It is now just over a year and a half since the GDPR entered into force. The flood of ‘we would like to keep in touch’ emails, asking us to re-subscribe to marketing mailing lists that might not have followed best data protection practice in the past, has come to an end. This does not mean that organisations have all sorted out their compliance issues. Some have made progress, but for many others, once the initial rush of publicity wore off, there has been little progress on auditing and validating their procedures to ensure that they were properly following the law.
This has led to some strange stories, such as the Dutch supermarket chain which encouraged its employees to provide photographs of themselves in underwear or tight-fitting clothes so that they could be provided with uniforms, but dropped the idea when the Dutch Data Protection Authority called the idea ‘bizarre’. Significant breaches continue to occur. Licence plate images from Tesco’s car parks across the UK were discovered online in a database with no access control. The European Parliament itself has been sanctioned by the European Data Protection Supervisor for processing voter data beyond legal limits. Other activities may be legal, but nonetheless raise questions that merit serious consideration, such as Mercedes-Benz placing trackers in vehicles that it sells, and in some cases, passing the location of cars onto bailiffs.
The development of a proper understanding of the scale and likelihood of fines for breaches of data protection law has also been slow. For those familiar with regulatory process generally, and with enforcement particularly, this is not surprising. Government agencies move at their own pace, restricted by lack of resources and a need to follow proper procedures. The fines and penalties regimes in other areas of regulatory law, such as environmental law, competition law, and health and safety law, all took time to be properly established and understood. They are now taken seriously, decades later. Data protection has not reached that stage yet, but the indications are that it will, although there may be some bumps in the road.
There are some important signposts on that route. The UK’s Information Commissioner (ICO) has indicated that it intends to levy significant fines on well-known companies – British Airways (BA) and the Marriott hotel chain. Although these were generally reported as the end of the process, in fact they were an important interim stage, and the final amount of the fine has yet to be decided. It would also be open to appeal, which could take some time to complete. Nonetheless, the amounts involved are large – £183.39m for BA and £99,200,396 for Marriott.
These are by far the largest fines imposed so far, but there are others which are also quite significant – examples include €50m against Google in France, €18m against the Austrian Post, and €14.5m against a German property rental company. Some national Data Protection Authorities (DPAs) are clearly willing to flex their muscles when they discover large-scale problems in data protection compliance.
Nearer to home, it is also worth noting that the Data Protection Commission has just issued an enforcement notice against the Department of Social Protection regarding the Public Services Card (PSC). In August, the Commission issued findings on foot of its investigation into the PSC, essentially holding that many of its applications outside of the social welfare field were not legal, but these have been strongly challenged by the government. The notice is likely to be appealed to the Circuit Court, and probably further, which means that it will be quite some time before this particular controversy comes to an end.
We can expect some of these fines to stand, and others to be successfully challenged – sometimes as excessive but also for failure to follow proper procedures. Through this process of trial-and-error, a clearer picture of what the courts regard as reasonable fines for breaches of data protection law will emerge. It is very likely that there will be some high-profile overturning of large fines. Paradoxically, this may be a good thing. The better regulators will be more adventurous in their efforts, and thus more likely to fail. If by 2030, no European DPAs have over-reached and lost, they will not be doing their job properly – they will have let us, the ordinary European citizen, down by being too cautious in their approach to enforcement.
There are also important signals as to the development of European data protection enforcement in the fines that have been levied so far. Although both the BA and Marriott examples involved unauthorised access to data by outsiders – hacking of a corporate system by outsiders – a focus only on this type of breach is misleading. The media will tend to focus on hacking attacks, as cybercrime makes for better headlines than the boring details of poor internal security or the sad reality that many businesses will deliberately engage in practices that are clearly illegal. However, a review of a full list of penalties imposed by European DPAs indicates that fines are imposed for a wide variety of reasons, including keeping data beyond a reasonable period, lack of adequate security mechanisms, and cold calling despite objections. One particularly creative instance involved the Spanish Professional Football League, whose app accessed the microphone of the user’s smartphone to monitor for pubs screening football matches without paying a fee.
