Throughout 2018, data protection became a significant topic in the news media, driven by the coming into force of the General Data Protection Regulation (GDPR) and the unfolding of several large-scale breaches and prominent scandals, particularly the Cambridge Analytica story.
Few things make people sit up and pay attention like money, and one of the issues highlighted by journalists was that the GDPR gives data protection authorities (DPAs) power to impose significant fines - up to 2% of annual worldwide turnover or up to 10m euro (whichever is higher) for most breaches, and up to 4% of annual worldwide turnover or 20m euro (whichever is higher) for serious breaches. Whatever the amount, DPAs are required to ensure that fines are 'effective, proportionate and dissuasive'. Has this been the case so far?
Although the media now focuses on other topics, data protection returns to the news when there are breaches, or the imposition of significant fines. Data controllers and processors should still be sitting up and watching closely what happens as DPAs across Europe begin to tackle a large increase in complaints to their offices (56% more in Ireland in 2018 for example) and all of the parties involved in data protection - regulators, regulated entities and data subjects - become more familiar with the real meanings and long-term consequences of the latest iteration of the law, including the new rights and requirements created by the GDPR. Those with a stake in the industry should be asking whether the post-GDPR context will see a more proactive and stringent approach from regulators and whether the monetary amount of fines will be significant.
So far, the signs are mixed. The French DPA, the Commission Nationale de l'Informatique et des Libertés (CNIL), has imposed a fine of 50m euro against Google for lack of transparency, inadequate information and lack of valid consent to advertising personalisation. The monetary amount of this fine is significant, but it is an outlier. An analysis by DLA Piper indicates that other fines imposed by DPAs have been low.
The CNIL decision will be appealed, and the eventual outcome will be important in giving a preliminary indication of whether regulators will be permitted to flex their new muscles and how they should go about calculating the amount of fines. Article 83 of the GDPR provides detailed guidance in this regard, and the Dutch DPA has published a fining policy, but practice will also be developed through multiple iterations of appeals before the jurisdiction of DPAs is relatively settled.
Does this activity indicate that there is now a more stringent attitude to enforcement? This question will be the key concern for those who work with data on a day-to-day basis, whether they are a small business managing a mailing list or a global social network site. In this regard, the key focus will be on the Irish Data Protection Commission (DPC), as many large online service providers have their European and Middle-East headquarters in Ireland, making the DPC the most important DPA for many data subjects in Europe and beyond, since the GDPR has potential extra-territorial jurisdiction. So far, the signs are that the DPC will continue in the slow, deliberate and collaborative manner in which it operated before the coming into force of the GDPR, despite the complaints of privacy activists. However, it is still too early to say: a year has not yet passed since May 2018.
It is also important to note that when it comes to fines for privacy breaches, the GDPR is not the only legislation that businesses should be watching. Although the US has very little privacy law, the Children's Online Privacy Protection Act does provide some protection for the data of children under the age of thirteen, and the Federal Trade Commission recently reached a settlement of $5.7m with TikTok (formerly Musical.ly) after an investigation of allegations that it illegally collected personal information from children.
Although there is still significant uncertainty around the extent of the powers of DPAs to impose large fines post-GDPR - and their willingness to exercise them - it remains an issue that those who rely on digital or online tools as an essential element of their business should watch carefully. The future of the digital marketplace is likely to be full of turmoil in the years ahead. Consider three major issues that may arise.
First, there is a legal challenge to the Privacy Shield framework for trans-Atlantic data sharing working its way through the Irish courts. This may include a trip to the Court of Justice of the European Union and back. The outcome may bring the transfer of data from the European Economic Area to the United States of America to a sudden halt, although the European Commission's approach to the possibility is somewhat like a parent that continues to send an errant child to bed but never follows through.
Second, the Directive on Copyright in the Digital Single Market, with its very controversial Articles 11 and 13, has passed its final vote in the European Parliament. It may require the introduction of costly and imperfect copyright filtering software and alter the online landscape in Europe, perhaps leading to greater consolidation.
Third, the coming into force of the GDPR has required much greater transparency around the activities and methods of online advertising technology ('AdTech'). Some US websites have simply stopped serving EU-based users. Others are now providing opportunities to control cookies and other tracking mechanisms to a fine level of detail, although sometimes using 'dark patterns' of user interfaces that make it easier to say yes and penalise the user for refusing cookies by imposing a slight delay as each one is switched off. Although these are annoyances that are aimed at getting users to take the path of least resistance and click 'allow tracking' without much consideration, some privacy campaigners have also highlighted much more serious potential illegalities in the mechanisms used and have lodged complaints with regulators across Europe. If these are well-founded and AdTech is forced to make fundamental adjustments to its business model, many of the revenue streams that seemingly 'free' sites depend upon will dry up. In the longer term, this could lead to a reconfiguration of information society services - another round of online creative destruction.
These issues primarily concern commercial enterprises. However, electronic government also raises deep data protection issues - consider, for example, the recent Cookiebot report on AdTech tracking on public sector health websites. These do not seem to constrain the interest of civil servants in integrating the information infrastructures of the state, although the goals of European data protection law include avoiding the horrific misuse of personal data by authoritarian regimes in the past. Politicians and policy-makers will also be watching the approaches and practices of European DPAs with interest for years to come.
Overall, therefore, although there are some indications that DPAs are willing to use their new powers and to impose significant fines, it is far too early to say whether the courts will sanction such developments. Other DPAs seem to remain relatively cautious. Nonetheless, the GDPR and other changes in the laws that govern digital marketplaces will continue to have an impact. The next few years will see changes, with some practices effectively outlawed and opportunities arising for new online products and services. Whether data subjects will see their rights better protected remains to be seen.
Bloomsbury Professional Online's Intellectual Property and IT Law service is the ideal resource for practitioners operating in the interwoven areas of data protection, information technology law and intellectual property.