Data Protection and Privacy in 2020: A Recap

I think we can all agree that 2020 was a terrible year, but there were many interesting developments for data protection and privacy. Here is a recap of 2020. 

The Court of Justice of the European Union (‘CJEU’) invalidated the U.S.-EU Privacy Shield (the so-called “Schrems II” case). Whilst this was not a particular surprise, its decision on the international data transfer mechanism of ‘Standard Contractual Clauses’ has created ripples of discontent. The onus has been placed on data controllers to evaluate whether or not there is the requisite level of data protection in the country to which they are transferring data. For my blog article click here.

Just a few months later the CJEU delivered a number of rulings concerning mass surveillance of electronic communications. National security was found to be within the remit of the e-Privacy Directive and the court reiterated its conclusions in Tele2/Watson. For my blog article click here.

It is impossible to think about this pandemic (for privacy practitioners in particular) and not consider the Covid-19 track and trace mobile phone applications. Globally, governments set up systems to trace individuals using their mobile phones on a scale never seen before. My blog article is here, and also see the Parliamentary Joint Committee on Human Rights report here. In the United Kingdom (U.K.) privacy campaigners are preparing a legal challenge to the NHS’s track and trace programme.[1]

Misinformation seemed to have reached its zenith during the pandemic with around 460 million views of health misinformation on Facebook in April 2020 alone. False information claiming that consuming highly concentrated alcohol disinfects the body of the virus is estimated to have led to the deaths of 800 people.[2] Facebook, and other social media platforms, are trying to combat the problem and are working with a coalition of governments to set cross-platform standards for tackling misinformation.[3] The U.K. government has confirmed that it will establish a new statutory duty of care to make online companies responsible for the safety of internet users and it will include the spread of misinformation. For the government response to the Online Harms White Paper click here.

In the U.S., the major technology companies have come under increasing pressure. In July, the Chief Executive Officers of Facebook, Google, Apple and Amazon were interviewed for more than six hours about their business practices by the U.S. House Judicial sub-committee on antitrust, commercial and administrative law. The sub-committee released its report in October after a 16-month investigation into the competitive practices of the companies.  It recommended structural separation and preventing platforms from making acquisitions in adjacent lines of business. To read the report click here.

The U.S. Department of Justice has filed a lawsuit against Google accusing it of anti-competitive practices.[4] This is the biggest anti-trust case in the U.S. since the lawsuit against Microsoft in the 1990s. The Federal Trade Commission and 48 U.S. attorneys-general have filed anti-trust charges against Facebook and are seeking to break up the social media giant. Facebook is accused of predatory practices and of achieving a monopoly position by purchasing platforms such as WhatsApp and Instagram.[5]

There were a number of data breach fines imposed by the ICO this year. Marriott International was fined £18.4 million for failing to keep millions of customers’ personal data secure. The ICO also fined British Airways £20 million for failing to have adequate security measures in place when it was subject to a cyberattack in 2018. The fines were significantly less than what the ICO had initially proposed.

There have been a number of actions started in the U.K. this year that are noteworthy. The Open Rights Group announced in November that it is starting legal proceedings against the ICO for failing to take action against the ‘AdTech’ industry, despite finding widespread unlawful practices in an investigation in 2019.[6] A legal claim against Oracle and Salesforce has been brought challenging the use of third-party AdTech tracking cookies.[7] This is a representative action, which could potentially include millions of individuals that have been tracked across the internet. The Supreme Court also granted Google permission to appeal the judgment of the Court of Appeal in Lloyd v Google LLC [2019] EWCA Civ 1599. This is another representative action seeking per capita compensation for the collection of browser-generated information. For my blog article about the case, click here.

Two interesting judgments in the U.K. this year were WM Morrison Supermarkets Plc v Various Claimants [2020] UKSC12 (employer liability for data breaches) and R(Bridges) v The Chief Constable of South Wales Police [2020] EWCA Civ 1058 (the use of live automated facial recognition technology). My blog articles on these cases are here and here.

Figures released by the Ministry of Justice in the summer indicate that the number of defamation cases issued in the U.K. has increased, with the number of claims in 2019 reaching the highest in a decade.[8] The case of Depp v News Group Newspapers [2020] EWHC 2911 (QB) dominated the newspaper headlines during the summer; the actor ultimately lost his case, with Mr Justice Nicol finding the statements made by his ex-wife to be true. The Supreme Court also clarified the application of the common law Reynold’s defence to section 4 of the Defamation Act 2013 in Serafin v Malkiewicz and others [2020] UKSC 23.

The High Court declined jurisdiction in the curious case of Wright v Granath [2020] EWHC 51 (QB), the Court of Appeal heard the case in October and judgment is still pending. Dr Craig Wright claims to be the elusive creator of bitcoin – Satoshi Nakamoto – and is trying to sue Magnus Granath for libel for tweeting that this is false. Earlier in the year Dr Wright lost his case in the Court of Appeal on jurisdiction against cryptocurrency investor Roger Ver, who had publicly expressed similar doubts.

After this challenging year let us hope for a better world in 2021. I shall be releasing a new podcast series next year called ‘The Data Optimist’ where I will be interviewing people about data and technology and how it is being used in ways that promote sustainable development and benefit society. It will be available on iTunes and Spotify. 


[2] ‘COVID-19 – Related Infodemic and Its Impact on Public Health: A Global Social Media Analysis’, The American Journal of Tropical Medicine and Hygiene, Volume 103, Issue 4, 7 October 2020.


[4] Available here: