We have cause to fear

The pandemic has concentrated data – and hence, power – in the hands of the world’s major tech companies. As we work, socialise and shop almost exclusively online, their information about us and our relationships has become much more comprehensive. This opens up even greater opportunities for commercial exploitation, a fact reflected in stock market valuations for the main tech players which have doubled in the past twelve months. The dual centres of gravity of the digital world – the US and China – have a achieved a kind of gravity singularity – like a black hole – making it ever harder for any data to escape their reach.

Blurred lines between work and private life

The pandemic has also blurred the boundaries between work and private life. Employers acting out of concern for staff wellbeing are accumulating sensitive data about entire households and communities; those concerned about productivity and engagement are also collecting far more detail about their employees’ every action than anyone would have accepted in the physical workplace. Governments, above all, have acquired intrusive surveillance powers in the name of public health beyond anything dreamt of by even the strongest pre-2020 advocates of interventionism.

Friction in cross-border data flows

The political situation – from a data privacy perspective – has become more complicated. The US lost its adequacy in July of 2020; the UK has yet to gain adequacy following its final exit from the EU in the dying hours of the same year. Just as the pandemic has seen physical borders restrict passage or close entirely, we see increasing friction in cross-border data flows and both real mistrust and the use of data flows as a political tool.

Strong signs of a new era

Yet we also have reason to hope. Regulators and politicians are taking the risk of monopolistic over-reach by the major tech companies very seriously – not just in Europe, where this has been a focus of activity since long before 2020, but also in the US, where the new administration is already on record supporting moves to increase accountability and even, potentially, break up the largest of the tech giants.

The same regulators, at least in Europe, have shown real appetite for enforcement of all of the principles of the GDPR, after a long period where data privacy regulation seemed concerned only with breaches of confidentiality. We have seen fines for over-collection, over-retention, lack of transparency and lack of DPO independence to take just four examples. We’ve seen a heartening new level of attention to employee privacy and employer education, and we’ve had the first tentative steps towards codes of conduct and certification schemes. We have also, thankfully but as yet only spottily, seen regulators holding governments to account for their use of data.

The new US administration has – on the basis of Biden and Harris’s histories, campaign statements and immediate actions after inauguration – a much stronger commitment to privacy and to international data flows than we’ve seen before. 2021 could see a federal privacy law, restrictions on the mass surveillance programmes that led to the loss of US adequacy, and perhaps therefore a reinstatement of at least the partial adequacy the US enjoyed under Privacy Shield. Countries across the globe are introducing privacy laws – including even China – and many of those share a basis in principles with the GDPR.

Above all we are seeing individual data subjects – long complacent about their privacy and their right to data protection – expressing greater interest and greater activism in support of rebalancing the control of their data. Our own research as part of the Privacy Made Positive programme has shown us how strongly consumers and employees value that privacy, and the global reaction to Facebook’s proposal to force WhatsApp users to share their data with the wider group – which saw 8.8m people defect to the competing privacy-protecting Signal messaging app in a single week – was a salutary reminder to us all that privacy is much more than just a theoretical legal right.