2020 is drawing to a close, and in terms of the GDPR too, COVID-19 has taken up massive attention. New questions arose that needed answers, e.g.: Is it allowed for an employer to register data about COVID-19? Is it allowed to transfer data about COVID-19? Where can such data be stored? In several countries, an app was launched as an additional aid for contagion tracing. In addition to such apps, which helped break the chains of infection more rapidly for countries’ own citizens, other apps were introduced to foreign citizens travelling through or to a particular country. As a result, more questions arose since the laws of several countries were to be observed too. Holst, Advokater provided advice to the Robert Koch Institute and the German Ministry of Health about the possibility of extending access to download the German COVID-19 app in Denmark and for Danish citizens.
But not everything was about COVID-19 in 2020. It is quite certain that history books about 2020 will contain the name Maximilian Schrems, an Austrian activist and author who became famous for his campaigns against Facebook claiming violation of privacy rights. Schrems had filed a complaint with the Irish Data Protection Commissioner about the transfer of his personal data from Facebook Ireland to the company’s parent company, Facebook Inc, established in the USA. On 16 July 2020, the CJEU delivered its judgment in the so-called “Schrems II case”, ruling that Privacy Shield is considered invalid. It was a landmark judgment as it also meant that any future transfer of personal data to the USA could not be made by means of Privacy Shield. However, in the same judgment the CJEU also held that the EU Commission’s standard contractual clauses shall still apply, provided the company transferring data to a third country can ensure that a protection of personal data is achieved in the recipient country which is broadly similar to the level of protection in the EU. What this actually requires still remains unresolved, leaving a large number of companies in a state of uncertainty.
Whilst we were still all unaware of COVID-19 and Schrems II in the beginning of 2020, the Danish DPA introduced new guidelines on the processing of personal data on website users following a number of questions which arose in consequence of a GDPR matter at the Danish Meteorological Institute (DMI). Since 2004, DMI had displayed banner ads on its website and thereby contributed to collecting and transferring personal data about website users to Google.
Users of DMI’s website were met by a consent solution providing the users with two options: “OK” and “Show details”. By clicking “OK”, users would give their consent to different processing purposes, including the collection of personal data for creating statistics of users’ use of DMI’s website and for conduct-based marketing in order for the ads of the website to become aimed at the individual user. By clicking “Show details”, users would be given the option of clicking “Update consent” thereby being able to reject any consent.
The DPA determined, inter alia, that (i) a consent must be an active additional option when a website user gives his/her permission that his/her personal data may be processed, (ii) it must be clear which purposes the processing is being made for, and (iii) it must be easy to reject consent – also visually.
This entailed that a lot of companies once again had to go over their texts for consents, in particular also the visual set-up and design of the consent.
What may we expect in 2021 in terms of personal data?
Legislation on personal data is becoming still more complex, and globally new legislation inspired by the GDPR is being implemented. China, the second largest economy in the world, is currently working on a new personal data act which evidently is inspired by the GDPR and will impact all personal data transfers through China. Similarly, a bill for a comprehensive regulation of India’s personal data act, which is also inspired by the GDPR, is awaiting adoption by the Indian Parliament.
International companies will need to keep juggling various sets of legislation during 2021 and onwards, but pari passu with several of the world’s largest economies implementing GDPR-resembling regulations (most recently Brazil and California), we should expect more consistent expectations of personal data processing, regardless of our whereabouts in the world.
In 2020, COVID-19 also entailed that several companies became aware of the opportunity of flexible working hours, and that the physical place of work could just as well be the home. For many companies this has involved a higher scale of compliance work following the extended use of (insecure) home networks and BYOD issues. Some companies have already tackled this problem, but many will presumably not do so until 2021.
The discussion about the entitlement to end-to-end encryption will presumably continue into 2021. In October 2020, the USA, Canada, Great Britain, Australia, New Zealand, India and Japan pointed out that end-to-end encryption technology constituted severe risks to public safety, since the technology could obstruct the protection of children against sexual abuse online. On the one hand it has been argued that end-to-end encryption should e.g. not apply to Facebook Messenger, whilst on the other hand some have argued that if used in one place, it will automatically spread to other places. Any intervention in end-to-end encryption will most certainly create a massive debate in 2021 between large technology companies and activists for privacy rights and may also influence the options for transferring data from the EU to an (insecure) third country.
Henrik Christian Strand, Associated Partner
M, +45 3010 2186
Pernille Kristensen, Attorney
M, +45 3010 2224