On 15 January 2020, the European Data Protection Supervisor ("EDPS") and the European Data Protection Board ("EDPB") issued a press release announcing their adoption of a joint opinion on the draft new standard contractual clauses ("draft SCCs") published by the European Commission in November 2020.

On 24 December 2020, it was announced that the EU and the UK had finally reached a Brexit agreement (the Trade and Cooperation Agreement) and on the evening of 31 December 2020, the Brexit Transition Period officially ended.

Back in February of this year, the European Commission published its European Digital Strategy, envisioning major social and economic change on the use of data and technologies throughout the Member States. The overall strategy seeks to create a single market for data that will ensure data sovereignty for Europe and enhance its competitiveness on the global stage – all just in time for Brexit.

Around the world the privacy landscape has shifted considerably in the last 12 months -- from significant legal and policy changes, such as the implementation of the California Consumer Privacy Act (CCPA) and the Schrems II decision in the EU, which further complicated cross-border data transfers – to novel privacy issues related to sharing of medical data related to COVID-19. In this post, we take a look at the top privacy issues that our clients faced in 2020 and what they should be focusing on in 2021.

The European Commission recently released the draft standard contractual clauses between controllers and processors in the European Economic Area - i.e., draft data processing provisions in line with Article 28 of the GDPR (the “Draft Art. 28 SCCs”) which are open for consultation until early December.

The European Commission has, today, published its draft Implementing Decision on standard contractual clauses for the transfer of personal data to third countries (the “Draft SCCs”) which will be open for feedback until 10 December 2020.

On 29 October 2020, the European Data Protection Supervisor (“EDPS”) issued its “Strategy for Union institutions, offices, bodies and agencies to comply with the ‘Schrems II’ Ruling” (the “Strategy”). The aim of the Strategy is to monitor and ensure the compliance of EU Institutions, bodies, offices and agencies (“EUIs”) with the Schrems II decision. It is important to note therefore that this Strategy does not apply to corporate organisations, or non-EU institutions, but it does provide a useful insight for all organisations as to the views of the EDPS with respect to international transfers of personal data. The question is, how far will EU data protection authorities follow suit? Will they take a similarly strict stance towards international transfers as discussed below?

Even as companies are still bringing their practices into compliance with the California Consumer Privacy Act (the “CCPA”) and its associated regulations (which are currently under further amendment), Tuesday’s election results will require companies to revisit their data collection and privacy practices to an even greater degree.

The UK Information Commissioner’s Office (ICO) has recently published new guidance on the right of access under the GDPR (Article 15). The right of access gives individuals the right to request and obtain a copy of their personal data, as well as other supplementary information, and helps individuals understand how and why organisations are using their data.