Freshfields Bruckhaus Deringer LLP

Data law and practice do not stand still – even in a pandemic. Much has changed since last year’s handbook, and we have tried to capture the main changes in this edition. Below are a few highlights from the past year. More details can be found in the pages that follow.

There have been several changes relating to data exports and data localisation, including:

  • new model clauses issued by the EU Commission, allowing personal data to be exported from the EEA. Although these are broadly welcome, they raise some new issues for businesses – not least the need to ‘repaper’ existing arrangements before the 18-month deadline expires;[1]
  • a new EU ‘adequacy’ decision that allows data to be sent from the EEA to the UK post-Brexit[2] (although the EU will be keeping an eye on whether UK law diverges too far from the GDPR);[3]
  • new restrictions on businesses exporting data from China, including where businesses are asked to provide data to foreign courts and law enforcement bodies;[4]
  • stricter rules on businesses exporting data from Japan; and[5]
  • continuing talks on a possible new EU–US arrangement to replace the Privacy Shield.

We have also seen new data breach notification regimes introduced – for example, in Singapore[6] and Japan.[7]

The number of ransomware attacks has continued to increase, with most attacks involving a threat to destroy, leak or sell stolen data. Our chapter on Cyber Forensics sets out the latest thinking on what a robust incident response plan looks like.

Regulators continue to probe cyber-due diligence conducted during M&A, where a target experiences a data breach. It is becoming ever clearer that it is a false economy to save on cyber-diligence, given the level of possible fines and the risk of follow-on damages.[8]

New tech uses and new ways of working, particularly during the covid-19 pandemic, have raised new challenges for businesses faced with investigations. Our chapter on Data Governance in Forensic Investigations sets out how businesses can manage this risk.

AI regulation continues to evolve, including a proposed new AI Regulation in the EU,[9] which includes fines of up to 6 per cent of global turnover.[10] The US has also seen several new legislative and policy measures on AI, including a stated intention by the Federal Trade Commission to bring enforcement action against businesses that use ‘biased algorithms’. Meanwhile, at the US state level, Washington has introduced landmark legislation on the use of facial recognition.[11]

The US privacy landscape has continued to evolve. California is already expanding its California Consumer Privacy Act, and other states have started enacting their own broad-based data protection laws (eg, Virginia and Colorado). At the federal level, the Biden Administration has signaled heightened scrutiny of businesses, including appointing Lina Khan – who has been critical of US tech companies’ privacy practices – as chair of the Federal Trade Commission. Moves towards a federal privacy law continue, albeit slowly.

China’s new data privacy law takes effect on 1 November 2021. The Personal Information Protection Law (PIPL) contains some GDPR-style elements, including restrictions on profiling, fines of up to 5 per cent of revenue and scope for consumer protection organisations to bring group actions. PIPL has some extra-territorial effects and will no doubt increase the compliance burden for some multinational businesses.

We have seen penalties continue to increase, with a record GDPR fine of €746 million handed to Amazon in relation to its data processing. However, there have been indications that regulators might be willing to listen to representations from businesses when setting fines – for example, the UK Information Commissioner’s Office has reduced some of its largest proposed fines following engagement with the businesses involved.[12] Several data fines have also been reduced by courts and tribunals, including in the UK,[13] Germany[14] and the Netherlands.[15]

The law and practice on data class actions continues to develop. In the UK, we await the Supreme Court’s judgment in a group claim against Google; that judgment should clarify how to define a class and whether ‘loss of control’ of data merits compensation.[16] We have also seen two group claims filed against Facebook (also on ‘loss of control’),[17] while British Airways has reportedly settled most of the data breach claim that was brought against it.[18]

We wait to see what the next year brings. For now, we hope that this edition will be a useful resource for those trying to keep pace with this fast-moving area.


[1] See the European Union: Privacy chapter.

[2] id.

[3] The UK government intends to consult on new post-Brexit data protection laws that will ‘make the country’s data regime even more ambitious, pro-growth and innovation-friendly, while still being underpinned by secure and trustworthy privacy standards’ –

[4] See the China: Data Localisation chapter.

[5] See the Japan: Privacy chapter.

[6] See the Singapore: Privacy and Singapore: Cybersecurity chapters.

[7] See the Japan: Cybersecurity chapter.

[8] See the Data-driven M&A chapter.

[11] See the United States: Artificial Intelligence chapter.

[13] See the UK First-Tier Tribunal’s decision on the Doorstep Dispensaree fine. ‘First ICO GDPR fine slashed’ GDR:

[14] See the 90 per cent reduction made by the Regional Court of Bonn in relation to the fine issued against 1&1 Telecom GmbH (decision of 11 November 2020, 29 OWi 1/20 – and ‘Multimillion-euro German fine slashed’ GDR:

[15] The Hague District Court reduced a data breach penalty issued against Haga Hospital by €150,000 (decision of 31 Mach 2021 –

[16] Lloyd (Respondent) v Google LLC (Appellant), the Supreme Court:

[17] ‘Cambridge Analytica class action filed in the UK’ GDR: and ‘Competing Facebook class action filed in the UK’ GDR:

Get unlimited access to all Global Data Review content