Change is the only constant: A year in privacy law

As 2021 draws to a close, I thought I would use this column to reflect on another strange year and look ahead to what may happen in the world of data protection during 2022.

But before that, I should revisit last December’s column, where I gave my data protection predictions for 2021. What did I get right, and what did I get wrong? Well, I was right to predict there would be controversy over the use of vaccine passports. These are still making the headlines today, as the Covid Pass is rolled out in England, replicating similar schemes in the other UK nations. My prediction that the UK’s data protection laws would begin to drift apart from those in the EU was also right, although I may have been too optimistic/pessimistic (depending on your viewpoint) when I said “don’t expect to see a significant shakeup, at least in the short term”. And my prediction that a new Information Commissioner would make an impact in 2021 proved wrong, as Elizabeth Denham’s term was extended to the end of November and the new Commissioner, John Edwards, doesn’t take up his post until the new year. Perhaps that’s one to be rolled forward to 2022.

So what else happened in 2021? Alongside the ongoing challenges posed by the pandemic, the year began with a new data protection regime. The end of the Brexit transition period on 1 January meant we said goodbye to the EU’s GDPR and hello to the new UK GDPR. We’ve also seen significant court cases on everything from class action claims to the Duchess of Sussex’s private correspondence, regulatory action by the ICO, and more changes to the rules on international data transfers. As if that weren’t enough, the UK government launched consultations on changes to the UK’s data protection regime and to weaken the privacy protections afforded by the Human Rights Act. It’s been quite a year.

And yet we may look back on 2021 as a period of relative stability in data protection, at least compared with what’s coming down the line. In the absence of any major legislative changes, the courts have taken centre stage. Data protection law can be characterised, not always entirely fairly, as seeking a balance between the rights of individuals and those of the organisations that wish to collect and use (or exploit) their data. The Supreme Court’s decision in the Lloyd v Google case, which has made large-scale class actions for data breaches considerably more difficult, has shifted the balance away from individuals. And other cases in the lower courts have mirrored that trend. To the relief of many businesses, data protection appears to be moving away from a compensation culture.

So to 2022. We’re expecting plenty of changes, with a common theme of shifting that delicate balance away from the individual and towards the organisation. That means eroding fundamental rights or freeing up businesses to innovate, depending on your viewpoint.

We already know the broad outline of the changes to our data protection laws. That’s because the UK government has told us, in a consultation that ended this autumn. The proposed reforms are intended to remove some of the more onerous obligations on organisations, limit some individual rights and encourage innovative uses of data. Whilst some of these changes are undoubtedly welcome and could improve our laws, the removal of other obligations will be controversial. Expect plenty of opposition once the detailed proposals are published, and not just from privacy campaigners. International businesses will want to stay closely aligned to the EU’s GDPR, to avoid any additional compliance burdens.

Meanwhile, as the year draws to a close and the news is dominated by the Omicron variant, the government has published proposals for changes to human rights law. Article 8 of the European Convention of Human Rights provides a right to private life and correspondence. This right is broader than anything in data protection law and has been central to many of the privacy cases that come before the courts, particularly those involving press intrusion into the private lives of celebrities, where Article 8 must be weighed against the Article 10 right to freedom of expression. The government wishes to rebalance (that word again) the scales so that Article 10 overrides Article 8 in more instances. The press will be delighted. Privacy campaigners significantly less so. That’ll be another battle to watch out for in the coming year.

Elsewhere, familiar arguments will continue to rage in 2022. As well as the ongoing debates around vaccine passports and covid rules, the Online Safety Bill will keep the spotlight on the behaviour of the tech giants and there will be a continued focus on the adtech industry. So no change there.

We already know that there’ll be a new Information Commissioner in the new year. What we don’t yet know is what the policy and legal environment will look like in twelve months’ time. It’s going to be another year of change ahead.

Published in Business Matters – 16 December 2021