This past year brought significant privacy-related regulatory challenges to business operations. The pandemic situation and lockdown, the ever-rising number of data breaches, the invalidation of the EU-US Privacy Shield, and the challenges arising from the uncertainties of BREXIT have all tested compliance departments to the full.
The pandemic and the health emergency situation forced many companies to seek innovative solutions to maintain or to completely transform their business operations. Moving employees to home offices to work remotely, and keeping in contact with customers and clients, have changed the way businesses operate and significantly accelerated the expansion of e-commerce towards new business opportunities, customers, and product types. Indeed, the rapid move to a digital business and related digital transformation was a key driver or survival strategy for several companies, while disrupting the traditional legal and compliance work performed by multinational corporations. The shift away from physical to online operations has shown the importance of digital communication channels and platforms, online customer relationship management, and mobile applications. It has also brought challenges to those compliance departments inexperienced with digital transformation projects and the accompanying regulatory challenges, and with complex privacy-by-design, privacy-by-default, e-privacy, information security, information technology, and intellectual property-related challenges.
The dark side of the lockdown also led to an ever-increasing number of cyberattacks and data breaches that caught many compliance departments off-guard. Phishing campaigns, ransomware attacks, and direct cyberattacks resulted in major data breaches throughout Europe – and in Hungary as well. Preparation for data breaches paid off where tested data breach playbooks were available, and many compliance heads encountered such data breaches and business email compromise frauds for the first time.
Hungarian regulatory authorities continued their growing focus on digital operations. The Hungarian Competition Authority is currently investigating the role of data and data-based business models in e-commerce and the resulting effects on competition; the Hungarian National Bank has issued several new recommendations and guidelines on remote working, bank physical and logical security, and compliance defense lines; and the National Authority for Data Protection and Freedom of Information has continued to enforce the General Data Protection Regulation's provisions and imposed its largest-ever fine: approximately EUR 280,000 on a Hungarian telecommunication company for insufficient technical and organizational measures related to a data breach.
The second part of the year was influenced by EU-level developments involving international data transfers. The invalidation of the EU-US Privacy Shield and the limitations articulated by the Court of Justice of the European Union relating to the use of EU standard contractual clauses have forced companies to initiate the complex task of assessing third countries and identifying appropriate supplementary measures to secure international data transfer compliance. This required mapping international data transfers, replacing the EU-US Privacy Shield where necessary, and conducting transfer impact assessments by sending out questionnaires to business partners and obtaining feedback from them to document and assess the need for specific supplementary tools required for the data transfer. In that regard, the simple paperwork of entering into and signing EU standard contractual clauses has become more burdensome and difficult to manage considering the wide scope of transfers and outsourced business operations.
At the year’s end, the exit of the United Kingdom from the European Union also became reality. Several business operators have already taken steps to address the fact that the UK will be a third country in the future; however, given that the European Commission has not released an adequacy decision concerning the status of the United Kingdom post-BREXIT, this situation also caused compliance challenges to companies considering the need to conduct transfer impact assessments regarding UK operations. Finally, during the Christmas period, representatives of the UK and the EU struck a deal and recognized the UK as a safe country in the EU-UK Trade and Cooperation Agreement until July 1, 2021, and it is anticipated that the EU Commission will adopt an adequacy decision soon.
We expect that challenges relating to the COVID situation, digitalization, and the growth of e-commerce and privacy enforcement will continue and that more focus will be given to the use of monitoring technologies and tools.
By Adam Liber and Tamas Bereczki, Partners, Provaris