For data privacy compliance, here’s what we expect in 2021.

Expect an uptick in enforcement action in Europe, not just by regulators

Marcus Grazette, Europe Policy Lead

We see three related trends that could converge to mean more enforcement action when it comes to data privacy compliance in Europe in 2021: resources, time, and the courts.

  1. Resources. The European Commission estimated that regulators across the EU will have, on average, 62% more staff and 64% higher budgets in 2020 than in 2016. The averages mask huge leaps in some places, for example, a 260% budget increase for the Irish Data Protection Authority. But money isn’t everything; the Dutch regulator claims that they would need triple their current budget to effectively enforce GDPR.
  2. Time. The scale and complexity of data use means that enforcement action takes time. The ICO described its three year investigation into Cambridge Analytica’s use of Facebook data as the largest it had ever undertaken. COVID-19 put other big investigations (such as analysing data use in adtech) on hold, but in time we anticipate that we will see outcomes delivered on those investigations.
  3. Courts. Individuals are increasingly turning to the courts for redress. The UK Supreme Court’s ruling (anticipated in 2021) in the Lloyd v Google case will set the tone. More claims may follow. The UK’s Department for Culture, Media and Sport (DCMS) is reviewing legal provisions for group actions led by non-governmental organizations (NGOs), which could facilitate ‘class action’ style lawsuits in the UK

These three trends add up to more avenues for individuals to take action against data controllers. We predict an uptick in legal and regulatory action, by multiple means.

Regulators will take steps to clarify what it means to anonymize data

Guy Cohen, Head of Policy

When the likelihood of anyone in a dataset being identifiable is sufficiently low, that data is taken out of the scope of laws such as the GDPR or CCPA. This can be a powerful tool for those wanting to safely innovate with data, but anonymization isn’t easy these days. Organizations struggle with knowing how low the risk of re-identification has to be before the data is removed from the scope of the law, and how this should be assessed.

In the European Union, regulators are under pressure for guidance from those who carry out research on anonymized data,  such as health researchers. In the US, the CCPA introduced an equivalent to anonymization (called ‘de-identification’), but as yet there’s no guidance on how this is to be done or evaluated. With the CPRA potentially making de-identification more important as organizations face new restrictions on what they can do with personal information, expect to see increased demand for clarity in the United States too.

Anonymization is a tough topic, and we don’t expect everything to be clear by the end of 2021, but we do expect to see regulators and others consulting on the topic and working on new guidance.

Want to learn more about data privacy compliance and data de-identification? Read Data Privacy 101: Guide to De-Identification


* The image is a screenshot for DLA Piper’s data protection laws around the world map (taken January 15, 2021). You can review the latest data here: