Data Protection – A year’s worth of challenges and threats

Author: Leigh Callaway

Leigh Callaway, Senior Associate, Fladgate LLP (

Gerald Brent, Trainee Solicitor, Fladgate LLP (


Leigh Callaway and Gerald Brent examine the major issues which have been cropping up continually over the past year.

GDPR and Brexit

Although the British government is adamant it will ensure the free flow of personal data between the UK and the EU upon Brexit, it is unclear whether or not the EU Commission will grant an adequacy decision rendering the UK, as a newly classified third country, as having met the EU’s data protection standards, thereby allowing the free flow of personal data there and back. There is in particular a risk that certain international transfers of data (between the UK and the EU and beyond) may be deemed unlawful according to the GDPR. The EU (Withdrawal) Act 2018 goes some way to mitigate any uncertainty which may be anticipated to arise, in particular by conferring upon the government regulation-making powers to transitionally recognise all EEA countries as adequate for data to be transferred to (from the UK), but the question for personal data-reliant UK businesses, of course, is whether or not such recognition will be reciprocated by the EU.

Record-breaking enforcement

The implementation of the new GDPR regime has conferred upon supervisory authorities and regulators across the EU the confidence to fine organisations to the maximum amount allowed by the law. This is what happened in respect of the Information Commissioner’s Office (ICO) in the UK, when it issued a fine for £500,000 (the maximum allowed under the old regime) against Facebook, in October, for serious breaches of the Data Protection Act 1998, specifically for giving access to users’ personal data to application developers without the users’ sufficiently clear and informed consent.

On the continent, the French data protection regulator fined Google EUR50m for failing to provide its users with transparent and understandable information, and for failing to obtain the “specific” and “unambiguous” consent of users for the collection of their data. Such misleading practices, as to what is being done with a user’s data by a global tech company, were also targeted in Italy, where Facebook was fined €10m for amongst other things misleading users at sign-up about the extent to which their personal data would be used for commercial purposes.

Lastly, in one of its first GDPR enforcements, the supervisory authority of Baden-Württemberg issued the first German GDPR penalty of €20,000 against a social media provider for violations of Article 32 (in the context of a cyber security breach/hack).

Hacks in the headlines

Between August and September last year, 380,000 of BA’s passengers’ financial data, including credit card details, were stolen from its systems (website and applications). In other news, the ICO fined Uber £385,000 for a historic data breach and hack affecting 3m British users which occurred in 2016. Uber failed to inform the ICO of the breach after it had happened, as is mandated by the GDPR’s rules.

The scale and magnitude of cyber security breaches and hacks are rising each year. In 2019, the legal, reputational and commercial consequences of suffering a cyber security breach may prove an existential threat for personal data-driven organisations.

Tussles between US and EU over Privacy Shield

The US and the EU have been at loggerheads over the landmark EU-US data sharing agreement concluded during the Obama administration. The agreement allows for over 3,350 EU and US companies to transfer freely personal data of EU and US citizens between the EU and the US. In particular, the EU Commission has been vexed by the Trump administration’s criticisms of the EU’s data protection regime. Wilbur Ross, US commerce secretary, had earlier last year criticised the GDPR for placing unfair and significant costs on small businesses.

There appears to be a widening gulf, however, between US tech firms and Washington, as Facebook and Apple have publically called on the US administration to adopt a federal-government driven national data protection regime. This is partly out of fear of the costs of navigating a fragmented/patchwork network of state regimes but also an acknowledgement that the EU is progressive leader in a field where it is widely-held that progress must be made.

The future and the ePrivacy Regulation

 Replacing the now outdated 2002 ePrivacy Directive is the ePrivacy Regulation, expected to be adopted this year thought unlikely to come into effect until 2020. The new Regulation will govern the use of electronic communications (e.g. emails and instant messages), the use of cookies as well as other tracking technologies. Importantly, it will also govern the use of email marketing. It will be supplemental to the GDPR and will therefore build upon the framework currently in place. Although the legal relationship the UK bears with the EU is not certain as yet, it seems likely that the ePrivacy Regulation will be adopted in some large measure by Parliament.

The scramble over GDPR compliance last year may find that a sequel is well on its way.

For GDPR-related legal updates, please visit Fladgate Privacy Updates

View by date:

View by author:

Would you like to hear more?