Privacy Transformation - Issue 85

As you would expect — it's been a slow news week, but that leaves a bit of room for considering what lies ahead for data protection and privacy in the year to come. Here's my take:

  • The next six months will see a lot of attention paid to EU-UK data transfers in light of the extension given to explore an alternate transfer mechanism. An adequacy decision is not the shoo-in that the UK government would like to think, particularly given likely incompatibilities of UK law enforcement surveillance practices with EU data protection law and possible additional divergence from GDPR post-Brexit.
  • SCCs will continue to be in the spotlight post-Schrems II due to the invalidation of the Privacy Shield framework. SCCs themselves may not stand up to additional scrutiny, and controllers should be aware that if using SCCs they need to gain assurance that there are adequate protections in place on the data that is transferred. An updated version of SCCs is currently in draft stage.
  • As the pandemic is hopefully brought under control with mass vaccination efforts, questions of how to resume 'normal' life will lead to data protection and ethical considerations on issues such as vaccination passports. As we see in this issue's lead story, some countries are already putting in place the infrastructure to track who has received or rejected a vaccine.
  • Cookie enforcement: Irish and European regulators made noise in this area in 2020. The Irish DPC signalled their intention to take enforcement action. Their Cookie Sweep Report laid the groundwork for this and their latest communications have stated that they are preparing enforcement action against organisations. Website operators are advised to get their house in order where cookies and similar tracking technologies are concerned.
  • Elizabeth Denham's term as UK Information Commissioner comes to an end in July 2021. The new Commissioner will be closely watched on two fronts — their relationship with EU regulators and continued goal alignment with the principles of the GDPR and whether a more forceful approach will be taken on regulatory enforcement considering perceived failures in recent years.
  • Security will continue to take centre stage. There was no shortage of data breaches in 2020, and the (in some cases hastily rolled out) work-from-home revolution that took place in response to the pandemic has seen many organisations scramble to put in place appropriate technical and organisational measures to protect employees and the data that they manage. I expect to see a maturing of many organisations' security postures in relation to remote working in the coming year, with greater embracing of technologies such as Desktop-as-a-Service (DaaS). Technological solutions may also play a greater role in facilitating secure data transfers to third countries. Homomorphic encryption is an example of a technology that offers the possibility to perform operations on data without having access to the underlying data and could prove useful in certain areas such as data analysis in fields such as medicine.

That's it for my predictions. If you have any that you'd like to share, do let me know! Enjoy this first issue of what is hopefully a happier year ahead for everyone.

Best,

Alan

PRIVACY

Coronavirus: Spain to keep register of those who refuse Covid vaccine

Spain is to set up a register of people who refuse to be vaccinated against coronavirus and share it with other European Union nations, the health minister has said.

NOYB Statement on Vienna Superior Court ruling

Facebook lost and won appeal: It must give full access to all data and pay €500, but may use data without consent of the user.

ICO statement in response to UK Government’s announcement on the extended period for personal data flows

ICO statement in response to UK Government’s announcement on the extended period for personal data flows, that will allow time to complete the adequacy process.

SECURITY & TECH

Multiple Smart Doorbells Found Vulnerable To Cyber Attacks

While smart doorbells are a convenience, they are also vulnerable to cyber attacks. Researchers have discovered numerous popular smart doorbell models to have serious security lapses. Thus, they pose a threat to user security.

This warning comes on foot of reporting of incidents of hackers livestreaming police raids on households after hijacking their victims' smart home devices and making a hoax call to authorities.

DATA BREACH

Japanese Giant Kawasaki Admits Security Breach With Potential Data Leak

Kawasaki detected a security breach upon noticing unauthorized access to its Japanese servers from overseas offices during an internal audit.

RESOURCES

DPC: Decisions exercising corrective powers

The Irish DPC has launched a new section to their website outlining the DPC’s decisions exercising corrective powers made under the Data Protection Act 2018.

DPC Podcast: GDPR Compliance During Covid-19

MB Donnelly is joined by data protection professional Hugh Jones to discuss GDPR compliance during Covid-19.

CONTRIBUTE

Have an interesting article, book, video, podcast or other data protection or privacy resource that you would like to share with fellow privacy practitioners? Feel free to drop me a note.