Connect with us

Hi, what are you looking for?

Investing

WFH, algorithms and multi-million-pound fines: the year in data protection

Zoom working from home

My final column of 2020 is in two parts. In this first part, I reflect on what a strange year we’ve had – picking out some of the highlights from an information law perspective. In part two, I’ll be looking forward to what 2021 may bring.

Of course, 2020 has been entirely dominated by the impact of COVID. It has been a difficult year for so many businesses. And the pandemic has thrown up all sorts of data protection challenges. Most obviously, organisations had to adapt to new ways of working, which for many of us has involved working from home. For employers, this led to a much greater emphasis on information security – reviewing and managing the additional risks associated with homeworking, training a newly remote workforce and ensuring that good habits in data governance are preserved. As the emergency situation earlier this year has given way to a new ‘normal’, organisations now need to make sure their internal policies and procedures reflect this new reality.

The new normal also means new types of data collections. This includes hospitality and retail companies needing to obtain track and trace details, workplace testing for COVID, and even data about family members when an employee is required to self-isolate. Some of this data constitutes information about health, which is a special category. Organisations need to take particular care in this area, thinking about the lawful basis for the data’s collection, appropriate retention periods and updating privacy notices.

In some cases, this has required data protection impact assessments to be carried out at speed. This has been challenging for businesses large and small. The Government has also faced its own challenges. Back in the spring, it pinned its hopes on its contact tracing smartphone app, but data protection and privacy concerns almost derailed the whole project and led to a fundamental change of approach.

Moving away from specific COVID-related data, the summer’s major row over A level and GCSE results led to an important public debate about the use and potential abuse of algorithms, and their role in automated decision-making. Even among data protection practitioners, it’s fair to say the rules around automated decision-making were not widely understood. This row brought them to the forefront of our minds, although the decisions to scrap results by algorithm prevented the ICO or the courts from ruling on their scope. The use of algorithms is only likely to grow in the coming years, so this is one issue that is not going away.

Away from the pandemic, the law continued to develop. While (thankfully) there weren’t any major legislative changes this year, we have had new case law. In April, the Supreme Court issued its judgment in the Morrisons case. The Supreme Court overturned the decisions in the High Court and the Court of Appeal, which had previously held that Morrisons was vicariously liable under the Data Protection Act 1998 for the actions of a disgruntled employee who deliberately leaked payroll data of thousands of employees onto the internet.

Data protection cases rarely reach the Supreme Court, so this decision was significant. Employers were pleased with the result, although the Court did affirm the principle that employers can be vicariously liable under data protection law for the actions of their employees (just not on the facts of this case).

This case provided a timely reminder about training staff to handle data appropriately. In July, the European Court of Justice released its judgment in the much-anticipated Schrems II litigation. The decision invalidated the EU-US Privacy Shield and once again called into question the legitimacy of international data transfers. This is likely to be a big issue in 2021, particularly in light of the Brexit changes ahead – more on this in my next column.

In such a challenging year, day-to-day information governance work took something of a back seat. The ICO made an early and decisive statement that it would be giving organisations impacted by COVID additional leeway, which was very much welcomed and certainly helped to manage some of the initial pressures. But despite the challenges of the pandemic, the regulator’s work hasn’t stopped, and some major cases were resolved.

In October, British Airways and Marriott International finally received their much-delayed GDPR fines. As you may remember, in the summer of 2019 the ICO announced its intention to fine these companies £193m and £88m for serious security breaches. However, the companies made additional representations and so the ICO had to reconsider its approach. The fines issued were massively discounted compared to the original notices of intention, with British Airways receiving a fine of £20m and Marriott £18.4m. These are still huge numbers, but much lower than initially proposed, so in a way, British Airways and Marriott achieved a good outcome. Nevertheless, the era of multi-million-pound data protection fines has truly arrived.

The ICO has also been busy with new guidance. Practitioners have particularly welcomed new subject access requests guidance. The new accountability framework provides much clearer advice on the documents and actions the ICO expects organisations to take to meet their accountability obligations. Elsewhere, regulators have increased the pace of GDPR enforcement, from minimal fines to multi-million euro ones. For instance, the CNIL in France recently fined the Carrefour supermarket chain over €3m for various infringements and Twitter was fined €450,000 by the Irish DPC. There’s an irony in that we’re getting more examples from across Europe at just the moment when these decisions will cease to have an impact in the UK.

With everything that’s happened in 2020, it’s easy to forget that the GDPR and the Data Protection Act 2018 are still very new laws. All of us – businesses, practitioners, the regulator and the courts – are still working through new situations and new challenges. It has undoubtedly been a challenging year, with data protection issues never far from the headlines. In my next column, I’ll look ahead at what 2021 may bring.

Read more:
WFH, algorithms and multi-million-pound fines: the year in data protection

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Get the daily email that makes reading the news actually enjoyable. Stay informed and entertained, for free.
Your information is secure and your privacy is protected. By opting in you agree to receive emails from us. Remember that you can opt-out any time, we hate spam too!

Latest

Economy

A Saudi flag flutters atop Saudi Arabia’s consulate in Istanbul, Turkey Oct. 20, 2018. — REUTERS/HUSEYIN ALDEMIR/FILE PHOTO RIYADH — Saudi Arabia’s crown prince...

Economy

IN FEB. 2019, Facebook, Inc. set up a test account in India to determine how its own algorithms affect what people see in one...

Economy

CHINA’S economy risks slowing faster than investors realize as President Xi Jinping’s push to cut its reliance on real estate and regulate sectors from...

Economy

Faced with a high level of competition in an era of streaming services, content providers must stay ahead by developing a strong user experience...

Economy

The Philippines remains under a “gray” list of countries under increased monitoring for money laundering and terrorism financing risks, despite some progress in implementing...

Investing

A Brewdog promotion which said customers could win “solid gold” beer cans was misleading, the advertising watchdog has found. The Scottish brewer offered shoppers...

You May Also Like

Investing

Having a good Instagram marketing agency to back up your Instagram account is an absolute must going into the new year. With competition stronger...

Economy

Ivermectin, an existing drug against parasites including head lice, has had a checkered history when it comes to treating COVID-19. The bulk of studies...

Investing

As a traditionally rigid insurance industry becomes bogged down by antiquated processes and operations, a handful of industry leaders are seeking to shake things...

Economy

Pfizer Inc on Wednesday raised its 2021 sales forecast for its COVID-19 vaccine by 29% to $33.5 billion, and said it believes people will...

Disclaimer: SmartRetirementReport.com, its managers, its employees, and assigns (collectively "The Company") do not make any guarantee or warranty about what is advertised above. Information provided by this website is for research purposes only and should not be considered as personalized financial advice. The Company is not affiliated with, nor does it receive compensation from, any specific security. The Company is not registered or licensed by any governing body in any jurisdiction to give investing advice or provide investment recommendation. Any investments recommended here should be taken into consideration only after consulting with your investment advisor and after reviewing the prospectus or financial statements of the company.

Copyright © 2021 SmartRetirementReport. All Rights Reserved.

Get the daily email that makes reading the news actually enjoyable. Stay informed and entertained, for free.



Your information is secure and your privacy is protected. By opting in you agree to receive emails from us. Remember that you can opt-out any time, we hate spam too!