From the European Data Protection Summit in London: release the GDPR hounds!!


“GDPR! GDPR! GDPR! GDPR!”

By:

Eric De Grasse
Chief Technology Officer


7 June 2019 (London, UK) – While getting your company or client ready for the introduction of the GDPR was a frantic period, the last 12 months have been a relatively quiet period for the rules. However, that might all be about to change.

At the European Data Protection Summit in London (held this past Monday, 3 June), a few points were raised which may put the fear back into executives – or not. For most attendees, it does appear the “sex appeal” of data protection and privacy has eroded, despite all the media chatter about controlling, regulating or dismembering the Tech Titans. But many also said: “just wait until the summer is over. It might well be dominating the headlines again”.

Ivana Bartoletti, Privacy Lead at Gemserv, presented the case for tech with her talk “Privacy in The Age of Big Data & Algorithms”. Among the many compelling points she raised, she considered the privacy implications of inferred data, and asked whether such data can truly be categorized as “personal”. Personal autonomy is key to redefining data privacy: allowing people to make their own decisions, without big data shaping what we want based on our inferred data. But, Ivana concluded, inferred data isn’t covered in the GDPR, one of several limitations to the effectiveness of the GDPR. This is a point we have made many, many times. We’ll have a long read next week which parses every section of the GDPR vis-à-vis “inference”.

The focus of the Summit was on the UK, but Europe was of course the topic of many presentations. There also seemed to be a number of UK developments bubbling away at the moment, each of which could have a significant impact on the data protection and privacy landscape in the UK.

The keynote by … Max Schrems!!

There was standing room only (and of all the sessions I attended, the ONLY one that was SRO) when Max Schrems delivered his views on UK surveillance and data privacy transfers post-Brexit to a fascinated audience. Max (“the man who took on Facebook and won”) began with:

I was asked to do something that’s impossible as an Austrian lawyer, which is talking about UK surveillance laws.

The noyb founder and privacy activist (noyb stands for “none of your business” and is a new form of privacy lobbying group, one of numerous such organisations that have sprouted up since the GDPR came into force) pointed out that were Brexit to take place, the UK would lose its ability to opt out of EU law on national security grounds, given the structure of the proposed EU trade deals.

At the moment, the UK relies on the national-security carve-out in Article 4 of the Treaty on European Union (the “Article 4 exception”) to exclude its security laws from EU oversight. The problem is, this only applies to EU member states. Once the UK is no longer a member, it no longer applies, and this is the problem the U.S. is having right now, too, with data transfers via Privacy Shield.

Schrems also went into detail about Privacy Shield and the fall of the Safe Harbor agreement, which the Court of Justice of the European Union ruled invalid in 2015 for its failure to adequately protect consumers’ privacy. He then gave the background to the new, pending case before the CJEU on Standard Contractual Clauses. He also noted:

The EU basically says there has to be privacy and the US says there has to be surveillance, and these two things clash. It’s basically two high speed trains colliding into each other. And with so much at stake this is going to be a long, expensive battle.

Reality check: the UK will no doubt continue its surveillance programs, which include data sharing with Five Eyes partners, including the U.S., and as many commentators have noted it does so in a manner that violates Europeans’ human rights under various EU laws. But post-Brexit, the EU probably won’t try to stand in the U.K.’s way. There will be a “U.K. GDPR” and there will also be U.K. surveillance laws. So, in reality, the European Union is probably just going to green-light all of it.

The GDPR ambulance chasers

Although it is not necessarily the most flattering of terms, the ambulance chasers are readying themselves for an assault on GDPR negligence. Numerous law firms (Hayes Connor Solicitors being only one example) are already advertising their services for claims arising from the British Airways data breach, which affected roughly 400,000 people. The investigation is still ongoing, though the financial penalty for this breach could be as much as €918 million.

More and more UK lawyers are turning their attention to the GDPR as a ripe new field of expertise. Given the headline-worthy nature of data breaches and privacy violations, the potential consequences for the individual, and the flow of data subject access requests, the GDPR is an area primed for legal buzz.

Big fines have been promised

So far, there is only one example of a data protection authority swinging the heavy stick of the GDPR at a major firm: in January 2019 France’s watchdog, the CNIL, fined Google €50 million for numerous offences. While there have been other significant breaches over the last few years, most occurred before the GDPR’s heavier penalties applied. The few since have drawn only low-level fines.

But many in attendance said “serious fines are coming in the summer, including to some of the big companies,” and this (somewhat) mirrors what I heard a few weeks ago at the informal data protection and privacy commissioners’ meet-up in Berlin.

The “biggie” … the annual International Conference of Data Protection and Privacy Commissioners, to be held in October in Albania … will be more revealing. The Conference has closed sessions (only for accredited members and observers) and public sessions. It was at last year’s conference that I had informal chats with many privacy commissioners who readily admitted they were understaffed to enforce the GDPR and that it is going to take a long while for regulatory authorities to conduct their investigations. And just as many attendees said this week in London, expect regulators to target “symbolic cases” … and expect calls that such enforcement is arbitrary and unfair, and ripe for litigation.

