
Trends in data, privacy and cybersecurity

In 2020, data privacy must be considered in the round and often in conjunction with other regulatory issues.

December 2019

In data privacy terms, 2019 has been less eventful so far than 2018 (although at the time of writing, we await the Advocate General's Opinion in Schrems II which could help decide the fate of Standard Contractual Clauses as a data transfer mechanism to the USA). What we have seen is the GDPR bedding in and its interrelation with other areas of regulation, both in terms of data privacy and beyond. So, without mentioning the B-word and leaving aside the issue of data transfers, what can we expect in 2020?

No more 'Mr Nice Guy'?

Many of the data protection cases which have attracted the attention of regulators since the GDPR came into effect have actually related to breaches under the Data Protection Directive and implementing legislation. This has meant that the much feared multi-million Euro fines have been slow to arrive, leading some to question whether the GDPR really has teeth.

This is starting to change. In November the Berlin Data Protection Authority (BDPA) fined real estate business Deutsche Wohnen EUR 14.5m. This fine did not just come out of the blue though. In June 2017, the BDPA had conducted an on-site inspection and found that the company failed to delete old data and stored sensitive personal data without an appropriate lawful basis. The regulator made a number of urgent recommendations to the company and allowed it time to implement changes. A subsequent inspection in March 2019 revealed, however, that the company had not made the required changes. As a result, the BDPA fined Deutsche Wohnen for breaches of the GDPR between 25 May 2018 (when it came into effect) and October 2019 (see our article for more).

We have also seen a EUR 18m fine handed down in Austria to the Austrian Postal Service in October for, among other issues, processing personal data about political affiliation without a lawful basis although the fine is being appealed and is not yet legally binding. And of course, earlier in the year the CNIL fined Google EUR 50m although, again, this is being appealed.

These fines show that regulators are not afraid to use the full force of the GDPR for egregious and persistent breaches. Any unofficial compliance holiday is well and truly over and the need for accountability and governance to drive and monitor the step change to GDPR standards has never been more important. Having said that, it is also clear that Deutsche Wohnen was given time to comply with the BDPA's recommendations and the fine was issued as a last resort. We expect there will be more large fines next year but only for the worst offenders. Organisations obviously trying to do the right thing (and not just paying lip service to compliance) are unlikely to face fines of such magnitude.

Will 2020 break the consent model?

The UK's parliamentary Joint Committee on Human Rights published a report at the end of October on the Right to Privacy (Article 8) and the Digital Revolution, concluding that the 'consent model' for data is "broken". It says that it's almost impossible for people to be fully informed about what is happening to their data and the onus shouldn't be on them to discover it. It suggests that this issue is magnified with regard to children and also criticises businesses which offer no alternatives to consent and no granularity. Anyone who has wrestled with unwieldy privacy policies (whether creating or simply reading them) can relate to the Committee's obvious frustration.

There are huge challenges to meeting information and consent requirements, especially where data journeys are complex and this is one of the reasons data controllers need to think very carefully before relying on consent as a lawful basis for processing.

In some situations though (not least of which is in relation to cookies and similar technologies under the ePrivacy Regulation), getting consent is either mandatory or the only suitable option, particularly in relation to sensitive personal data. Businesses which have no alternative to consent will find themselves under increasing scrutiny, particularly where they require consent in exchange for services. Thinking creatively about how to present information and gather GDPR consent will bring competitive advantages (see our article on legal design for ideas).

DPIAs will become ever more critical

Data Protection Impact Assessments (DPIAs) have emerged as a crucial compliance tool over the course of the year and this will only intensify in 2020. In 2019, we saw Member State regulators finalise their lists of when a DPIA will be mandatory, but virtually every piece of regulator guidance highlights the importance of DPIAs and encourages data controllers to carry them out even when not strictly required to do so.

The reasons for this are clear – DPIAs focus the mind on identifying and mitigating privacy risks and they help demonstrate accountability. Documenting the thought process behind data processing operations is a key compliance tool. Businesses will realise (if they haven't already), that the DPIA is not a tedious administrative requirement. If carried out properly, it can unlock the GDPR.

Cross-regulator cooperation will increase

Regulators traditionally have very clear areas of responsibility but in a year which has seen a huge focus on online harms (including privacy risks), there is a growing sense that sector regulators (not just different Member State data protection regulators) including the ICO, Ofcom and the CMA will need to work together to tackle the challenges.

We have already seen EU competition regulators hand down fines for abuses relating to data dominance and just last month, Ofcom published a paper, Online market failures and harms. It set out a broad overview of online policy issues, explaining how economic issues and market failures in online services may cause harm to individuals. Market power, barriers to switching, information asymmetry and behavioural biases are some of the market failures Ofcom looked at, suggesting these can lead to harms including competition issues, fraudulent or unfair business practices, and privacy issues. Ofcom highlighted the importance of addressing all market failures that are the source of online harms and recommended regulators work together to address issues. If, as is proposed in the government's White Paper on Online harms, a new independent regulator is created to enforce a statutory duty of care, it will certainly need to work with other regulators including the ICO (assuming the new regulator is not the ICO) to be effective.

AI, facial recognition technology and adtech will be a focus for 2020

We already know that certain sectors will be a focus for the ICO in 2020.

AI

The ICO's AI framework and guidance will be published for consultation early next year. Key themes identified during the call for input were:

  • The need to build adequate AI governance and risk management capabilities.
  • Understanding data protection risks and setting an appropriate risk appetite.
  • Leveraging DPIAs as a roadmap to develop compliant and ethical approaches to AI.

Facial Recognition Technology

The ICO is investigating the use of Live Facial Recognition in the private sector (including where used in partnership with law enforcement) having concluded an investigation into the use of LFR by law enforcement. This issue is also an area of focus for the EDPS and other regulators including the CNIL.

Adtech

Following a fact-finding forum in March 2019, the ICO recognised there was more work to be done on resolving the tensions between adtech business models and data privacy law. It published an update report in July and said it would take an additional six months to gather information and review its position. We are likely to see a further report early next year. This is going to be even more of a focus if the ePrivacy Regulation is finally passed in 2020 (although we're not going to put money on that).

The evolution of defined security good practice

Neither the GDPR nor the DPA18 sets minimum standards for technical security requirements, and deliberately so. However, the decision notices for the first big data breach fines in the UK (British Airways and Marriott) are due either in late 2019 or early 2020, and others are on the way.

We expect that these will include relatively detailed information as to what the ICO considers to be the security failures in each case. While every business's data, and IT estate, are different, we anticipate that certain practices will effectively become automatically unacceptable for GDPR/DPA18 compliance.

Multi Factor Authentication under attack

There are an increasing number of attacks aimed at getting round 2FA/MFA. This is a reflection of the positive impact that MFA has had on security (anything successfully making hackers' lives more difficult will quickly become a target), and while there are some sophisticated and elegant attacks out there, many are still quite clumsy and ineffective. We expect to see real effort at developing and improving these tools in the near future, and some forms of MFA may become less secure. Properly integrated enterprise-grade MFA should not be at risk, but there may be inroads into other MFA implementations. Having said that, MFA will remain (in our view) a must for any user-facing cloud implementation. And on that note…

Business email compromise isn't going away

We don't see any real abatement in the number of BEC breaches (phishing links aimed at compromising, for example, Office 365 accounts). Sometimes, it is unclear from logs what data is compromised in such attacks. However, based on what we have seen in practice, and advice from the NCSC and regional police cybercrime teams, it is standard practice in these attacks to use IMAP or similar to download as much of the mailbox as possible, quickly. The data can then be analysed and monetised by attackers at relative leisure. We are also seeing a number of re-infection attempts, such as attackers later replying to a genuine email conversation from an email address spoofing one from within the organisation, with a malware-seeded attachment. In reality, this is no more than trying to maximise gain from the original compromise, but we expect to see this sort of multi-layered approach increase over the next year.
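A defender-side illustration of the mailbox-download pattern described above, as an added example that is not from the article or from any named tool: it parses constructed mailbox-audit log lines (the log format, user names, IP addresses and the per-user baseline of known IPs are all assumptions) and flags an IMAP session that fetches an unusually large number of messages shortly after a login from an address not previously seen for that user.

```python
# Added example, not from the article: flag the bulk IMAP mailbox downloads that
# follow a BEC compromise. Log format and all values below are constructed.
from datetime import datetime, timedelta

# Constructed audit lines: timestamp, user, client, action, source IP, messages fetched
SAMPLE_LOG = """\
2019-11-04T08:02:11Z alice@example.com Outlook Login 203.0.113.10 0
2019-11-04T08:03:40Z alice@example.com Outlook Fetch 203.0.113.10 12
2019-11-04T23:41:05Z alice@example.com IMAP Login 198.51.100.77 0
2019-11-04T23:41:30Z alice@example.com IMAP Fetch 198.51.100.77 900
2019-11-04T23:44:02Z alice@example.com IMAP Fetch 198.51.100.77 1400
2019-11-04T23:49:10Z alice@example.com IMAP Fetch 198.51.100.77 1100
2019-11-05T09:15:00Z bob@example.com IMAP Login 203.0.113.10 0
2019-11-05T09:16:00Z bob@example.com IMAP Fetch 203.0.113.10 40
"""

# Assumed baseline: IPs each user has previously logged in from (e.g. the office egress IP)
KNOWN_IPS = {"alice@example.com": {"203.0.113.10"}, "bob@example.com": {"203.0.113.10"}}

def parse(log):
    """Turn audit lines into (time, user, client, action, ip, count) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, client, action, ip, n = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       user, client, action, ip, int(n)))
    return events

def detect_bulk_imap(events, known_ips, window=timedelta(minutes=15), threshold=1000):
    """Return (user, ip, messages_fetched) for each IMAP session that pulls more than
    `threshold` messages within `window` of a login from an IP outside the user's baseline."""
    alerts = []
    sessions = {}  # (user, ip) -> [login time, messages fetched so far]
    for ts, user, client, action, ip, n in sorted(events):
        if client != "IMAP":
            continue  # the pattern of interest is IMAP bulk sync, not ordinary client use
        key = (user, ip)
        if action == "Login":
            sessions[key] = [ts, 0]
        elif action == "Fetch" and key in sessions and ts - sessions[key][0] <= window:
            sessions[key][1] += n
            if sessions[key][1] > threshold and ip not in known_ips.get(user, set()):
                alerts.append((user, ip, sessions[key][1]))
                del sessions[key]  # one alert per session
    return alerts

def run_detection():
    """Run the detector over the constructed log with the assumed baseline."""
    return detect_bulk_imap(parse(SAMPLE_LOG), KNOWN_IPS)
```

Here `run_detection()` returns a single alert for the overnight IMAP session from the unfamiliar address; the daytime Outlook use and the small IMAP sync from a known IP are not flagged.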

A weakening of the public domain defence?

After the Sir Cliff Richard v BBC case of 2018 establishing High Court authority for the proposition that individuals have a reasonable expectation of privacy in information regarding criminal investigations, the ZXC v Bloomberg case (which went to trial) followed suit in support of this general proposition. What was striking about ZXC was that the Court granted a final injunction even though the article containing the private information complained of had been published for some time. Therefore, it's clear that private information's availability via the public domain may no longer be a reason to deny its removal post publication. However, with ZXC on appeal to the Court of Appeal, 2020 could possibly see the reversal of the general proposition established in Richard, and bolstered in ZXC, which would be a step back for privacy advocates.

High profile individuals to turn the reputation management tables on the media?

The only other privacy trial in 2020, Bull v Desporte (which involved a privacy and copyright claim by a past lottery winner against a former lover over a book she published via Amazon) reiterated that the "kiss n tell" remains a very risky enterprise. But the big news in misuse of privacy claims has been the high profile individuals fighting back with the Duchess of Sussex and Ben Stokes launching privacy claims against Associated Newspapers and News Group Newspapers respectively. For the Duchess of Sussex, her claims against Associated over its publication of vast swathes of a letter she wrote to her estranged father appear to be her strongest, most striking claim against the publisher after a long period of intense adverse press against her and Prince Harry. No doubt the Duchess of Sussex's legal team will be keen to avoid turning the claim into a reputational own goal and will be looking to dispose of the claim summarily rather than risk a very public trial. But the development of this claim and its twists and turns will be fascinating to watch in 2020.

Ben Stokes (and his mother) have sued over articles, based on past press reports and a family interview, published by The Sun regarding events which took place 31 years ago in New Zealand when Stokes' mother's ex-husband killed her two children and then himself. The claim is novel given that a death is a matter of public record and the events are in the public domain (and may echo the ZXC case and the weakening public domain defence). Both these claims indicate, first, that the appetite to sue the English press post publication when a "line has been crossed" is increasing and, second, that the English press may consider that enough time has passed since Leveson to return to a more brazen approach. The Stokes story has also seen a public backlash against The Sun, which is something claimants will want to continue to capitalise on in 2020 as newspapers are becoming more concerned about, and more vulnerable to, their own reputational damage.

Taking reputation management global

Online, the recent cases of Eva Glawischnig-Piesczek v Facebook Ireland Limited and Google v CNIL have taken things several steps forward, but several steps back. While it was established in the former that the court of a Member State could make an order requiring the removal of identical or equivalent defamatory allegations (i.e. inaccurate personal data), as well as the original defamatory allegations, and that such an order could be made worldwide as long as it was within the framework of international law, both cases acknowledged the boundaries of EU law. Both cases, the latter explicitly so, made it clear that EU law could not extend to the USA (where Facebook and Google are headquartered). The decision against the CNIL flowed from Google's direct challenge against its fine for failing to delist and remove search results from Google.com following the delisting and removal of search results from EU Google domains. The court said the fine was wrong because EU law could not compel Google to delist and remove in the States. This has curtailed the power of the right to be forgotten as a reputation management tool as, according to this decision, it cannot extend into the USA. This was to be expected, but 2020 is likely to see claimants finding other ways to deal with search results in the States, perhaps via more SEO or direct actions against the underlying publishers.

The Wag'atha Christie effect

Last, but by no means least, the Coleen Rooney (aka Wag'atha Christie) versus Rebekah Vardy saga (whereby Coleen used private blocking on Instagram to expose Vardy's alleged misuse of privacy in selling stories about her to The Sun newspaper) no doubt wins first prize for being the most compelling and entertaining public data privacy spat of 2019. If you missed it, go read about it. Its unfolding has triggered open reputation management warfare between the two, and beyond. No doubt 2020 will see a spate of Coleen-inspired reputation hit jobs, played out in the media for full effect.

