What's next for data privacy?

2021 – the year of privacy (value) by design

2021 will finally be the year when 'privacy' becomes recognised as an asset with revenue centric value.

While many businesses remain caught in the headlights of GDPR, those wearing their privacy dark glasses have adopted robust and demonstrable accountability even if they cannot guarantee 100% compliance. After all, does anyone know what that really looks like yet?

Privacy assurance brings the ability to push the business forward rather than stifle innovation through GDPR-provoked paralysis. With the recognition that visible privacy accountability has value, businesses with a compliance programme which anticipates and heads off problems, will distinguish themselves from those which see privacy as a mythical concept over the next year.

Stakeholders – whether that's consumers, customers, investors, markets and key commercial partners – will reap the rewards of privacy value by design which will, in turn, bring increased asset value to the privacy-confident business.

The Moon will get EU adequacy status before the UK

Is low earth orbit infrastructure way beyond the binary reach of adequacy status? So much data is exported to data centres in the cloud with further growth in the data centre sector continually predicted by analysts. This may help quench the thirst for more data transacting capability and storage, but as we have seen this year, it also creates a challenge for legitimising data exports under EU laws.

Many commentators argue that as we continue to store increasingly large amounts of data in the cloud, the growth in the number of data centres requires a correspondingly larger consumption of energy. We'll leave you to decide whether breaching data transfer laws is better or worse than impacting environmental sustainability, or whether those combined ills are our worst nightmare. However, we've yet to see David Attenborough opine on data exports and we aren't predicting he will in 2021.

We've already started to see commercial innovation upwards, way above the reach of conventional air-miles, with innovative solutions to store the massive amounts of data in space through satellites as an alternative to traditional cloud (which we all know really means land-based data centres). Of course, these data centres are reportedly embracing sustainable energy sources and improving their green credentials, especially though embracing renewables, but this may not be enough for the data hungry world.

Data storage services using low earth orbit satellites (LEOS) could form a sort of eco-friendly SONOS for space data centres. The future of data storage in space may still be aspirational but LEOS seemed like a pipedream only months ago.

Could there be a coincidental advantage in transferring data to storage beyond the clouds and beyond traditional legally defined borders which present such a commercially challenging issue under EU data laws? Could a common space data space (it'll need a better name) challenge traditional concepts of data borders and provide the answer to what are seen as protectionist data laws that seek to barricade consumer data behind digital border walls? Could they provide an alternative to SCCs and EDPD risk evaluations and make us wonder how the architects of GDPR ever envisaged such a mundane approach to extra-territorial reach?

As we approach the season, maybe the answer to data exports is more "above you" than "behind-you". And maybe 2021 is the year for technology to push through borders in more ways than envisaged by the CJEU!

Data subjects will have their day in court

The threat of fines into many millions from the advent of GDPR has come to fruition with 2019/20 penalties running into double-digit millions (euros or pounds – take your pick!). We're also seeing data subjects mounting a charge using class or group actions that not only haemorrhage business resource but create a powerful lobby for change.

Class actions have been started (if not decided) around data breaches and adtech, in particular. Many of these are being brought privacy campaign groups but you could emulate Max Schrems, who now has two CJEU cases named after him.

2021 will be a failure without data trust

The overwhelming focus of governments and local authorities right now is to keep the pandemic under control, to minimise the impact on health, and to balance that with protecting the economy. Saving lives has obviously been paramount and part of that is understanding the key drivers needed to put related measures in place. Across the spectrum, data plays an essential role.

Whether it's curbs on the movement of people (through social distancing, self-isolation or lockdowns), reporting from healthcare helplines, COVID tests, temperature tests, travel data, contact tracing, or vaccine and treatment development, these all need reliable data, so access is crucial isn't it? And yet this data has stringent protections under a GDPR which never fully envisaged the current scenario, despite its many re-drafts before enactment.

Is it time to challenge the sacrosanct nature of the data protection principles when the greater collection of data and its importance to 'the science' is so blindingly obvious? Without data will we know, for example, whether physical retail space is a safe environment or otherwise a known quantifiable risk factor on the impact of the all-important 'R' factor? And what about transport, sports, gyms, restaurants? The list goes on…

Will 2021 see a shift of emphasis where we dare to challenge the privacy barrier and start with the questions to which we need answers and better predictability, and then ask what data we need to fulfil that and how to get it in a way which still protects the rights of individuals?

In 2021, we need to look at data with the mindset of problem solving rather than using GDPR as an insurmountable stumbling block. More questions around data will inevitably arise as we move through to vaccinations and their effectiveness, and need to roll them out with fast and agile predictability – and guess what? This will need more not less data.

We need to be bold and overcome the challenges to greater data collection rather than continue to hamper health and the economy by not knowing what we otherwise could. Of course, this must and only can be achieved with proper protections that individuals trust. Lack of digital trust is often cited as the major factor preventing greater data collection, but in 2021, we need to achieve data trust by default. After all, surely it's too important not to?

The shield will become a sword – deep fakes 

As we become more aware of the increasingly murky world of fake content and disinformation, it's hard not to be 'creeped out' by the use of AI to create deep fakes. This is content such as videos that appear to show a person of influence – an electoral candidate, celebrity or maybe even corporate senior leadership – doing or saying things they have never done or said. Deep fakes have become so sophisticated that it's almost impossible to spot the better ones and it's hard to stop their increasing circulation.

Of course, laws that make the creation of such content unlawful are theoretically possible, but there will be a tangle of competing rights to unwind. 2021 should reveal how the UK and EU are going to approach the issue as their plans for tackling unlawful and harmful content are revealed – but could the GDPR help?

2021 could be the year an individual argues in court that a deep fake of them is their personal data because it convincingly (even if wrongly) identifies them. Establishing deep fakes as personal data would give rise to all the accompanying GDPR rights including subject access to discover whether the controller has a deep fake of you, and the right to correct inaccurate data, and even to delete it.

Given the long reach of the GDPR and the fact that more GDPR-style laws are being enacted around the world, 2021 is likely to see continuing development of data protection being used as a sword and not just a shield.

Find out more

If you'd like to discuss any of the issues raised in this article in greater detail, please reach out to a member of Technology, Media & Communications team.