Initially launched in 2006 by the Council of Europe as ‘Data Protection Day’, Data Privacy Day celebrates the signing of ‘Convention 108’ in 1981.
40 years later it is bewildering to think of the change, from then to now, in how data is used, collected and processed. From 2010 to 2020 alone, the volume of data consumed worldwide exploded from two zettabytes (two trillion gigabytes) to 59 zettabytes.
As the anniversary of Data Privacy Day comes and goes, I like to take stock and ask myself: what will the big developments be this year? And how, in a world which runs on information, can data be truly protected?
For Organizations Operating in the UK and the EU it’s Mission Impossible
Post-Brexit, organizations have a grace period of six months for data transfers in both directions under the EU-UK Trade and Cooperation Agreement.
The UK functions like a member state in terms of data protection during this period subject to certain conditions, and EU-UK transfers don’t count as going to a “third country”. The idea is that the six months give enough time to work out a more permanent adequacy decision. Surely that should go off without a hitch, right?
Unfortunately, the UK’s mass surveillance program doesn’t meet either the conditions laid out in the Court of Justice of the EU’s decision in Schrems II or the EU Data Protection Board’s guidance on surveillance safeguards – and there’s our device with the ominous ticking clock.
If the right legal pathways can be found, the clock will stop before reaching 00:00. What are the chances? Just like in Hollywood, I’d say they’re pretty good because so much business is riding on the outcome.
National Digital Identities Will Become More Prevalent
Another trend will be that national digital identities will become more prevalent as governments adjust to a ‘new normal’ where services are delivered digital-first.
COVID-19 has driven the need for new functionalities like Test and Trace, remote access to services and, most importantly, measures which may provide a way out of lockdowns.
In September 2020, the UK Government announced that it was considering the roll-out of ‘unique digital identities… to revolutionize the use of data across government and increase service delivery efficiency including in the area of public health. Following that, there has been talk of other digital identity projects such as a ‘vaccine passports’ pilot.
However, aside from questioning their efficacy, many have raised concerns about privacy within these systems. Some fear that these and future measures could lead to more tracking and storing of people’s personal data in the long-term.
After all, the point of some of these measures is to control movement. To do that they must process location, contact, and health (for example temperature, recent illnesses and vaccine history) data, at the very least.
A source of optimism may be the 10-week pilot of the Scottish Government’s Digital Identity Scotland, which found that it was able to better communicate the service’s benefits, including stringent privacy controls, after completing the pilot and understanding user needs.
Few proposals have materialized into large successes; for example, Gov.UK Verify hasn't been successful at scale.
In developing measures which use digital identities, the UK Government has committed to six broad principles including ‘to ensure [people’s] confidentiality and privacy’ but it remains to be seen whether it follows through.
Data Subjects Are Doing it for Themselves
With a historic shift in 2020 towards the digital realm, consumers have become even more sensitive to the question of controlling their data destiny. Regulatory trends such as GDPR and Open Banking were already designing roles for individuals that expanded on the traditional definition of a data subject. I predict we’ll see individuals gain new powers in 2021.
Our recent New Normal Volume II report showed that over two-thirds of consumers ranked not selling data to third parties as a top priority. The pandemic has revealed how frayed some digital relationships have become, and how many consent experiences are fundamentally broken.
So, when WhatsApp recently introduced new data-sharing terms that raised concerns about its relationship with parent company Facebook, it sparked an exodus to more privacy-focused messaging apps like Signal and Telegram.
People will be further encouraged to see themselves as empowered agents, free to access and share their own digital data, by nascent global regulatory programmes such as the UK’s Pensions Dashboard, the US healthcare sector’s CMS rule, and Australia’s Consumer Data Right. This year the seismic societal shifts precipitated by the pandemic could act as the catalyst once and for all.