The shifting sands of the data protection landscape in 2020 and what it means for 2021
2020 was a challenging year. The global COVID-19 pandemic severely impacted governments, industries, and people’s private lives. Companies and individuals had to face new working conditions with restricted travel and remote working, while governments were challenged to find ways to battle the pandemic with infection predictions, contact tracing, lockdowns, and containment.
Companies had to prove flexible enough to adjust to rapidly changing requirements (and a changing environment) and to meet security and data protection challenges, e.g.: remote working options and conditions for employees; new online offers to reduce contacts; physical and organizational measures to protect employees, customers, and suppliers in office environments; and adjusting to legal obligations and requirements.
In addition, the year has been particularly eventful in the privacy world due to decisions and emerging trends which will show their effect or materialize even more in 2021.
Some of the topics addressed and discussed during the webinar were pandemic prevention measures (e.g., government access to carrier data); data localization and data sovereignty strategies of governments; the CJEU Schrems II ruling, what it means and how it may affect companies; social media’s approach towards content regulation; stricter enforcement of the GDPR rules by regulators; new privacy-related laws and regulations (Chinese Privacy Law, E-Privacy regulation); and the impact of new technologies like AI, 5G, Ad-tech, etc.
Technology: increasing the challenges but providing the solutions too
Ramsés, who is now International Chief Technology Officer with Micro Focus, where he defines the vision and mission, purpose and promise of the company in that arena, explained tokenization and digitalization amidst the ongoing pandemic. Tokenization is the process of turning a meaningful piece of data, such as an account number, into a random string of characters called a token that has no meaningful value if breached. Tokens serve as a reference to the original data but cannot be used to guess those values. Applied to data security, tokenization substitutes a sensitive data element with a non-sensitive equivalent, the token, that has no extrinsic or exploitable meaning or value.
He said that one of the biggest challenges for companies to look out for in 2021 is understanding where data lives in order to protect security and privacy. “We need to know where structural data goes back and forth,” said Ramsés.
He said, “Living in a cloud-generation era, we are increasingly dealing with the emergence of shadow IT or shadow data where content is backed up on multiple clouds, without the knowledge of data compliance departments. Corporates need to understand the dangers in this – legal departments cannot effectively protect what they don’t know exists! Only when corporates build an ecosystem that automates and orchestrates authentication, authorization and appropriate access can we hope to create a systematic and systemic solution to the issue of data protection.”
He concluded by saying that as we move from 2020 to 2021, organizations will need to transition from cyber security to cyber resiliency, where they build the capacity to anticipate threats, withstand and resist attacks, recover quickly, and evolve to the next stage.
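The tokenization described above, sketched as a vault-based scheme. This is an added example, not code from the webinar or from Micro Focus; the names `TokenVault` and `tokenize_record`, the `tok_` prefix, the role name and the sample record are hypothetical.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Vault-based tokenization: tokens are random; the vault holds the only mapping."""

    def __init__(self):
        # Key for the lookup index. Assumption: a real deployment keeps it in a KMS/HSM.
        self._index_key = secrets.token_bytes(32)
        self._by_token = {}  # token -> original value (the store that must be protected)
        self._by_index = {}  # HMAC(value) -> token, so a repeated value reuses its token

    def _index(self, value):
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).digest()

    def tokenize(self, value):
        idx = self._index(value)
        if idx in self._by_index:
            return self._by_index[idx]
        # The token comes from a CSPRNG, not from the value, so a leaked token
        # gives no way to compute or guess the original.
        token = "tok_" + secrets.token_hex(16)
        while token in self._by_token:  # collisions are negligible; handle them anyway
            token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = value
        self._by_index[idx] = token
        return token

    def detokenize(self, token, caller_roles):
        # Resolving the reference back to the data is a privileged operation.
        if "detokenize" not in caller_roles:
            raise PermissionError("caller is not allowed to detokenize")
        if token not in self._by_token:
            raise KeyError("unknown token")
        return self._by_token[token]


def tokenize_record(vault, record, sensitive_fields):
    """Return a copy of record with the sensitive fields replaced by tokens."""
    return {k: vault.tokenize(v) if k in sensitive_fields else v
            for k, v in record.items()}


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record, not real data.
    record = {"name": "A. Customer", "account_number": "4000123412341234"}
    safe = tokenize_record(vault, record, {"account_number"})
    print(safe)  # what downstream systems, logs and backups would hold
    print(vault.detokenize(safe["account_number"], {"detokenize"}))
```

Because the mapping exists only inside the vault, systems that store the tokenized record hold nothing exploitable, and access control concentrates on the vault and its detokenize path.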
Felix believes that the biggest thing for 2021 will be international data transfer. “It’s going to be so difficult to come up to a situation that is compliant as of this time,” he said. Felix heads the Technology and Outsourcing Law group as well as the Privacy and Information Law subgroup of Fieldfisher in Germany. He has vast experience in privacy law, having worked in this field for 20 years. With a strong focus on the strategic approach towards solutions in general and regulators specifically, Felix advises many US-based companies when they do business in Germany. Together with his team, he also acts as external Data Protection Officer for more than 100 companies. Moreover, Felix has specialized in IT-related legal issues such as software contracts and projects, network infrastructure deals and outsourcing projects. Felix worked in-house for AOL in Germany for 7 years and has a good understanding of the needs of US clients.
“There’s never a dull day in privacy! Take for example the Schrems II ruling that was announced in July last year – it poses one of the biggest challenges around international data transfers, outside the European Economic Area (EEA). As regulators themselves make sense of the evolving situation, MNCs that do not tread carefully will be liable for hefty fines. In fact, while COVID-19 actually slowed down enforcements, going forward I predict a lot of litigation in this space. Corporates will do well to co-operate with regulators as a common ground is reached rather than take a confrontational stance.”
He further touched upon issues such as data localization: even if data doesn’t leave the EU, the challenge of companies dealing with their subsidiaries in other countries still warrants attention. About Brexit, he mentioned that the final solution was still at least six months away, as the bridging-to-adequacy requirements were put to the test.
Meanwhile, Joerg mentioned that it is “the balance of security versus privacy” that is the biggest challenge. “Everyone wants to be in a secured world but on the other hand we all want the freedom. We don’t want the government to be looking out (on our privacy).” Joerg leads Huawei’s Data Protection Office. He has broad and deep experience in all aspects of Data Privacy / Data Protection, with 18 years of professional experience in the subject matter, including 16 years in a leadership role.
Summing up a to-do list for undertakings, Joerg added, “We may witness an increase in class action-style lawsuits in the personal data space in 2021-22 as aggravated parties view judicial remedy as a potentially faster way to get redress when their data rights are violated.
Businesses need to be transparent about the transfer locations of personal data and the types of data being transferred and take into account the legal requirements in the receiving jurisdiction. A return to “basics” is essential – records of processing activities (RoPa), privacy notices and cookies should always be up-to-date and compliant with governing laws. From a long-term sustainable point of view, organizations will need to adopt data minimization and privacy by design and default, and at all times ensure that business continuity management (BCM) plans are in place.”
At Huawei, everything is done to build a secure environment for customers, and this includes staying abreast of the latest data rulings and regulations, identifying and mapping transfers as per the governing transfer mechanisms, providing appropriate guidance and templates, continuous study, and evaluation of standard contractual clauses (SCCs) and advice on supplementary measures.
The webinar was broadcast live on Telecoms.com and moderated by Wei, who leads the Telecoms.com Intelligence function. His responsibilities include managing and producing premium content for Telecoms.com Intelligence, undertaking special projects, and supporting internal and external partners. Wei’s research and writing have followed the heartbeat of the telecoms industry. His recent long form publications cover topics ranging from 5G and beyond, edge computing, and digital transformation, to artificial intelligence, telco cloud, and 5G devices. Wei also regularly contributes to the Telecoms.com news site and other group titles when he puts on his technology journalist hat.