Data Protection Predictions 2019

2018 was a landmark year for data protection and privacy; the EU General Data Protection Regulation ("GDPR") came into effect on 25 May 2018 and implemented a comprehensive reform of the EU data protection regime. So what could 2019 possibly have in store for data protection and privacy? This article sets out some predictions for further data protection developments in the year to come.

• First and foremost, we can't avoid Brexit. Deal or no deal, the impact of this world-changing event will be keenly felt in the data protection landscape. Long-term, we will need to wait until 2020 at least to see if the UK is found to be "adequate", but the short-term impact will depend very much on the ability of the politicians to agree on exit. Please click here to read our latest bulletin on the potential impact of Brexit on data protection.
• The Court of Appeal judgment in the Morrisons case, combined with the legislative changes made by the GDPR, increased public awareness of data protection issues, and the publicity that the case attracted, could spark a new wave of class action court cases from workers and customers in the event of a data breach. Whilst individuals may not themselves be entitled to significant sums, if the data breach affects large numbers of individuals, the total potential liability for organisations could become commensurately large. Please click here to read our bulletin on the Court of Appeal judgment in the Morrisons case.
• After US mid-term elections gave the Democrats control over the House of Representatives, and data privacy scandals such as the Facebook/Cambridge Analytica one saw privacy being scrutinised by the Senate, could the prospect of a US federal privacy law analogous to the GDPR be a possibility in 2019?
• Although ostensibly technology neutral, 2018 saw calls for the GDPR to be reviewed and amended because it is not fit for purpose for use with new technologies such as blockchain. As technology continues to move ahead of regulation in 2019, is it realistic to expect to see a legal review of the GDPR as an effort to make sure that privacy regulation does not impede innovation?
• The GDPR appears to have resulted in a big shift away from consent as the processing condition relied upon for the majority of commercial processing activities. Higher standards for valid consent have resulted in a move towards reliance on "legitimate interests" instead. But how many organisations are properly carrying-out a legitimate interests assessment before relying on the legitimate interests condition? This could be an area ripe for regulatory scrutiny in 2019.
• The implementation of GDPR in 2018 has resulted in radically increased levels of complaints to the regulator and data breach regulatory notifications, resulting in significant resource pressures being placed on the national supervisory authorities. 2019 could see multiple supervisory authorities across Europe seeking additional resource and funding from national governments in order to be able to cope with demand.
• Use of new technologies and analytics could push the boundaries of "personal data" even further in 2019. For example, increasing use of voice-pattern and gait analysis recognition as a means of identifying and authenticating individuals. Do we need guidance on the fundamental definition of personal data in 2019?
• 2019 will hopefully be the year when the European Data Protection Board addresses some of the key areas of GDPR concern through guidance. Although we finally got draft guidance on extra-territoriality towards the end of 2018, there are still significant gaps in regulatory guidance waiting to be filled in 2019. Please click here to read our bulletin on the EDPB's draft guidance on extra-territoriality.
• 2019 may be the year of the new ePrivacy Regulation. This key piece of legislation, which supplements the GDPR, has already been delayed in the European legislative process. If and when it is finally agreed, can we hope for clarity on issues such as B2B marketing, use of the soft opt-in, and cookie consent?
• Could 2019 be the year when international transfers either sink or swim? Although the recent report on the 2nd annual US Privacy Shield review was less critical than some had expected 2019 could still see: the results of a legal challenge to the standard contractual clauses, an update to the standard contractual clauses to reflect the new legislative regime and Brexit potentially resulting in the UK becoming a third country. All of these factors could make it very difficult for organisations to transfer data around the world in a compliant manner.