We see three related trends that could converge to bring more enforcement action on data privacy compliance in Europe in 2021: resources, time, and the courts.
These three trends add up to more avenues for individuals to take action against data controllers. We predict an uptick in legal and regulatory action, by multiple means.
When the likelihood of anyone in a dataset being identifiable is sufficiently low, that data is taken out of the scope of laws such as the GDPR or CCPA. This can be a powerful tool for those wanting to safely innovate with data, but anonymization isn’t easy these days. Organizations struggle with knowing how low the risk of re-identification has to be before the data is removed from the scope of the law, and how this should be assessed.
In the European Union, regulators are under pressure to provide guidance from those who carry out research on anonymized data, such as health researchers. In the US, the CCPA introduced an equivalent to anonymization (called ‘de-identification’), but as yet there’s no guidance on how this is to be done or evaluated. With the CPRA potentially making de-identification more important as organizations face new restrictions on what they can do with personal information, expect to see increased demand for clarity in the United States too.
Anonymization is a tough topic, and we don’t expect everything to be clear by the end of 2021, but we do expect to see regulators and others consulting on the topic and working on new guidance.
* The image is a screenshot of DLA Piper’s data protection laws around the world map (taken January 15, 2021). You can review the latest data here: https://www.dlapiperdataprotection.com/