Data protection shifts up a gear as pressure mounts on governments to regulate

Ruth Green, Thursday 3 March 2022

As consumer demand continues to drive tech trends, the stakes for companies sharing and protecting data in this space have never been higher. In-House Perspective highlights what in-house teams need to know about developments across multiple jurisdictions.

‘The regulatory tsunami is coming,’ says Julie Brill, Microsoft’s Chief Privacy Officer and Corporate Vice-President for Global Privacy and Regulatory Affairs, with the reassuring candour of someone who knows all too well what path companies and governments need to go down. Brill, who has spent three decades focusing on data protection and privacy issues, says it’s high time the tech sector embraced regulation in the interests of consumers.

‘If you look at the cars we drive, the planes we fly, the medicines we purchase, the financial services we run and rely on – all of these are areas where we see regulations governing the products and the companies that provide them,’ she says. Technology companies have faced comparatively less regulation to date, but Brill believes the pandemic has strengthened the sector’s resolve to operate responsibly ‘in a safe and protective manner for individuals.’

Most experts agree that the EU’s General Data Protection Regulation (GDPR) has become the global benchmark for privacy regulation. In the UK there are significant challenges ahead as the government looks to mark a departure from the GDPR in the wake of Brexit. The UK’s new information commissioner – John Edwards, New Zealand’s former privacy commissioner – has been tasked with overseeing the country’s transition to a new data protection regime.

In June 2021, the EU adopted the much-anticipated ‘adequacy decision’ for the UK, ensuring the free movement of data between the EU and the UK could continue after Brexit. Adam Rose, Co-Chair of the IBA Data Protection Governance and Privacy Subcommittee and a partner at Mishcon de Reya in London, says there’s a danger that if UK regulation strays too far from the GDPR, then the EU could revoke the adequacy decision, plunging businesses that transfer data across EU borders into turmoil.

‘The government’s proposals at the moment are all set to be heading in the direction of removing some of the obligations and restrictions on businesses and at the same time giving individuals greater control over their personal data,’ says Rose. ‘If we openly move away from the kinds of protections that Europe has said we need to have in order to have a finding of adequacy, there must be a risk that Europe might turn around and say we haven’t got the right level of protection of personal data and therefore we’re no longer an adequate location,’ he says.

A recent UK Supreme Court ruling could also have significant repercussions. In November 2021, in Lloyd v Google, the Court dismissed claims on behalf of a group of Apple iPhone users that their internet activity had been secretly tracked by Google.

The judgment provided welcome clarity for tech businesses wary of an onslaught of mass privacy class actions. However, Rose warns it could inadvertently push the UK’s data protection regime further away from the GDPR’s balanced approach. ‘For individuals in circumstances where their data has been taken by a company whom they trusted to hold their data […] the impact of that judgment prevents them from actually having an effective judicial remedy for that breach,’ he says. ‘If individuals don’t have effective judicial remedy under English law, again I’d query whether the European Union’s finding of adequacy is sustainable.’

Google declined to comment on the ruling when approached by In-House Perspective.

In December, the EU also adopted a mutual adequacy decision with South Korea, which today is home to arguably one of the most robust data protection frameworks in the world. Over the past two years the country has passed several major amendments to bring its data protection framework in line with global regulations.

It’s also stepping up enforcement. In August 2021, the country’s regulator issued Facebook and Netflix with significant fines for violating its Personal Information Protection Act (PIPA). Facebook was hit with a $6.1m fine for multiple infractions, including the collection of facial recognition data from 200,000 users without their consent. In November, Meta, Facebook’s parent company, announced it would shut down the platform’s global facial recognition system and delete data collected from 1 billion users amid ‘growing concerns’ over the technology and pending regulatory clarity on its use.

While most jurisdictions are looking to emulate the GDPR, Doil Son, Senior Vice-Chair of the IBA Technology Law Committee and a partner at Yulchon in Seoul, says foreign companies operating in Asia must be mindful that South Korea, China and many other countries in the region are increasingly adopting even more stringent data protection regimes. ‘Probably the biggest change is that many Asian countries, including China, are trying to raise the bar regarding data privacy,’ he says.

Further proposals to strengthen the investigative and sanctioning powers of South Korea’s data regulator have been put forward and are due to be revisited after the country’s general election on 9 March. These include increasing fines for privacy violations by up to three per cent of companies’ annual turnover – a move which Son worries could be disproportionate and ‘may trigger very unreasonable results’.

Brill points to evidence elsewhere of progressively more ‘robust’ laws in this space, from Brazil, which has adopted its first comprehensive data protection regulation, to India, which is poised to overhaul its data protection regime later in 2022.  

As governments globally grapple with how to strike the right balance between privacy rights and ease of doing business, Brill says these ‘global guardrails’ are critical to ensure tech companies can keep innovating responsibly.

It’s also clear that regulation will continue to be a work in progress, both in the US, which still lacks federal privacy legislation, and elsewhere. ‘We need to shift our mindset around how we maintain the regulatory infrastructure for technology,’ she says. ‘It shouldn’t be a “one and done” project. It should be maintained. It should be revisited. It needs to be reviewed. We need to get comfortable with iterating.’