It is clear, therefore, that every organisation needs to pay attention to the basic requirements of data protection law. Does it have a proper legal basis for the processing it is engaging in? There are six possible bases under the GDPR: consent, necessity for the performance of a contract, compliance with a legal obligation, protecting the vital interests of a natural person, carrying out a task in the public interest or for the exercise of the legal authority of the processor, or necessity in order to pursue the legitimate interests of the controller or a third party, where those interests are not overridden by the interests or fundamental rights of the data subject.
In addition, is it following the principles of data protection law? There are also six of these: purpose limitation (the processing must be only for the legitimate purpose for which the data was originally collected), data minimisation (only data strictly required for that purpose can be requested), accuracy (data must be kept up to date), integrity and confidentiality (appropriate security measures must be applied), storage limitation (data may only be kept as long as it is needed), and fairness and transparency (processing must be legitimate and the data subject must be properly informed as to what is happening with their data).
The GDPR also includes a principle of accountability for failure to comply. Consideration of the fines imposed to date shows that penalties of hundreds of thousands of euro have been imposed for breaches of all of these principles, and for failure to have a proper legal basis for processing. Many of the fines involve failure to have proper security measures in place, underscoring how important attention to detail has become in dealing with data. Getting information security right will often require painstaking and slow work, and may inconvenience staff engaging in legitimate and authorised actions. However, as individuals are increasingly aware of their data protection rights, and are thus more likely to complain, short-term cost savings may lead to long-term penalties.
Another important aspect of the road ahead for data protection is the likelihood of enforcement action against the online advertising industry. This path is less clear, but could be quite significant. Much of the online news and social media infrastructure that has become part of the communications landscape for 2020 and beyond is funded through advertising, particularly the real-time bidding (RTB) market, where algorithms essentially buy and sell space on our eyeballs in microseconds. If the data which is being used for this trading of our attention is not properly sourced or secured, or includes ‘special categories’ (such as health information, ethnic background, or political views), this creates significant vulnerability to enforcement action. The UK ICO has made it clear that it takes a dim view of businesses relying on the ‘legitimate interest’ legal basis for this type of processing, and of the processing of special category data for advertising targeting. The European Commission has just begun a preliminary investigation into this and other practices by Google and Facebook. Given the scale of the market, the fines could be huge (the BA fine was 1.5% of its turnover; it could have been 4% if it had not cooperated). The consequences for online information-sharing could also be significant.
In addition, an issue which has not had very much media focus is a lack of organisational capacity to meet Subject Access Requests (SARs) within the required one-month deadline. It seems that many organisations cannot meet this timeline. Information systems which are not designed with data protection compliance in mind may not make it easy to quickly collate the information that is held on an individual, particularly in large organisations. Smaller entities may simply lack the awareness of data protection duties or any real capacity to respond to an SAR in a comprehensive or timely fashion. Both of these issues are likely to prove problematic for those who do not take them seriously, as individual consumers are increasingly likely to insist on their rights, and to complain to the DPAs when they are unable to exercise them.
After 18 months, then, we are still not ‘there’ with data protection enforcement. It is likely to be three to five years before the overall picture becomes clearer. Regulatory processes and court processes are slow and painstaking. DPAs are beginning to set down clear markers that they are to be taken seriously, but it will be the end of 2020, at the earliest, before they can be confident that the courts will sanction the reasons for their enforcement actions under the GDPR and the scale of the fines that they are imposing. Many companies are still not in compliance, and after the initial flurry of attention to data protection in 2018, the issue seems to have lost its urgency. Nonetheless, the GDPR has not gone away, and we can expect it to become more rather than less important as time passes. The seemingly relaxed pace at which regulators are moving should not be taken as a lack of interest or determination; the road ahead is not entirely clear, but it is moving towards more stringent enforcement and greater individual enforcement of rights.