Nothing is certain

The ever-changing world of data protection has lost none of its pace. Exacerbated by the almost global transition to a life online, homes became offices, Zoom became the go-to meeting place and Teams became the world’s virtual water cooler. With this increased reliance on technology to support remote working and digital communications, the need to protect corporate data and confidential information while working from home has become vitally important.

It comes as no surprise that, with remote working, the likelihood of data breaches and non-compliance with data legislation has increased. According to Ruth Boardman, co-head of Bird & Bird’s international privacy and data protection group, ‘Companies have been facing increasing demands from the volume of data protection queries for some time. There is a real sense of the pace of this increasing though. The demands on in-house teams are significant and many of our clients are looking to increase the size of their in-house teams dealing with data privacy as a result’.

For Nick Graham, global co-chair of the privacy and cybersecurity group at Dentons, the single biggest change this year has been related to the pandemic and the fact that most people are working from home. ‘This likely increases the data breach risk and poses additional challenges in terms of risk assessing how to ensure compliance with rules and guidance.’

Phishing attacks have been the primary culprit for the increase in data breaches, with HMRC reporting a 73% rise in email phishing attacks during the UK’s first lockdown period. Stewart Room, global head of data protection, privacy and cybersecurity at DWF, comments: ‘The pandemic has seen a significant increase in phishing attacks and other forms of social engineering, reminding us of an important lesson of crime, which is that it is relentless and constantly opportunistic’.

For Room, ransomware attacks also pose a notable threat to businesses and their operations; ‘One of the most challenging areas of cybersecurity is dealing with ransomware attacks, due to the magnitude of the operational impacts and the very delicate issue of dealing with criminals to recover data. Handling ransom negotiations puts the business, including the GC, into a dark world of criminality that requires extreme care, for example to avoid breaching sanctions lists, and access to verifiable expertise from third-party service providers.’

However, not all breaches stem from such malicious sources. As Richard Cumbley, Linklaters’ global head of TMT and IP comments: ‘The majority of the data breaches we see continue to be the result of human error or issues with passwords (in particular ‘stuffing’ and ‘spraying’ attacks).’

Room adds: ‘Working from home casts a spotlight on the issues of worker monitoring and surveillance and new ideas, such as “the right to disconnect”. WFH has also seen the return of “old-form” risks that had previously been corporately tackled, such as “over the shoulder” breaches, breaching of the business sandbox and unsafe disposal of paper.’

As noted by Hazel Grant, head of the privacy, security and information group at Fieldfisher: ‘Over the last year, the need for training and managing/monitoring the human error side of data protection has increased. This leads to conflicting aims: on the one side increased remote monitoring/scrutiny of employees is good because it helps prevent data incidents, but on the other hand this can be difficult to achieve in a data protection compliant way’.

So, how to tackle these problems? Cumbley suggests there is no silver bullet to defending against cyber attacks and instead businesses need to adopt a multi-layered defence to not only prevent intruders from accessing systems but detect them if they succeed and protect data from exfiltration. For Room, the solution lies in education – businesses need to focus on the fundamentals, such as teaching about phishing risks, maintaining backups and utilising data loss prevention strategies.

Grant agrees: ‘The approach should involve very clear notices, training on the system, education about how it is monitored and clear procedures that explain how the system should be used/what is expected from employees. So this is a mixture of data protection and employment law advice.’

Brexit fallout

Once the initial shock of the pandemic subsided and the imposed societal changes gradually became the ‘new normal’, the focus of the data protection world shifted back to the impending Brexit negotiations and the impact of EU legislation on the UK going forward. According to Grant: ‘For most clients so far, the issues with Brexit have involved changes to language to refer to the UK and the EU, and looking at their privacy management structure (so appointing representatives in both the UK and the EU for example).’

She continues; ‘Fortunately it looks likely that the really big challenge (international data transfers from the EU to the UK) will be resolved by adequacy.’

Discussions regarding the UK’s adequacy status have dominated debates in recent years and, in early 2021, the European Commission drafted decisions that will continue to facilitate the exchange of data between the EU and the UK. Graham comments: ‘For the UK, this is probably the single biggest proposed regulatory change as it will allow the UK to continue to receive personal data from EU entities without the need for standard contractual clauses, binding corporate rules or other additional steps’. According to Cumbley, ‘The draft decision by the EU Commission to find the UK adequate has been universally welcomed by business. Without adequacy, there is a risk of significant disruption to data flows between the EU and the UK’.

While the decision has eased worries and set out a path for data experts, the finish line hasn’t quite been reached. ‘The EU Commission’s draft decision still needs to be considered by the European Data Protection Board and approved by the comitology process, so we are not out of the woods yet,’ says Cumbley. ‘Similarly, the UK government wants to take a more liberal approach to data transfers to third countries (such as the US), which could create conflicts with the EU’.

Room also adds: ‘Yes, there will be communities who do not want the UK to get the badge of adequacy (particularly members of the privacy activist community), but the UK and EU have their eye on a bigger prize, which is getting the global economy back on its feet. Data protection is not going to stand in the way’.

Beyond the UK’s adequacy status, further legislation changes and rulings both at home and abroad continue to create work. Building on the data transfer issues covered above, the mid-2020 Court of Justice of the EU decision in Schrems II added further fuel to the fire. Boardman states: ‘Everyone transfers personal data or relies on suppliers who do this. Schrems II says this is no longer safe – its the data protection equivalent of the floor being taken out from under you. At a minimum, substantial due diligence has to be done before transfers are undertaken. Depending on the results of that due diligence, transfers may still be able to take place, they may need difficult additional safeguards, or they may need to stop altogether. Its resource intensive and has the potential to cause significant business change’.

Looking ahead, what does the future hold? One key piece of legislation on the horizon is the EU’s ePrivacy Regulation, which will replace the 2002 ePrivacy Directive and bring it up to date, taking into account the 2018 implementation of GDPR. As is always the case, the regulation is not without its issues, according to Graham: ‘We have a new draft ePrivacy Regulation which is triggering an ongoing debate as to whether cookie walls (so you only get access to website content if you agree the website can use your cookies to target advertising) are legal. The latest drafts make a special exception for newspapers with a lighter-touch consent needed from the user. It’s unlikely, however, that the European Parliament or European Data Protection Board will agree. This remains a matter of debate.’

From Room’s perspective, the world of data litigation should be a more pressing focus for GCs. ‘The regulatory developments pale in significance to the litigation developments. Businesses need to think more about litigation risk and litigation posture. It’s crystal clear that a compensation claims market has now emerged that runs alongside large-scale group litigation and representative actions risk. The compensation claims market for data protection breaches has matured significantly over the past year, with members of the public and high street lawyers joining the fray alongside the more established litigation actors.’

While the EU has made substantial strides towards regulating the market and providing more transparency, many elements of the data world remain uncertain or contentious in nature. The recent ruling on Schrems II, as well as the upcoming Supreme Court hearing for the high-profile Richard Lloyd v Google case and the proposed ePrivacy regulations also throw spanners into the works for data transfers, tracking processes and the commercialisation of data, areas in which consumer involvement and scrutiny is increasing. There’s clearly no one-size-fits-all solution, and the uncertainty and changeability of the data landscape look set to continue for the foreseeable future.