Key data privacy developments in 2021 and what to expect in 2022

As another eventful year closes, data privacy developments have continued apace and there is more to expect to in 2022. In the UK for example, we await further clarity around the practical implementation of the rules on international transfers. We also look forward to seeing the ICO’s continued pragmatic approach in the remaining chapters of its draft guidance on anonymisation and pseudonymisation (and the use of PETs), which will be relevant across a wide range of areas, from M&A transactions to scientific research. Looking further afield, we are seeing data regulators in the EU tackling the big tech players and how they handle data (e.g. the fines against WhatsApp and Amazon) and will be closely monitoring enforcement trends in the EU and the UK, as well the future of mass privacy claims in a post Lloyd v Google world.

We discussed these topics, among others, at our November Data Privacy Forum 2021, our annual event for DPOs and those with responsibility for data privacy within their organisation. Our conversations focused around:  

• data privacy considerations in employee monitoring and how to carry out effective monitoring in line with data privacy requirements (e.g. when to rely on the Article 6 legal basis employers (or not) and the steps and technology that can be used to reduce the intrusiveness of any monitoring for employees).
• key data privacy developments in Mainland China and Hong Kong, including amendments to Hong Kong’s Personal Data (Privacy) Ordinance which aim to bring the law into closer alignment with international standards for privacy legislation and criminalise doxing (i.e. the act of revealing or exposing personal data about someone online, often to shame or embarrass them) and China’s new Data Security Law and Personal Information and Protection Law. The speakers focussed on the key aspects organisations based outside those jurisdictions should be aware of, such as extra-territoriality, the rules on cross-border transfers and penalties for non-compliance.
• international transfers - ‘all you need to know’, including the main requirements under the GDPR, recent developments such as the EU’s SCCs, the ICO’s draft IDTA and guidance, and practical tips for organisations on, for example, transfer impact assessments.  
• the changing enforcement and litigation landscape: perspectives and developments on both sides of the Atlantic, focussing in particular on the UK, US and Ireland. The speakers discussed the ICO’s enforcement actions and approach, the future of mass privacy claims in the UK, the Irish WhatsApp fine and the more complex matrix of federal and state laws around data privacy and cybersecurity in the US.
• the UK’s privacy outlook, including the DCMS’ proposals for data protection law reform and other key developments organisations should expect next year in the data privacy world and more widely in related areas (e.g. AI, emerging tech and regulating digital).

If you would like to find out more about what we discussed, please request access to our Forum Report event write-up here.