in the new year, we do so with a sense of optimism and renewed hope for the year ahead.
This time around, I fear the spirit may be ever so slightly dampened with a sense of caution: News of effective vaccinations springs hope, although we may be looking at September before the EU has sufficient immunity. As is tradition with the opening notes in January, we try to dust off the crystal ball and look to predictions of what lies in store for the world of data protection; I may have been slightly off last year as we were surpassed and engulfed by all things COVID-19. Although, to my mind, some of those predictions are still "de rigueur," and maybe it’s a question of a "reboot" here and there.
Frankly speaking, looking back at how the COVID-19 pandemic upended the entirety of the year past, it was certainly not a quiet year for data protection and privacy, amplified by the explosive handing down of the "Schrems II" ruling. International data transfers took central stage and will continue to dominate the digital and data protection debate well into 2021. Data (protection) globalization will become increasingly politicized as companies and governments look to navigate the pressures of international business and privacy frameworks. Add to the equation the Brexit complexity and the U.K.’s role across international jurisdictions, companies will have their work cut out for them assessing jurisdictional equivalency with EU law and regulatory risk in the function of transfer mechanisms. Will the U.K. obtain an EU adequacy decision? It’s hard to envisage anything other than an adequacy decision to facilitate trade and business flows; data localization is the anti-thesis of global digitalization.
If companies have their work cut out for them, so will the European regulators. In 2020 enforcement policy decision-making might not have been as fluid across the single market as one might have hoped, the one-stop-shop mechanism also exposed a certain level of challenge and continued fragmentation for the EU27. Moreover, several national DPAs sought to pursue enforcement objectives under their national law provisions (pre-dating GDPR), as well as under GDPR even in cases where it was not the lead authority. There will be pressure for regulators to be more "harmonized" and efficient with cross-border complaints and their enforcement decision-making. In fairness, the GDPR remains a relatively new regime, and importantly, Europe is not an island; it takes time for consistency to trend.
In looking ahead, it is sometimes best to look in the rear-view mirror. Last year, the pandemic brought about some hefty transformations in societal behavior, with citizens the world over having to adjust their lives to the "new normal." In practice, we all went digital migrating and blending large parts of our personal and professional lives online. Remote working, online shopping, even the occasional happy hour with colleagues or friends were all spent in front of one device or another. In short, 2020 was a bonanza year for tech firms writ large, with greater amounts of (personal) data being created, collected and processed so that we could carry on. The EU, in turn, also sought to reinforce its digital vision, releasing its data strategy in February of last year. The IAPP put together an infographic of ongoing legislative developments in the EU. The broad range of policy measures geared toward Europe’s digital ambition that touches data protection and privacy, as well as cybersecurity is staggering — and relevant — as we journey through 2021.
Finally, consumer skepticism truly reached the mainstream: Consumers will be in the driver's seat, demanding more control of their personal data, and importantly how it is processed and shared. Legislators, regulators and organizations alike will need to be attentive, razor-sharp and innovative to address the growing demands of tomorrow’s digital generation.