Leigh Callaway and Gerald Brent examine the major issues that have kept cropping up over the past year.
Although the British government is adamant that it will ensure the free flow of personal data between the UK and the EU after Brexit, it is unclear whether the EU Commission will grant an adequacy decision, that is, a finding that the UK, as a newly classified third country, meets the EU's data protection standards, which would allow personal data to flow freely in both directions. There is in particular a risk that certain international transfers of data (between the UK and the EU, and beyond) may be deemed unlawful under the GDPR. The EU (Withdrawal) Act 2018 goes some way towards mitigating the anticipated uncertainty, in particular by conferring on the government regulation-making powers to recognise, transitionally, all EEA countries as adequate destinations for data transferred from the UK. The question for UK businesses that rely on personal data, of course, is whether the EU will reciprocate that recognition.
The arrival of the GDPR regime has given supervisory authorities and regulators across the EU the confidence to fine organisations up to the maximum the law allows. The Information Commissioner's Office (ICO) in the UK did just that in October, when it issued a fine of £500,000 (the maximum permitted under the old regime) against Facebook for serious breaches of the Data Protection Act 1998, specifically for giving application developers access to users' personal data without the users' sufficiently clear and informed consent.
On the continent, the French data protection regulator fined Google €50m for failing to provide its users with transparent and understandable information, and for failing to obtain users' "specific" and "unambiguous" consent to the collection of their data. Misleading practices of this kind, concerning what a global tech company actually does with a user's data, were also targeted in Italy, where Facebook was fined €10m for, among other things, misleading users at sign-up about the extent to which their personal data would be used for commercial purposes.
Lastly, the supervisory authority of Baden-Württemberg issued the first German GDPR penalty, of €20,000, against a social media provider for violations of Article 32 (the security-of-processing obligation) following a cyber security breach.
Between August and September last year, the financial data of 380,000 BA passengers, including credit card details, was stolen from its systems (website and applications). Separately, the ICO fined Uber £385,000 for a historic data breach and hack affecting some 3m British users, which occurred in 2016. Uber failed to inform the ICO of the breach after it had happened; under the GDPR, now in force, notifying the supervisory authority of such a breach is mandatory, and must be done without undue delay and where feasible within 72 hours of becoming aware of it.
The scale of cyber security breaches and hacks is rising each year. In 2019, the legal, reputational and commercial consequences of suffering a breach may prove an existential threat for organisations whose business depends on personal data.
The US and the EU have been at loggerheads over the landmark EU-US data sharing agreement concluded during the Obama administration. The agreement allows over 3,350 EU and US companies to transfer the personal data of EU and US citizens freely between the EU and the US. The EU Commission has been particularly vexed by the Trump administration's criticisms of the EU's data protection regime: Wilbur Ross, the US commerce secretary, had earlier last year criticised the GDPR for imposing unfair and significant costs on small businesses.
There appears to be a widening gulf, however, between US tech firms and Washington, as Facebook and Apple have publicly called on the US administration to adopt a federal national data protection regime. This is partly out of fear of the cost of navigating a fragmented patchwork of state regimes, but also an acknowledgement that the EU is a progressive leader in a field where it is widely held that progress must be made.
Last year's scramble over GDPR compliance may well have a sequel on the way.