St Philips Regulatory Group Member Jane Sarginson has advised private and public sector organisations as to their obligations under GDPR and has first hand experience of helping businesses implement strategies to ensure compliance with data protection legislation. She has been instructed in proceedings involving the Information Commissioner. Here, on the second anniversary of the Regulation, she reflects on where we are now.
With the advances in technology and increase in the use of personal data by both small and large organisations, GDPR was introduced in 2018, as a regulation to protect the rights and freedoms of the individual, ensuring standardisation across Europe. How successful has it been to date?
GDPR was first published in 2016, allowing organisations a two-year period in which to prepare for a change in the law. With the aid of the media, initially fixating on the colossal maximum fines for breaches, and more latterly on vast data breaches of international firms, the GDPR message sounded loud and clear to many Boards of Directors. Some organisations made great efforts to ensure compliance, others less so. Some of course have made no effort at all.
Pre 2016, few members of the public had heard of the right of access allowing an individual the ability to make a Subject Access Request (SAR). With the advent of GDPR, this awareness has increased, not leading to the avalanche of requests as predicted by the doomsayers, but nonetheless, an increase all the same, requiring organisations to put processes in place to deal with them.
Across the globe, other countries are beginning to look again at data protection and looking towards GDPR to see how it has been implemented. Large tech companies have previously had a free reign over their use of our personal data, but perhaps this is slowly changing.
Although the intention of the European Union was to produce a standardised Regulation applicable right across Europe, the provision of derogations within the Regulation, regarding for instance, the age of consent, special categories, employment data and supervision, together with the enactment of the DPA 2018 in the UK, which sets out numerous exemptions, the reality is that there are substantial differences in the application of GDPR across member countries
There is little point in implementing an essential but onerous regulation with the threat of enormous fines when little if anything is done in the face of the most obvious breaches. The approach to the big tech companies is a case in point. The biggest issue facing the GDPR, is delay. Almost two years on and there has been relatively little enforcement action taken against the big tech companies. Whether this is due to the underfunding of Data Protection Authorities (DPA’s) or whether the DPA’s are struggling with implementation of the new regulation, or may be it’s just the complexity of the breach itself, the delay in enforcement against the big tech companies is regrettable.
However, things are slowly changing. DPA’s are beginning to stretch their muscles and are starting to impose some hefty fines on large organisations. In January 2019, the French DPA imposed a fine of 57 million Euros on Google, in January 2020 Italy imposed fines of 27.8 million Euros on TIM, a telecom business, and Germany imposed fines of 14.5 million Euros on Deutsche Wohnen in October 2019 and 9.95 million Euros on 1&1 Telecom GmbH in December 2019.
Many of the big tech companies have chosen Ireland as the country for their European headquarters. Bearing in mind the numerous complaints lodged against the likes of Google, Apple, WhatsApp and Twitter, the lack of enforcement there is particularly worrying as the behaviour of these companies affect nearly all of us. The Irish DPA is in the process of investigating in excess of 20 investigations, two of which concern Facebook, WhatsApp and Twitter. In these latter two investigations, the DPA has reached the consultation stage, this being a process through which the Irish DP Commissioner consults with fellow EU Data Protection regulators across the EU before imposing the relevant fine. The consultation stage has been a long time coming, delays having been caused by those investigated, challenging the disclosure of potentially commercially sensitive and confidential information to other countries. As of the 22nd May 2020 those issues seem to have been resolved and we await news of the results of the investigations in the next few weeks.
As far as the UK is concerned however, there has been little meaningful enforcement against major companies. The first GDPR fine was imposed in December 2019, against Doorstep Dispensaree Ltd, an online pharmacy who were fined £275,000 for a breach involving sensitive personal data. The highly publicised investigations concerning BA and the Marriott in which notices of intent were served, indicating fines of £183million and £99m respectively are still outstanding. No final decision had been made on the fine itself. Bearing in mind the effect of the COVID 19 pandemic on both the airline and travel business it would be remarkable if those fines were not reduced to reflect their current financial situation.
However, it’s early days for GDPR – DPA’s are still finding their way – particularly when dealing with multinational companies who often have far greater budgets with which to deal with the issues being investigated.
The intention of the EU was to ensure that there was consistency in enforcement across Europe. It’s too early to say whether this will be achieved, but with the DPA’s duty to consult other DPA’s in cross border investigations, the guidance provided by the EDPB and decisions made by the European Courts of Justice and European Court on Human Rights, a degree of uniformity and harmonisation is very likely to be achieved at least when dealing with multinational organisations involved in cross border issues. There is less certainty over solely national breaches, if for no other reason the derogations each Member State has taken advantage of and exemptions imposed in law.
The delays we have seen to date in dealing with these major breaches creates a risk of its own, in that organisations may become complacent as regards compliance. Why bother to go to the expense of compliance when there is little risk of any breach being enforced. The position has been exacerbated by the COIVD 19 pandemic leading the ICO to declare that is would be pausing some of its investigations, a stance they later clarified, saying that this only affected about 10% of their workload.
Businesses dislike uncertainty. Most organisations are risk averse, and as a result, many have audited their data privacy processes and imposed policies and procedures, the effects of which will be felt for a period of time to come. Whether or not the DPA’s enforce the regulation, individuals will always have the option, either singly or collectively, to take action in the Courts, either against the DPA or against the Controller or Processor, provided they can establish material or non-material loss. Overall, therefore, the effect of the delays, at least for the time being, is likely to be minimal.
Technology is advancing at pace. With the roll out of 5G, developments in robotics and AI, and the ever-increasing growth of the big Ad-Tech organisations, society itself need national DPA’s to act assertively, and to investigate and enforce the regulations in a timely fair and consistent manner. The sooner the ICO gets back to business the better.
Written by Alan Durham