COVID-19 has meant 2020 has been a “year like no other” in regard to data protection and privacy issues, according to Jonathan Armstrong, partner at Cordery, speaking during the 2020 UK and EU Data Protection Review and Outlook for 2021 webinar hosted by Spirion.
He noted that the sudden shift to remote working that many organizations had to undergo as a result of lockdown restrictions measures back in March has raised a number of new concerns in this field. One of these is the growing use of new third parties, in particular startup companies and businesses that have changed their services in response to the pandemic. Therefore, undertaking due diligence of such companies, and assessing whether they could be trusted with data, has been a big issue this year for many organizations, according to Armstrong.
Another issue has been health checks for people entering an organizations’ premises in light of the pandemic, which raised concerns over intrusiveness. “Some employers have got into difficulties with tracking health data onto an HR employment file,” said Armstrong, noting that the retailer H&M was fined 35.2m for collecting too much data on employees, with health checks being one aspect of that.
Additionally, monitoring remote staff productivity has led to new data privacy claims and investigations, “particularly with things like Office 365 where there is functionality out of the box to monitor employee productivity.” Armstrong added: “There are always challenges with this type of data, particularly when individuals perceive the organization is going to lose headcount and they may lose out.”
Armstrong also outlined important areas of litigation this year, one of which is increasing numbers of employees exercising data subject rights, such as requesting organizations to disclose the information they hold about them. This is particularly important as “the volumes of data can be more significant in a working from home environment.” He noted, for instance, that some organizations are routinely recording calls taking place on video conferencing platforms.
This move to remote working has also highlighted the lack of consistency between different jurisdictions in regard to the application of GDPR, in the view of Armstrong. While data protection authorities (DPAs) quickly issued advice about how organizations should handle this situation at the start of the crisis, a distinct lack of uniformity was observed.
With home working set to continue to play an important role for the foreseeable future, Armstrong set out advice for organizations to minimize the risks of data privacy problems occurring. These include recognition that consent will rarely be a solution when it comes to data collection, undertaking a data protection impact assessment (DPIA) and following the six GDPR principles.
Another major data privacy issue this year in a European context has been the UK’s ongoing negotiation with the EU to set out the full terms of its departure at the end of this year. Andre Bywater, partner at Cordery, explained that while data protection isn’t the main bone of contention in the negotiations, it currently remains unclear what the UK’s relationship with GDPR will be from next year. “GDPR has applied in the UK during the transition period, but once we leave the EU with or without a deal, it won’t technically apply,” he explained. It could be that the UK passes its own new data protection law that follows the GDPR, “but there may also be changes.”
A big aspect of the uncertainty is that the UK is currently awaiting an “adequacy decision” from the EU, in which its system is being assessed on how well it is able to protect privacy rights. If granted, data transfers from the EU to the UK can flow freely, but if not, this could cause numerous issues for organizations. Bywater commented: “I do not think we will get an adequacy decision within the next four weeks.” In this situation, “any data transfers from the EU to the UK will all have to use a particular mechanism” such as model clauses.
Summing up, Armstrong advised businesses to have a data transfer plan to be ready for such a scenario.