WFH, algorithms, and multimillion-pound fines: a year in data protection

My final column of 2020 is in two parts. In this first part, I reflect on what a strange year we’ve had – picking out some of the highlights from an information law perspective. In part two, I’ll be looking forward to what 2021 may bring.

2020: The Year That Turned Data Protection Into a Full‑Throttle Sprint

When COVID hit, it didn’t just spark a health crisis—it shook the very foundations of how we handle data. 2020 saw businesses scrambling to shift from cubicles to couches, forcing data‑privacy teams to rethink everything they thought they knew.

Home‑office Hurdles

Remote work meant every employee was now a potential “security point of entry.” Employers had to:

  • Audit and reinforce security protocols for home networks.
  • Train remote staff in good data‑governance habits—because pizza delivery can’t replace a data‑security briefing.
  • Update policies to reflect this new reality, ensuring the “new normal” isn’t just a phrase on a PowerPoint slide.

Data Collectors of the New Normal

Hospitals, retailers, and even casual restaurants suddenly found themselves collecting a wealth of new data:

  • Track‑and‑trace details for hospitality venues.
  • Routine COVID test results in workplaces.
  • Personal health snapshots—sometimes of employees’ family members—when an employee had to self‑isolate.

All of this falls under the dreaded special category of health data, so organisations had to be extra careful, checking:

  • Lawful basis for collection.
  • Appropriate retention periods.
  • Clear, up‑to‑date privacy notices.

Speedy Data Protection Impact Assessments

Some situations demanded rapid DPIAs—a race against time for both big and small businesses. Meanwhile, the government hit a snag with its contact‑tracing app, prompting a wholesale pivot due to privacy concerns.

Algorithms Take the Spotlight

In the summer, controversy erupted over the use of algorithms for student A‑level and GCSE grading, sparking an important public debate on automated decision‑making and the risk of abuse. Even seasoned data‑protection lawyers admitted to being a bit lost on the rules that govern these systems.

Although the contentious algorithmic decisions ultimately didn’t sail through the ICO or courts, the lesson was clear: Algorithms will only grow more pervasive. The problem is not going anywhere.

Legal Broad‑Strokes of 2020

While there were no sweeping legislative changes, new case law stirred the pot:

  • Morrisons case: The Supreme Court overturned lower‑court rulings that deemed the supermarket liable for an employee’s deliberate leak of payroll data.
  • Key takeaway: Employers can be vicariously liable under data protection law, though not in this specific instance.

In July, the European Court of Justice delivered its landmark Schrems II verdict, invalidating the EU‑US Privacy Shield and setting the stage for a reevaluation of cross‑border data transfers—especially pivotal with Brexit looming.

Regulatory Redirection

Even as day‑to‑day governance was pushed to the sidelines, the ICO didn’t sit still:

  • Granted extra leniency to organisations affected by COVID.
  • Resolved high‑profile cases: British Airways and Marriott famously received massive but discounted GDPR fines—£20 m and £18.4 m respectively—after extra representations.
  • Launched fresh guidance on subject access requests and a clearer accountability framework.

Across Europe, enforcement accelerated:

  • CNIL fined Carrefour over €3 m.
  • Irish DPC slapped Twitter with €450 k.

These cases are a reminder that while GDPR enforcement in the UK is busy, the European scene is equally active, yet the UK might soon be left hanging as those decisions lose force.

What Remains New?

Even after all that noise, the GDPR and the Data Protection Act 2018 are still brand‑new. The entire spectrum—businesses, practitioners, regulators, and courts—is still learning to navigate this fresh landscape.

2020 was a whirlwind, but the data‑privacy world is far from finished. Stay tuned for 2021—there’s more to uncover.