Breaking down barriers or building up barricades? The outlook for data privacy in 2022

There are abundant lessons to be learned from the pandemic but one of them is surely just how vital data is to managing the risks facing humanity. Yes, test and trace had its issues, but data has been at the heart of understanding, managing and responding to COVID-19; the consequences had COVID hit a few decades earlier are unimaginable. 

We think this will be a driver for a central theme of 2022: working out how to harness public data ethically while protecting privacy. Where are the boundaries? Well, there will be different solutions for different countries and that will bring its own issues. The big question is whether any of these solutions will pave the way to harnessing that data without regulatory friction or whether they will slow down data-powered progress.

Data as DNA

For years data, especially personal data, has been seen as central to some businesses but fringe for others. That distinction is eroding. Data-rich businesses certainly have greater compliance considerations than, say, a small business which only processes personal data for HR and marketing purposes. But data is becoming a tool for every type of organisation and is embedded in ways which were the stuff of science fiction when the GDPR was being agreed. 

Such is the pace of development in data-centric business models, whether they are brand new or transformed existing businesses, that the need for and value of faster, more accurate data decisions based on more granular data insights is ever-increasing. They are what will give the ability understand, to innovate, to improve and to differentiate. The DNA of a business will rely more and more on data-driven insight and the speed of access to that insight. 

This means understanding data will move beyond the remit of the DPO, even in organisations which are not seen as traditionally data rich. It's easy to see how the data asset role will become more central to a business, maybe as important as the CFO, CRO, and even the CEO? 2022 could herald that shift to the C-Suite fit for tomorrow.

To share or not to share?

We've seen the issues of data transfers dominate 2021 and the question of when and how personal data can be transferred across borders will remain important in 2022. The sighs of relief as the UK gained EU adequacy were tempered by the complex and confusing criteria for transferring data to third countries. Not to mention that an EU-US or UK-US adequacy agreements remain elusive. 

The real issue is that while there are 'data blocks' of countries with the same or similar standards, there is no global approach and there is unlikely to be one any time soon. Even the US is struggling to come up with a common approach across its states. While California, Virginia and Colorado have, or are enacting, privacy legislation, a federal privacy law seems some way off and proposals come and go.

There are different schools of thought: those who want data to be transferrable across borders (with privacy protections in place), and those who think there is both an economic and national security advantage to localising data. These differences will only become more pronounced over the next year, whether they are 'exports with benefits' or a Venus-data-flytrap in the guise of a panacea to exports 

A UK solution

The UK is currently consulting on plans to depart from the GDPR. This will be a delicate process as it has much to gain but also plenty to lose. 

Responses to the consultation have already warned how important it is to keep EU adequacy. The EU was careful to build in the power to suspend or withdraw the decision at any time should the UK move too far away from the EU GDPR. Alarm bells are surely ringing in Brussels at the thought of a UK-US adequacy agreement, businesses drawing up their own SCCs, or at the ICO being required to take into account not just data protection law, but also economic policy. 

If, however, the UK can get the balance right, there is a chance that a more flexible data protection regime could lead to the UK becoming the centre for R&D and innovation that the government aspires to. 

Reducing some of the bureaucracy around GDPR – for example the Article 30 record keeping requirements, reforming the transparency framework, removing the need for DPIAs and prior consultation with the ICO, and allowing a more risk-based approach – could well encourage businesses to locate in the UK.

A more flexible regime can both open up innovation and satisfy EU requirements. Israel, notably, has managed to achieve EU adequacy with a regime that allows it to be an innovation hotspot – although it has also been at the centre of the NSO spyware scandal. 

There is a risk that businesses may be put off by the UK having a different regime to the EU's and choose to locate their cross-border operations within the EU, or simply default to the highest compliance common denominator. However, the revenue realisation of harnessing data power may mean that the costs of navigating any differences in operationalising data standards are seen as a price worth paying if the data-driven benefits, especially in R&D and being first to prove market viability, outweigh an operational compliance cost. 

The UK will have a careful line to tread next year as it starts to move away from the EU GDPR, and we will all have to get to grips with the changes, especially as some of them could be the business enabler you’ve been waiting for. 

The alternative approach

Not all countries see an open data protection regime as the route to economic success. Countries including Russia and China are trending towards an approach seen by many as isolationist given their data localisation measures, particularly where the data touches on national security and economically critical areas.

Neither the EU nor UK are openly keen for data to become geographically ring-fenced but at the same time, for businesses which operate across borders (for example, cloud service providers) there are arguments for locating servers in the EU to host EU data. This is particularly true of health data which is more likely to attract localisation requirements and has been the subject of much debate at EU and Member State level, for example, in France and Germany.  

We may well see more countries move to localise at least certain types of data beyond the current restrictions on transfers to third countries without additional protections which regimes like GDPR already have in place. Legislation like the proposed EC Data Governance Act has grand aims to promote harmonisation for the EU data centre eco-system in areas like B2B data portability. It could, however, also provide a framework for localisation.

What is there to worry about?

For the private and public sector alike the advantages of as much access to and flexibility with data seem obvious, but for individuals, this can be less clear. 

The UK had to delay plans to share health data by default after a public outcry. Facebook recently announced it would stop using its facial recognition system which it used to suggest tagging of photos, drawing on its database of 1 billion photos. But nobody is walking away from these concepts. 

With AI used in every area of life, automated profiling is on the rise. There are protections in the GDPR where the results of such profiling have legal or similarly significant effect, but does that make you feel comfortable with, for example, what The Guardian called "the dawn of tappigraphy", technology which measures swipes and jabs on a home screen to infer mood, mental performance levels and sleep patterns? 

There are hopes that this technology will be used in digital phenotyping. This developing area takes raw data from devices and uses AI to analyse behaviour relating to health and disease. Ultimately it is hoped this will provide early diagnosis and monitoring of health conditions. 

That sounds great – but what if it is also used to more sinister effect? There has already been a lot of controversy around technology which is used to monitor the output of employees working from home and suddenly a Minority Report world doesn't seem so far away. Take up of or resistance to these technologies will boil down to how much individuals trust their governments.

Data for the common good

As data becomes more embedded in our lives thanks to the ever-growing power of AI, governments are all too aware of the need to build up trust. 

The EC's Data Governance Act has been prioritised for completion next year. This is a serious attempt to set up a trusted framework to allow private/public data sharing. 

The UK's National Data Strategy has similar aims and some of the changes proposed to the UK GDPR focus on facilitating the use of personal data for scientific research.

The EC also published its draft AI Regulation in 2021, which looks to regulate AI and ban particularly privacy intrusive uses. Again, the UK is moving towards similar goals (although has not yet proposed legislation) with its National AI Strategy. 

Meanwhile there are also international initiatives to set out ground rules for the use of AI. Whether or not they will be any more successful than the COP 26 summit remains to be seen but while we're on the subject, data can play a significant role in in helping to understand and tackle climate change. This won't always be personal data but there will still need to be mechanisms in place to allow public/private sector data flows, adding to the impetus to facilitate this over the next year.

2022 – everything to play for

Harnessing the power of data in a way which benefits data subjects as well as the organisations processing the data will be about getting the balance right. Privacy by design, transparency and data minimisation (preferably by anonymisation where appropriate) will be vital. 

2022 will be about working out how best to enable an ethical competitive advantage. More or less regulation? Easier transfers or localisation requirements? Those who get it wrong, from tech giants to governments, to start-ups, will ultimately find they lose out to those who make the effort to get it right – there is everything to play for.

Find out more

To discuss these predictions in more detail, please reach out to a member of our Technology, Media & Technology team.