Top 10 Privacy Moments of 2021: 3-1

Count down the 10 biggest privacy developments of the past 12 months.


In the final part of this three-part series, we take a look at the top 3 privacy developments of 2021. In part one, we started the countdown by looking at notable moments in Brazil, the APAC region, the Middle East, and Quebec. In part two, we explored significant developments related to cookies, the EU Whistleblowing Directive, and US state privacy laws. And now, the top 3 privacy moments of 2021.



  3. UK Data Protection Regime

In September this year, the UK Government launched a consultation on proposed reforms to the UK’s data protection regime. The proposals included changes to the accountability framework under the GDPR seeking a more flexible, risk-based approach. Additionally, as part of the proposals, obligations such as data protection officer (‘DPO’) appointment, Data Protection Impact Assessments (‘DPIA’), and records of processing could be removed.  

The proposed reforms would also provide for the use of analytical cookies without the user’s consent in certain circumstances and would extend the use of soft opt-in to electronic communications.  

In October, the UK Information Commissioner’s Office (ICO) published its response to the proposals. The ICO largely welcomed the Government’s proposed reforms and the chance to respond to the consultation on future data protection reform in the UK.

The consultation period for the proposed reforms closed on November 19, 2021, and we await the next steps from the UK Government.  


  2. China’s PIPL & DSL

One of the most hotly anticipated privacy laws of the year was finally adopted in August. The National People’s Congress (NPC) in China announced that it had adopted the Personal Information Protection Law (PIPL) and that the law would take effect on November 1, 2021. The PIPL regulates the collection and use of personal information in China, offers a set of new rights to data subjects, and sets out requirements for data controllers and data processors, among other things. Many of the PIPL’s provisions mirror the GDPR and include principles similar to purpose limitation, use limitation, and transparency.

Additionally, the PIPL establishes heavy penalties for the violation of its provisions and, although there have been no enforcement decisions issued under the PIPL, the Provincial Cyberspace Administrations have begun initiating special rectification to implement the PIPL. 

In addition to the PIPL, China’s Data Security Law (DSL) was passed on June 10 and entered into effect on September 1. The DSL regulates data processing activities associated with personal and non-personal data and introduces data security protection obligations for information processors. These obligations include designating individuals responsible for data security, the establishment of data security management bodies, and conducting risk assessments, among other things. 


  1. European Commission Standard Contractual Clauses & EDPB Final Guidance

Mid-way through 2021, the fallout from the Schrems II case came to a head. On June 4, 2021, the European Commission adopted two new sets of modernized SCCs. The new SCCs covered two use cases that were developed to be better aligned with modern transfer scenarios. One use case highlighted data transfers between Controllers and Processors under Article 28 of the GDPR while the other covered the transfer of personal data to third countries.  

Later that month, the European Data Protection Board (EDPB) adopted its long-awaited final recommendations on supplementary measures to ensure an EU-equivalent level of personal data protection when transferring data internationally. The final guidance outlined a six-step roadmap to help data exporters and importers ensure that the Article 46 transfer tool they were relying on offers an equivalent level of data protection to that found in the EU. Also included in the EDPB’s six-step roadmap was the need to conduct a Transfer Impact Assessment (TIA) which, among other things, assesses the legal frameworks of the third countries prior to transferring personal data.

Both developments gave organizations long-awaited clarity on how to carry out lawful data transfers. However, they also brought a new administrative challenge of updating existing contracts that contained the old SCCs as well as assessing transfers of personal data to third countries. 

