What can we expect from data protection in the year ahead?

Camilla Winlo, Head of Data Privacy at Gemserv

The past year has been a turbulent one for cybersecurity, with a number of high-profile breaches hitting the headlines. The pandemic has of course played a central role in conversations around data privacy, while entire industries have been accused of data handling malpractice. So, what are the stories we can expect to see shaping the agenda in 2022?

Here are four developments we expect to see in the year ahead:

  • Polarisation around Covid vaccination data will increase

While there are early indications that the combination of vaccination, immunity from previous infection and the evolution of the virus may cause less significant symptoms in most, it still appears that Covid is capable of making unvaccinated and immunocompromised individuals very ill. In winter, this puts huge pressure on the NHS and the public purse, and we expect this to translate over time into increased pressure to encourage the unvaccinated to get vaccinated, and for society to impose different rules on the unvaccinated. We started to see this in 2021 and expect it to continue into 2022.

With different quarantine rules for vaccinated and unvaccinated employees and the possibility of compulsory vaccination on the horizon, more and more organisations are going to find themselves processing Covid vaccination data. Quarantine measures are set to continue to help stop the spread of the virus, which in turn, will mean that organisations will still need to incorporate a hybrid approach to work. Some employees will test positive for Covid and therefore will not be allowed to leave their homes, but they won’t have symptoms that would otherwise stop them from working. Others may have come into close contact with a positive case and will also need to isolate. All of this will have an impact on employers.

Going into 2022, we expect tensions between pro- and anti-vaxxers to rise. This is unlikely to be mitigated much by the amount of real-world vaccine safety data that is available, which is what a lot of vax-hesitant people say they are waiting for. That is due to the polarisation of information availability and the fact that, in some cases, vax hesitancy will be rooted in genuine and founded concerns, for example where individuals have health conditions that make taking the vaccine a more personally risky choice. That makes Covid status an employee safeguarding issue due to the risk of discrimination between employees. There will also be companies that want – or are compelled – to terminate unvaxxed employees, as well as some that will do the reverse. We can expect to see these decisions appealed as the ‘grey area’ around what counts as a medical exemption is clarified.

  • Tighter regulations around ad tech

The European Data Protection Board (EDPB) published its 2021-2023 strategy in December, and part of that strategy includes more proactive monitoring of ad tech. Ad tech is under huge pressure to tighten up its data protection practices after the Irish Council for Civil Liberties sued a branch of the Interactive Advertising Bureau (IAB) and others over what it described as “the world’s largest data breach” in 2021.

IAB found itself under fire for its role facilitating a process known as real-time bidding, where personal data is passed between hundreds of ad brokers and related firms during an auction process in the moments before a website loads, on behalf of paying brands. During the milliseconds between clicking on a page and it loading, everything from the type of device an individual is using to limited location data and browsing history can be shared with brokers to better target that person.

The breach spurred numerous complaints from the likes of none of your business (noyb), the European centre for digital rights, and various court cases after finding that the ad tech industry is fundamentally unlawful because of the way it is structured. Better regulation around ad tech needs to be put into place not just for the advertisers themselves, but for online retailers, too. It’s going to be incredibly important for the economy as a whole that the ad tech industry gets this right, but there is a lot of work to do to get there.

  • Regulatory action around Artificial Intelligence (AI) will ramp up

While the European Data Protection Board (EDPB) strategy highlights the need for more proactive monitoring of AI use, the UK National Data Strategy focuses on making sure AI works and that the UK is a leader. Data privacy must be a priority or the result will be poor quality solutions that don’t work as intended. AI-specific regulations are set to be enforced and I think we’ll see some interesting actions.

After facial recognition company Clearview AI was issued a Notice of Intent to fine following a number of breaches of national data protection law, conversations around the practices of ethical data collection and analysis have come to the forefront of public attention. It’s essential that organisations that want to harness the possibilities of AI and data-driven innovation in the UK do so in a way that protects individuals.

Organisations should be entitled to trust that providers like Clearview AI are engaging in ethical practices and that their services can be used lawfully. It’s very reassuring to see the regulator taking strong action to make AI innovators trustworthy. Whether it’s fighting crime, preventing fraud or other forms of safeguarding through data, when the public and private sector combine, they must ensure the right processes are put in place in order to comply with data protection regulation.

  • Privacy Shield 2: A new basis for sharing data between the EU and the US

The Privacy Shield framework was the second attempt by the EU and the US to create a secure mechanism for data sharing. It was thrown out in court after judges deemed the framework insufficient to provide adequate safeguards for the transfer of personal data from the EU to the US, and the EU and the US have been working ever since to replace it.

The exchange is a one-way deal – there are cultural differences between the EU and the US that mean that personal data in the EU is protected in different ways to personal data in the US. The purpose of Privacy Shield is to provide a way to allow EU data to be processed by US companies without losing those protections. I expect we will see some major announcements coming next year, which will include technological changes by Big Tech household names, and that in turn will lead to work for UK and EU businesses.

Regulations are indispensable to the proper functioning of economies and societies, and to protect those structures, we need to implement the right data protection measures. Having the right data protection regulations in place is critical to ensuring the proper functioning of organisations, and for ensuring that both customer and employee data is handled correctly. As businesses and governments continue to generate more data than ever, we need to take regulatory action to create secure, ethical data storage and sharing practices.
