The General Data Protection Regulation (“GDPR”) entered force with much fanfare on 25 May 2018.
In the lead-up to the new regulation, many had noted its provisions for eye-watering fines of up to €20 million or 4% of global Group turnover, whichever is higher. Data protection, it was said, would progress from being the preserve of geeks in the IT department to a major Board issue.
This conviction was strengthened by fears on the part of many commentators about the rise of “Big Data” and its scope both for intrusion into the personal lives of individuals and for manipulation of the political process, a fear seemingly confirmed by the Cambridge Analytica scandal.
Since then, in the UK at least, it would probably be true to say that the reality has failed to live up to the hype, and nearly a year after the entry into force of the GDPR the Office of the Information Commissioner (“ICO”) has yet to impose a major fine on any company or organisation for a breach of the regulation.
There may be three main reasons for this.
First, the GDPR does not have retrospective effect: in other words, it only applies to activities carried out after it came into force on 25 May 2018.
This leads to the second point, which is that, to ensure that the legal rights of organisations are respected, investigations under data protection law take time to complete. The decisions issued by the ICO to date have in the main related to conduct that took place before 25 May 2018. Such conduct was covered by the previous regime of the Data Protection Act 1998, under which the maximum fine that could be imposed was £500,000.
The third reason for the lack of a really eye-catching fine so far may be that (somewhat embarrassingly) a significant proportion of reported data protection breaches in the UK are carried out by public sector bodies such as local authorities, hospitals and the police. In these days of austerity, it would not be surprising if the ICO was reluctant to increase the financial strain on public bodies by imposing significant fines on them.
However, there are no grounds for complacency because it is clear that major fines will be imposed in appropriate circumstances.
For confirmation of this, one need only look across the Channel where the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (“CNIL”), imposed a fine of €50 million under the GDPR on Google in January this year. That fine related to the use allegedly made by Google of user personal data for advertising purposes without adequate consents having been obtained and mirrors similar concerns that arose in the case of Facebook in 2018.
This is a truly eye-catching amount and very likely to be the shape of things to come. Organisations should therefore continue to prioritise data protection compliance.
Finally, a word on Brexit.
Some might have hoped that, since the GDPR is EU law, we can forget about it in a post-Brexit world. Any such hopes would be misplaced, for two reasons.
First, the GDPR applies to organisations, whether or not located in the EU, which process personal data relating to individuals in the EU for the purposes of selling goods or services to them or monitoring their behaviour. Any organisation with customers or potential customers in the EU would therefore need to continue to comply with the GDPR in relation to those customers.
Secondly, under section 3 of the European Union (Withdrawal) Act 2018, the GDPR will be incorporated into UK law when the UK leaves the EU, subject to some alterations introduced by the Data Protection Act 2018. This is to ensure that, post-Brexit, the UK will be seen by EU data protection regulators as having a compatible system of data protection law, which will in turn allow the frictionless transfer of personal data from the EU to the UK to continue, a vital consideration for business.
All in all, therefore, it is clear that data protection issues are likely to be on the agenda for many years to come.