December 29, 2021
Top 10 Privacy Moments of 2021: 3-1
In the final part of this three-part series, we take a look at the top 3 privacy developments of 2021. In part one, we started the countdown by looking at notable moments in Brazil, the APAC region, the Middle East, and Quebec. In part two we explored significant developments related to cookies, the EU Whistleblowing Directive, and US state privacy laws. And now, the top 3 privacy moments of 2021.
UK Data Protection Regime
In September this year, the UK Government launched a consultation on proposed reforms to the UK’s data protection regime. The proposals included changes to the accountability framework under the GDPR seeking a more flexible, risk-based approach. Additionally, as part of the proposals, obligations such as data protection officer (‘DPO’) appointment, Data Protection Impact Assessments (‘DPIA’), and records of processing could be removed.
The proposed reforms would also provide for the use of analytical cookies without the user’s consent in certain circumstances and would extend the use of soft opt-in to electronic communications.
In October, the UK Information Commissioner’s Office (ICO) published its response to the proposals. The ICO largely welcomed the Government’s proposed reforms and the chance to respond to the consultation on future data protection reform in the UK.
The consultation period for the proposed reforms closed on November 19, 2021, and we await the next steps from the UK Government.
- OneTrust Blog: UK Government Launches Consultation on Data Reform
- OneTrust Blog: ICO Responds to DCMS Consultation on UK Data Reforms
- OneTrust DataGuidance Portal: UK Post-Brexit
China’s PIPL & DSL
One of the most hotly anticipated privacy laws of the year was finally adopted in August. The National People’s Congress (NPC) in China announced that it had adopted the Personal Information Protection Law (PIPL) and that the law would take effect on November 1, 2021. The PIPL regulates the collection and use of personal information in China, offers a set of new rights to data subjects, and sets out requirements for data controllers and data processors, among other things. Many of the PIPL’s provisions mirror the GDPR and include principles similar to purpose limitation, use limitation, and transparency.
Additionally, the PIPL establishes heavy penalties for the violation of its provisions and, although there have been no enforcement decisions issued under the PIPL, the Provincial Cyberspace Administrations have begun initiating special rectification to implement the PIPL.
In addition to the PIPL, China’s Data Security Law (DSL) was passed on June 10 and entered into effect on September 1. The DSL regulates data processing activities associated with personal and non-personal data and introduces data security protection obligations for information processors. These obligations include designating individuals responsible for data security, the establishment of data security management bodies, and conducting risk assessments, among other things.
- OneTrust Blog: China’s Personal Information Protection Law to Take Effect November 1, 2021
- OneTrust DataGuidance Portal: China’s PIPL and DSL
- OneTrust DataGuidance Infographic: China PIPL Overview
European Commission Standard Contractual Clauses & EDPB Final Guidance
Mid-way through 2021, the fallout from the Schrems II case came to a head. On June 4, 2021, the European Commission adopted two new sets of modernized SCCs. The new SCCs covered two use cases that were developed to be better aligned with modern transfer scenarios. One use case highlighted data transfers between Controllers and Processors under Article 28 of the GDPR while the other covered the transfer of personal data to third countries.
Later that month the European Data Protection Board (EDPB) adopted its long-awaited final recommendations on supplementary measures to ensure an EU equivalent level of personal data protection when transferring data internationally. The final guidance outlined a six-step roadmap to help support data exporters and importers to ensure that the Article 46 transfer tool they were relying on offers an equivalent level of data protection to that found in the EU. Also included in the EDPB’s six-step roadmap was the need to conduct a Transfer Impact Assessment (TIA) which, among other things, assesses the legal frameworks of the third countries prior to transferring personal data.
Both developments gave organizations long-awaited clarity on how to carry out lawful data transfers. However, they also brought a new administrative challenge of updating existing contracts that contained the old SCCs as well as assessing transfers of personal data to third countries.
- OneTrust DataGuidance News: Commission adopts new SCCs for exchanges of personal data
- OneTrust DataGuidance News: EDPB adopts final version of recommendations on supplementary measures
- OneTrust DataGuidance Blog: The Definitive Guide to Schrems II
- OneTrust Resource: Transfer Impact Assessment (TIA) Checklist
- OneTrust Solutions: Schrems II