At the end of today, it will be one year since the General Data Protection Regulation (GDPR) came into effect. In this article, Ryan Dunleavy and Ian Gatt QC consider the global impact of the new regulation so far.
In the run-up to its introduction on 25 May 2018, everyone was buried in the microscopic details of trying to become GDPR compliant. Much of the focus was on the fact that non-compliance could mean monetary penalties of up to €20m or 4% of total annual worldwide turnover in the preceding financial year, whichever was higher. As a result, little thought seemed to be given to how exactly the GDPR would reshape the data privacy regime on a global and macro level.
It soon became clear after 25 May 2018 that the UK’s data protection authority, the Information Commissioner’s Office (ICO), was keen to send a message that it would exercise the GDPR’s extraterritorial scope under Article 3 of the Regulation. This states that the GDPR can apply to controllers and processors not established in the EU, where there are certain processing activities related to data subjects who are in the EU. The ICO relied on Article 3 in July 2018 when it issued its first enforcement notice, to Canadian company AggregateIQ Data Services Limited. Such action indicated that the reach of the GDPR was going to be global as far as data protection authorities were concerned rather than contained within the EU.
There have also been rising levels of fines by data protection authorities in the first year of the GDPR. These have jolted the corporate world, particularly entities operating in the technology sector. This shows that companies that forced through GDPR compliance in a panic by 25 May 2018 were right to do so, although no one knew what level of fines would be imposed until they happened. Pre-GDPR data protection fines had been low, and some thought that trend would continue.
In the UK, the maximum fine the ICO could issue before the GDPR took effect was a relatively modest £500,000 and the financial penalties imposed rarely came anywhere near that amount. As fines under the GDPR could be so much higher than under the former regime, there was uncertainty before 25 May 2018 whether the amounts would creep up or leap up. Within a short space of time, it became clear that it would be the latter. A record financial penalty was the €50m fine imposed in January 2019 by the French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), against Google for breaches of the GDPR.
One aspect of the new GDPR regime that has not yet been properly addressed in its first year is how much compensation should be awarded under the new data privacy regime. As with the level of fines, before the GDPR came into force compensation for individuals who had suffered a data breach was not usually very high. As such, data protection claims were often a bolt-on to other claims in the courts for breaches of confidence, defamation or for misuse of private information.
We have yet to see enormous damages awards in the civil courts for individuals who have suffered from data privacy breaches. We expect, though, that the amounts of compensation paid out to victims of data breaches under the GDPR will gradually increase, as they have in misuse of private information claims. This is a fairly recent but now distinct legal cause of action that grew out of breach of confidence cases and Article 8 of the European Convention on Human Rights. (Article 8 protects a person’s right to respect for their private and family life, their home and their correspondence.) Damages awarded by the courts for those claims did not breach the £5,000 mark until Max Mosley was awarded £60,000 for his claim against the News of the World in 2008, after which the amount of damages became markedly more substantial. For instance, last year Sir Cliff Richard was awarded £210,000 in damages for his privacy case against the BBC.
While out-of-court settlements of data privacy compensation claims and awards by the courts are likely to increase under the GDPR data privacy regime, there is still a likelihood that for a while at least, individuals will consider bringing claims combined in large-scale group litigation actions where data privacy is one element of a larger case. This has been a tactic that has worked in the past, for instance in the long-running court action against various construction companies where 1,200 blacklisted workers secured £35m in compensation between May 2016 and May 2019 for breaches of the Data Protection Act 1998, breaches of confidence, breaches of defamation law, for misuse of private information and loss of earnings. Eventually, however, compensation amounts for data privacy claims are likely to reach a level at which stand-alone single claimant claims in the civil courts will become viable, in a similar way to misuse of private information claims.
A final point to note about the GDPR regime is that it may well have enthused non-EU countries to put a new emphasis on their own data privacy regimes. In many instances, non-EU companies are likely to need to be GDPR complaint anyway. Data privacy seems to be a new buzz phrase across the world, and the US appears to be focusing heavily upon it, particularly following the 2018 Facebook/Cambridge Analytica data scandal.
Facebook is said to be expecting a fine of up to $5bn from the US Federal Trade Commission (FTC), which Facebook has said is “in connection with the inquiry of the FTC into [Facebook’s] platform and user data practices”. It is difficult to know if there would have been as much enthusiasm for such large fines for data privacy issues in the US without the GDPR having first shown the way in the EU and beyond. Everything may be said to be bigger in the US, but to date the largest penalty that the FTC has imposed for a privacy breach by a technology company was a $22.5m fine against Google in 2012, a sum eclipsed by CNIL’s €50m fine against Google this year.
In short, the implementation of the GDPR on 25 May 2018 appears to be the most significant milestone so far in what looks set to be a global shift in how data privacy is to be dealt with in the digital age. We can expect increasing amounts of fines, compensation, litigation, and headlines, not to mention more regulation and legislation to protect data privacy. This will include the EU’s much delayed proposed ePrivacy Regulation, which in March 2019 the European Data Protection Board pressed EU legislators to adopt.
The ePrivacy Regulation will probably not be introduced for a year or two. When it is, it will affect all electronic communications service providers, including WhatsApp, Facebook Messenger, Skype, and Gmail. Its intention is to enhance the security and confidentiality of electronic communications, to clarify electronic direct marketing rules (eg, with regard to email and text messages), to clarify rules on metadata, to define clearer rules on tracking technologies, such as cookies, and to achieve more harmonisation of e-privacy across different countries. Like with the GDPR, infringers of the ePrivacy Regulation will also be subject to fines up to €20m, or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.
The story, therefore, has just started in relation to data privacy and the global digital market.