Data protection in 2023
Discover insights into the highly dynamic area of data protection and information law in the legal market and in the Chambers UK 2023 Guide.
The Data Protection Act 2018 has kept the EU's General Data Protection Regulation in UK law, and in 2021 the EU deemed the UK's post-Brexit data protection regime to have 'adequacy', meaning essentially equivalent to its own.
This is due to last until June 2025, unless UK law diverges significantly from GDPR. Although the UK Data Protection and Digital Information Bill – which aims to reduce certain requirements of GDPR on businesses and adopt a 'risk-based approach' – was withdrawn from Parliament by the new Government in September of this year, it is thought likely that the Government aspires to implement much of the spirit of the Bill at some point.
"Everyone doing privacy law compliance is now expanding their horizons by looking at wider digital and data policy and compliance matters. Cybersecurity, AI regulations, DMA, DSA, and the online safety bill from Europe. The privacy field has been expanded in terms of what clients are interested in and where the trends are coming. Clients and companies will have to consider privacy populism and privacy activism."
What are the concerns about the proposed reforms?
While the proposed reforms would in themselves reduce some of the burdens imposed on businesses by GDPR, there are concerns that a risk-based approach will not be compatible with the EU regime, requiring companies doing business in the UK and the EU to comply with two divergent regimes, a scenario that would come with burdens and costs of its own.
"There is no easy solution to dealing with the fallout of Schrems II. There is lots of tricky work helping clients come through with that. Can they transfer data internationally?"
As it is, the Schrems II decision handed down by the CJEU in 2020 ruled the EU-US Privacy Shield an insufficient framework for compliance with EU data protection standards and has resulted in tighter requirements governing the transfer of data to third countries. If the UK regime’s adequacy vis-à-vis the EU’s is not approved in under three years’ time, businesses – and the lawyers who serve them – will have even more work to do.
"Privacy activists are driving the agenda in corporate compliance with complaints on data flows, user cookies, advertising, testing, Schrems II, etc."
A fast-changing risk landscape
Developments in technology move quickly, be they fintech platforms migrating vast amounts of data between jurisdictions, or else advances in adtech and biometric data sharing. The Covid-19 pandemic has initiated a boom in IT solutions, potentially broadening companies’ risk profile. Alongside the risks posed by data breaches and the accompanying need for resilient cybersecurity, keeping abreast of and in compliance with data protection and information law is essential for businesses of any size.
"Everyone is digitalising more post-Covid. Rapid digitalisation and the need to still use third-party service providers is creating tensions with data protection rules."
“There is a rise of small group claims affecting companies who are the subject of publicly announced cyberattacks or ransomware; claimant law firms are coming after companies for damages.”
Lloyd v Google
The November 2021 UK Supreme Court judgment in Lloyd v Google was deemed favourable to businesses and data controllers and seemed to forestall the prospect of a tide of class actions for breaches of data protection law. However, the ruling did not specifically address UK GDPR as the case concerned an earlier period, and it potentially left open routes for smaller classes that could be pursued by claimant lawyers.