In our introduction to the first edition of this handbook, we predicted that 2020 would be a big year for data – including in AI, data ethics and cyber security. But we did not foresee the issue that would affect all our lives, both at home and at work. Many of you reading this will have found yourselves looking at data law issues on collating employee health data, using contact-tracing systems, and the privacy and cyber-security risks of home-working. We hope you find some useful guidance within the following pages.
Despite the pandemic, data law and regulation has not stood still. The last year has seen:
- a decision by the EU’s highest court that restricts how personal data can be transferred from the EU to the US and elsewhere (the Schrems II case);
- continuing discussions on whether the UK will be deemed an ‘adequate’ destination for data transfers when the Brexit transition period ends on 31 December 2020;
- legislation and other initiatives to promote use of AI in the US, the EU and elsewhere;
- major new data protection legislation in Brazil;
- the entry into force of the California Consumer Privacy Act;
- proposals for new laws on biometric data;
- in Japan, more rights for data subjects and more restrictions on businesses;
- in China, proposed new restrictions on cross-border data transfers; and
- in Singapore, proposals for fines of up to 10 per cent of annual turnover.
We have also seen an increase in the use of AI in business processes generally, including in forensic investigations; we are pleased to include a new chapter on that in this edition.
Data-driven M&A has also continued and we have seen an increasing focus on cyber security, as regulators have shown their appetite to review a buyer’s cyber due diligence on target companies, together with related integration activity. There is also a relatively new trend of buyers seeking to assess a target’s data ethics, including in their use of data analytics. Meanwhile, antitrust regulators have increased their scrutiny of businesses that amass large datasets. We have seen the EU Commission review the Google/Fitbit acquisition and the US Federal Trade Commission ask Alphabet, Amazon, Apple, Facebook and Microsoft for details of their transactions from the past decade.
As for the next 12 months, data law issues will no doubt continue to be relevant in the fight against covid-19, with perhaps an increased focus on the right balance between privacy rights and public interest. Away from the pandemic, the EU is likely to tackle the data transfer problems arising from Schrems II and we also hope to see a (constructive) resolution of the UK adequacy issue. We can also expect to see developments on group litigation for data law breaches, including a UK Supreme Court decision on whether ‘loss of control’ of data can found an opt-out group claim, even if there is no financial loss or distress.
For now, we hope that this edition will be a useful resource for in-house lawyers and others trying to keep up with this fast-changing area of law.
The author would like to thank Melonie Atraghji for her contributions and assistance in bringing this publication together.
1 See ‘European Union: Privacy’.
2 See ‘European Union: Privacy’.
3 See ‘United States: Artificial Intelligence’.
4 See ‘Brazil: Privacy’.
5 See ‘United States: Privacy’.
6 See ‘United States: Privacy’.
7 See ‘Japan: Privacy’.
8 See ‘China: Data localisation’.
9 See ‘Singapore: Privacy’.
10 See ‘Data-driven M&A’.
11 See ‘European Union and United States: Antitrust and Data’.
12 The UK Court of Appeal said this was sufficient (Lloyd v Google – https://www.bailii.org/ew/cases/EWCA/Civ/2019/1599.pdf).