Yes, the data protection authorities are taking this very seriously. But everybody is looking at the Irish data protection authority as the regulator that needs to take control of the situation. Despite the fact that Ireland’s economy is heavily reliant on the internet giants, the Irish watchdog is the lead GDPR authority for most of them, and many hope it will lead the charge.

As we have written before, the GDPR, the product of years of wrangling with data companies, became vulnerable on one key provision on which the tech companies prevailed: that the lead regulator be the authority of the country in which a tech firm, as “data controller”, has its main establishment (in most cases, Ireland), so that companies are not subject to 28 regulators, several of them far more aggressive than Ireland.

In a recent public relations “defense plea” (what else can you call it?), Ireland’s Commissioner for Data Protection, Helen Dixon, pointed out that the authority has already opened 54 investigations, 19 of which are cross-border. To many pundits that means we should expect some pretty heavy fines. But in Ireland it is the appearance of an investigation rather than the substance of one that counts. We’ll see.

In the UK, new rules, new considerations

The UK’s Data Protection Act 2018 is something which has not really generated many headlines, but there is a monumental opportunity for headaches. And as many presenters noted, “it’s a bit of a minefield to go through”.

The Data Protection Act is the UK’s own version of the GDPR, required because the Brits are divorcing the European Union (latest date: 31 October 2019), but it actually goes a lot further than the European rules. This is perhaps the worst-case scenario for those wanting to remain compliant, as it creates more work ensuring compliance with two different sets of rules. Only a few UK law firms have brought this to the attention of their clients.

New clauses have been introduced creating new grey areas when it comes to confidentiality agreements, while the Act’s approach to immigration (the so-called immigration exemption) has received criticism. Those who are seeking official residential status in the UK will not be able to force the government into providing insight into the data which has been collected, analysed and actioned. This is the first time such a data moat has been embedded into law, and there are some people who are not happy about it.

One area which is very useful is the standardization of use cases. In four areas, the ICO (the UK’s Information Commissioner’s Office) is required by the Act to produce statutory codes of practice (on data sharing, direct marketing, age-appropriate design for online services, and journalism), effectively producing standards to ensure companies can remain compliant. This is the first time an authority has taken such an approach, and we can only hope it will be replicated by other authorities.

The groans of Brexit

Yep, how can you avoid it? Brexit is a tricky topic to bring up. People either disagree with it, hate it or are bored of it, but the fact of the matter is, it is crucially important in numerous areas. Brexit changes the status quo. The UK will no longer be in the European Union, fundamentally changing the relationship companies have with governments, customers and supply chains. With the Brexit deadline fast approaching, and little concrete information being offered, the risk is running quite high. This will have to be a major factor in any company’s approach to data protection and privacy moving forward. See my paragraph above on dealing with two, sometimes incompatible, data privacy regimes.

The risk of a boring conversation

“Everyone is saying they are trying more for data protection, but does anyone actually believe it?” Heard from numerous attendees, all day. The GDPR was critically important when it was introduced, and it remains critically important today. However, you have to question whether the organizations involved, or the general public, are actually taking it seriously. The last 12 months have seen the GDPR fall down the agenda, though it will rise again.

Enforcement is key, and it is coming. GDPR investigations are painfully slow processes due to the vast amount of information and the complexity of the business models in the data-sharing economy. However, many investigations will be finalized over the next few months. With these final decisions come the fines. This will propel data protection and privacy back into the public debate, and ensure the general public becomes more aware of the dangers of the digital world.

But how big will the fines be, and will corporate action and attitudes change? That’s the key. As we noted earlier this year, much was made of the EU Directorate-General for Competition (DG Comp) assessing a fine against Google in the amount of €5 billion. But in an industry that changes by the day, the case took eight years to complete. Further, it dealt with just one part of a problem that is now very large and sprawling. And even after the fine Google is still left holding more than $100bn in cash, and that does not include Google’s “reserve fund”, which totals $27bn in cash. As my boss, Greg Bufithis, opined: “Vestager’s fighters put out the fire on the first floor, but only after the blaze had spread to the rest of the building”.

There is currently a risk of GDPR “negligence” for not complying, and that is the mantra being bellowed by law firms and vendors selling services and “solutions” to deal with the GDPR. But one has to remember that law firms and vendors are merely riding the wealth-extraction gravy train, so they need big fines to shake the money tree. They also need hard enforcement, not years of appeals. Well, unless they are a law firm handling those appeals.

But to conclude on a (somewhat) positive note … for the marketing crowd. What is slowly catching on is that data protection and privacy principles should form part of the buying decision-making process. The companies which take data protection and privacy seriously “will become more appealing to those customers, both consumer and enterprise”. And another factor to consider is … recruitment. More graduates nowadays “want to work for ethically sound organizations”, and soon enough this definition will be expanded “to include data protection and privacy principles”. It makes a nice “sell”, anyway.
