November 25th marks the six-month anniversary of the General Data Protection Regulation (GDPR) officially coming into effect. Barrister-at-Law Quentin Hunt has been examining the implications of early high-profile test cases under the regulations – and reporting on what this might mean for organisations in the future.
Although it adopts the same principle-based approach as the preceding Data Protection Act 1998, GDPR has significantly increased the ability of regulators to impose fines – with the maximum for some offences now set at 20 million EUR or 4% of global turnover, whichever is higher. GDPR has also made the obligations on data controllers more onerous than they were before, with the consequences for non-compliance more severe and, crucially, less predictable. This makes GDPR a significant business risk that is difficult to assess and mitigate, as three of the early legal cases demonstrate, Hunt says.
The Case: The changing relationship between Facebook and marketing customers
In June 2018, the European Court of Justice considered whether the administrators of Facebook fan pages should also be considered as data controllers. In 2011, a company called Wirtschaftsakademie Schleswig-Holstein was ordered by its state data protection regulator to deactivate its fan page, on the grounds that neither the company nor Facebook had made users aware that their data was being collected via cookies. Wirtschaftsakademie objected, saying that, as a page administrator, it had not instructed Facebook to collect data and therefore was not responsible for the breach. The Court held that administrators of Facebook Pages are joint data controllers and as such are jointly responsible with Facebook for the processing of visitors' and users' data anywhere within the European Union.
The Lesson: GDPR will change the shape of future contractual marketing relationships
This ruling will fundamentally change the relationship of platforms like Facebook with their marketing customers – so that the relationship is specified not as processor-controller, but as controller-controller with equal responsibility for data security. What's more, with this case originally being brought in 2011 under the previous Data Protection Directive of 1995, the ruling demonstrates that the principles of older data protection law effectively carry over to GDPR. In other words, just because there's new regulation in force doesn't mean that old data protection principles are no longer relevant or referenceable in a court of law.
The Case: Cambridge Analytica and criminal prosecutions
In October 2018, the regulator confirmed a fine of £500,000 for two breaches of the old law as laid out in the Data Protection Act 1998. Whilst the fine itself is relatively small (if the case had been pursued under the GDPR, it could have been as much as 4% of the company's considerable turnover), the legal implications are considerable. As for Cambridge Analytica's parent company, the ICO has announced a criminal prosecution for failure to comply with an earlier Enforcement Notice and a new Enforcement Notice compelling it to properly deal with an existing subject access request. Data broker Emma's Diary and Cambridge University also face regulatory action. The Information Commissioner has also called for a statutory code regulating the use of personal data in political campaigning.
The Lesson: GDPR is a tangible and significant risk for all organisations and sectors
This case represents a clear statement of intent from the regulator that it will make use of its powers to tackle data misuse for political purposes. Clearly, GDPR is a regulatory change that will affect organisations far beyond the marketing and technology arenas. Political organisations, not-for-profits, public and private companies and any other organisation handling data must all stay on top of GDPR to protect themselves.
The Case: A £200K fine for the Child Sex Abuse Inquiry
In July 2018, the Independent Inquiry into Child Sexual Abuse was hit with a £200,000 fine after a staffer to the inquiry emailed 90 individuals regarding a forthcoming hearing. The staff member in question accidentally inserted the recipients into the “TO” field rather than the “BCC” field. The ICO held that the Inquiry had failed to take appropriate organisational measures to avoid unauthorised processing of personal data by failing to make use of an email account which could send emails individually to each recipient and failing to provide staff with appropriate training.
The Lesson: GDPR is a leadership matter
This case demonstrates one of the trickiest elements of GDPR to negotiate. Because GDPR is principle-based regulation, subjective judgments come into play, both when it comes to who’s responsible and when it comes to predicting likely penalties. No doubt, the extremely sensitive subject matter of the inquiry and the emotional distress caused to the complainants in this case influenced the very high fine. As such, responsibility for GDPR must be taken seriously, start from the top and be effectively cascaded down the organisation.
Other Important GDPR Developments
The ICO annual report: In July, the ICO published their 2017/2018 annual report covering the twelve months ending 31 March 2018. The report detailed a 29% increase in the number of self-reported data breaches from 2,447 to 3,156. In 60% of cases, the ICO took no further action at all. Remarkably, only 0.3% of breaches attracted a monetary penalty. This underlines the ICO’s approach of reserving fines for only the most serious of breaches. Whether this approach will be sustainable following the introduction of the GDPR remains to be seen. However, the ICO’s Regulatory Action Consultation suggests that this approach will remain the status quo for the foreseeable future.
Director Liability: The Government has just consulted on whether the ICO should be given the power to fine directors, senior officers and partners personally. The Government's concern is that the ICO currently only recovers 54% of the fines it imposes, as fines can currently only be levied against corporations. The result is that if a company is dissolved or goes into liquidation, the directors can create a new legal entity and continue their activity without payment of any fines. The consultation closed on the 20th August 2018. Its results could have a significant impact on director liability for breaches of the GDPR.
About the Author:
Quentin Hunt is a Barrister-at-Law at 2 Bedford Row Chambers, with a specialisation in litigation and advisory matters encompassing Data Protection, Compliance and the Criminal Law. He advises clients in all aspects of Data Compliance and GDPR compliance, applying his perspective from his Criminal Law and Litigation experience.