Now that more than a year has passed since the General Data Protection Regulation (GDPR) came into force, data protection lawyer Carolyn Bertin discusses the impact and gives an insight into what the future might hold for data privacy regulations.

Changing perspectives

Without a doubt, data protection is now recognised as a serious corporate risk worthy of board attention, and the call to action to evaluate compliance levels in the run-up to May 2018 (and ongoing) resulted in a huge increase in the number of personal data breaches (PDBs) reported to the UK Information Commissioner’s Office (ICO): 10,000 more than in the previous year. The fact that over 82% of those required no action, and only 0.5% resulted in an improvement plan or monetary penalty is evidence that organisations are over-reporting rather than risk a massive fine for disregarding the rules.

The press hype and the emails flooding inboxes, requesting consent for organisations to continue sending communications by electronic means, seem to have sparked the general public into looking further into their rights under GDPR and into exercising them. The EU Data Protection Board (EDPB) figures show that, over the past year, there were around 240,000 cases across the EU involving data protection complaints, PDBs, proactive investigations or similar issues. Class actions are also gaining traction.

GDPR has not gone unnoticed outside Europe, with Brazil, Japan and India all introducing privacy legislation aligned to GDPR, and California becoming the first US state to introduce a general data privacy law with the California Consumer Privacy Act, which emerged in 2018.

Starting to bite

The ICO recently issued its first two notices of intention to fine (NOI) under GDPR at record levels: £183 million for British Airways and £99.3 million for the Marriott hotel group. Before those, the fines under GDPR across the EU totalled around €56 million, with €50 million being made up by the French data regulator's (CNIL) fine against Google following its ruling that consent had not been freely given by users. This is an issue which has had a lot of attention over the past year, with claims still pending against Instagram, Facebook and WhatsApp in Belgium, Germany and Austria (respectively). The competition regulator in Germany also weighed in on this issue last year, ruling that Facebook abused its dominant position in the way it obtained consent.

By contrast, the two NOIs in the UK hinge on security. The ICO determined that BA had failed to adequately secure the data of its customers, resulting in over 500,000 passenger details being harvested by hackers, and it said that Marriott failed to do sufficient due diligence when it acquired Starwood (whose system was hacked in 2014 resulting in over 300 million guest records being stolen). The ICO concluded in both cases that the controllers should have done more to secure their IT systems.

BA and Marriott have both indicated they will lodge responses to the NOIs. If the fines are issued, both will likely appeal. The stakes are very high indeed as both are also facing class actions for follow-on damages.

Those will not be the first group actions to be heard in the UK. The Court of Appeal ruled in 2018 that the supermarket chain Morrisons was vicariously liable for the actions of one of its employees who unlawfully uploaded staff payroll data online. If Morrisons’ appeal to the Supreme Court fails, it faces paying out compensation to over 5,000 claimants.

The above is all proof that big fines and group litigation need to be factored into risk assessments and in negotiating liability apportionment in contracts.

The future

Rumour has it that the long-anticipated update to the Privacy and Electronic Communications Regulations (PECR) (now on its third draft) may never come into play.

PECR provides specific rules in relation to privacy and electronic communications (with consent being a requirement for many such communications) and in relation to the use of cookies. The GDPR standard for consent is that it is freely given, specific, informed and unambiguous for each purpose.

The ICO is clear in its new guidance: if cookies require consent under PECR (which they will unless they are essential to the delivery of the service requested by the user, or are used solely for the purpose of carrying out, or facilitating, a transmission over an electronic communications network), none of the alternative lawful bases from GDPR can be used to set them, and GDPR's standard of consent must be obtained from website users.

The GDPR standard for consent has become the norm for activities covered by PECR requiring consent, but organisations are still struggling to get it right. Expect more focus in the coming year.

Ad tech is also in the GDPR firing line. On four separate occasions in the past year, the CNIL has taken enforcement action against mobile-centric ad tech companies for lack of valid consent mechanisms, in particular in relation to the use of location data. The ICO has said that web and cross-device tracking for marketing is a regulatory priority for the coming year.

Under scrutiny is whether specific, informed consent can truly be given via cookie banners to the multiple purposes for which an Internet user's data is used, and to the sharing of that data with numerous parties. The alternative is legitimate interests, but the jury is out as to whether that works in this complex technological ecosystem.

It is also difficult to determine which players are processors and which controllers, and the role can shift depending on the purpose of processing at different times, making it challenging to define responsibilities and apportion liability.

Things could change for international data transfers over the next year thanks to the French digital rights activist group’s challenge to the EU-U.S. Privacy Shield Framework, and the ongoing threat to the validity of Standard Contractual Clauses pending resolution by the European Court of Justice (ECJ) of the case brought by Austrian activist Schrems in Ireland and passed by the Irish courts to the ECJ.

Binding Corporate Rules are proving to be a viable option only for larger groups of companies, and with no interest having been registered with the EDPB for codes of conduct and certification schemes under GDPR, data exporters could soon find themselves in a pickle.

There is a lot going on, and controllers and processors need to continually monitor compliance and keep a close eye on regulatory and industry developments.