• news-banner

    Expert Insights

Privacy in the time of a Pandemic

While many have pressed pause on ‘business as usual’ as a result of Covid-19, the importance of privacy and compliance with data protection law has found itself in the spotlight.  Regulators over the past five months have shown that the integrity of data protection is more important than ever in a time where businesses and services have moved online and data is at the forefront of communication, connection and the government’s test and trace.  In this article we set out the recent developments in data protection law and how they have impacted businesses during this Covid-19 pandemic.

Collecting information

Restaurants and pubs have reopened and been asked by the UK government to support the NHS Test and Trace response by collecting contact details of their customers.  As a result, businesses which may not previously have collected personal data must now comply with the applicable data protection laws in order to comply with the Test and Trace. 

As offices reopen businesses are implementing measure to keep their workers safe including following government guidance on returning to work.  Safety measures may include tracking who is in the office and when, routine temperature checks and/or surveys on symptoms, all of which include the collection of employee or visitor personal data.

This increase in the collection and processing of personal data must be done in compliance with applicable data protection law.  Businesses must consider their lawful basis for processing the personal data and consider whether their collection of such personal data is necessary and proportionate for the purpose of protecting customers, employees and/or visitors against the Covid-19 virus.  In addition, the personal data collected should only be processed for as long as is necessary for the purpose for which it was collected and must be stored security.

Schrems II – International data transfers

On 16th July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield as a mechanism by which to transfer personal data from the EU to the United States.  Businesses can take some comfort as the judgement did state that the Standard Contractual Clauses (“SCCs”) remain valid, although it reinforced the obligation on businesses to verify the level of data protection offered by the importer prior to implementing the SCCs.  For further background on this case, please see here.   

This judgment reinforces the European Commission’s view that the protection of personal data is paramount and that the high standards of protection set by the GDPR should not be compromised.  As such, all businesses relying on the Privacy Shield to transfer personal data to the US should review their data flows and consider what alternative transfer mechanisms are required. 

Age Appropriate Design Code

The Information Commissioner’s Officer’s Age Appropriate Design Code (the “Code”) will come into force on 2nd September 2020 with a 12 month transition period.  The purpose of the Code is to ensure that online service providers implement appropriate safeguards to protect children’s personal data.  The Code introduces 15 standards, which the UK government’s explanatory memorandum has stated are not technical standards but are ‘a set of technology-neutral design principles and practical privacy features’ to put the protection of children’s personal data as a ‘default setting’.

The Code further entrenches the principles of ‘privacy by design’ implemented by the GDPR and the Data Protection Act 2018.  Any business providing online products or services that process personal data and are likely to be accessed by children must implement the strict requirements of the Code in order to comply. 

Cyber Security

Interpol released a report on 4th August 2020 showing the increase in cyberattacks during Covid-19 and a shift in focus of cyber criminals from individuals and small businesses to major corporations, governments and critical infrastructure.   The report found that cybercriminals are targeting their attacks in order to exploit the uncertainty caused by Covid-19 at a time of increased online dependency.  The exploitation of Covid-19 in online scams and phishing attempts has seen cybercriminals entice victims into providing their personal data by impersonating government and health authorities. 

Businesses need to be aware of this increased risk and should take this opportunity to ensure their cyber defences are up to date.  This is particularly important considering the obligation to protect personal data from any unauthorised access under data protection law alongside businesses’ possible increase in processing of personal data, including sensitive personal data, in connection with measures implemented by businesses during Covid-19.


While the Schrems II judgement and the Age Appropriate Design Code have been in the pipeline for a number of years, their impact on them being handed down and implemented during Covid-19 cannot be underestimated.  Both the judgment and the Code show a momentum towards, and a re-enforcement of, the high standards of privacy required to comply with the GDPR and Data Protection Act 2018.  This reiteration of the primacy of data protection has come at a time where businesses have gone online, the collection of personal data has increased and the risk of cybercrime is on the rise.  As such, businesses should review their internal practices and ensuring that they are compliant with data protection law as it is evolving in the context of our new working world. 

Our thinking

  • IBA Annual Conference 2023

    Charlotte Ford


  • Mental Health Management

    Nick Hurley


  • Charles Russell Speechlys expands presence in Greater China with the arrival of Litigation and Dispute Resolution Partner Stephen Chan

    Stephen Chan


  • Family and Employment law assistance in legal advice deserts

    Sarah Farrelly


  • Property Patter: the latest on the Building Safety Act

    Richard Flenley


  • James Souter writes for City AM on Meta pulling out of its London office

    James Souter

    In the Press

  • Charles Russell Speechlys advises Puma Private Equity on its £3.5 million investment into TravelLocal

    David Coates


  • The Evening Standard quotes Rose Carey on the increase in visa fees

    Rose Carey

    In the Press

  • Charles Russell Speechlys advises Zenzero’s management team on its majority acquisition by Macquarie Capital

    Mark Howard


  • David Savage writes for Construction News on the upcoming building-control overhaul

    David Savage

    In the Press

  • Updates and points to note in relation to buy-to-let residential properties

    Twiggy Ho


  • Felicity Chapman writes for Insider Media on alternatives to court for divorcing business owners

    Felicity Chapman

    In the Press

  • Investment Week quotes Julia Cox on the proposed scrapping of inheritance tax

    Julia Cox

    In the Press

  • Charles Russell Speechlys expands commercial offering with the appointment of Rebecca Steer

    Rebecca Steer


  • The Times quotes Gareth Mills on the CMA’s preliminary approval of the Activision Blizzard-Microsoft deal

    Gareth Mills

    In the Press

  • Heritage property and conditional exemption

    Sarah Wray


  • Property Week quotes Cara Imbrailo on Rishi Sunak scrapping MEES requirements for residential landlords

    Cara Imbrailo

    In the Press

  • The Financial Times quotes Emma Humphreys on UK rental costs

    Emma Humphreys

    In the Press

  • City AM quotes Gareth Mills on the CMA’s new set of principles for regulating AI

    Gareth Mills

    In the Press

  • Hamish Perry and Mike Barrington write for The Evening Standard on whether a merger between the CBI and Make UK can work

    Hamish Perry

    In the Press

Back to top