“We’ve updated our privacy policy”: GDPR two years on

by Scott Faulds

Almost two years ago, the General Data Protection Regulation (GDPR) came into force across the European Union (EU) and European Economic Area (EEA), creating what many consider to be the most extensive data protection regulation in the world. The introduction of GDPR facilitated the harmonisation of data privacy laws across Europe and provided citizens with greater control over how their data is used. The regulation sets out the rights of data subjects, the duties of data controllers/processors, the transfer of personal data to third countries, supervisory authorities, cooperation among member states, and remedies, liability or penalties for breach of rights. However, whilst the regulation itself is extensive, questions have been raised regarding the extent to which GDPR has been successful at protecting citizens’ data and privacy.

Breach Notifications and Fines

Critics of GDPR have argued that whilst the regulation has been effective as a breach notification law, it has so far failed to impose impactful fines on companies which have failed to comply with the GDPR. National data protection authorities (such as the Information Commissioner’s Office (ICO) in the UK) under the GDPR have the ability to impose fines of up to €20m or up to 4% of an organisation’s total global turnover, whichever is higher. Since the introduction of the GDPR, data protection authorities across the EEA have experienced a “massive increase” in reports of data breaches. However, this has yet to translate into substantive financial penalties. For example, Google has been issued a €50m fine, the highest issued so far* by CNIL, the French data protection authority. CNIL found that Google failed to provide sufficient and transparent information that allowed customers to give informed consent to the processing of personal data when creating a Google account during the set-up process of an Android powered device. This is a serious breach of multiple GDPR articles and CNIL argued that the infringements contravene the principles of transparency and informed consent which are at the heart of the GDPR.

*  The confirmation of record fines issued by ICO to British Airways (£183m) and Marriott International (£99m) has been delayed until 31st March 2020.

However, the fine imposed on Google amounts to approximately 0.04% of their total global turnover, which some have argued is simply too small an amount to act as any real deterrent. Therefore, it could be said that while GDPR has been effective in encouraging companies to be transparent when data misuse occurs, national data protection authorities have yet to make use of their ability to impose large financial penalties to act as a deterrent.

In recent months, the German and Dutch data protection authorities have both created frameworks which set out how they intend to calculate GDPR fines. Analysis of their fining structures indicates that both models will operate based on the severity of GDPR violation. However, both structures allow for the data protection authority to impose the maximum fine if the amount is not deemed fitting. The International Association of Privacy Professionals believes this will result in significantly higher and more frequent fines than those issued previously, and has suggested that it is possible that the European Data Protection Board may consider implementing a harmonized fine model across Europe.

Brussels Effect

The effects of the GDPR can be felt beyond Europe, with companies such as Apple and Microsoft committing to extend GDPR protections to their entire customer base, no matter their location.  Even the COO of Facebook, Sheryl Sandberg, admitted that the introduction of GDPR was necessary due to the scale of data collected by technology companies. The ability of the EU to influence the global regulatory environment has been described by some experts as the “Brussels Effect”. They argue that a combination of the size, importance and regulatory power of the EU market is forcing companies around the world to match EU regulations. Additionally, this effect can be seen to be influencing data protection legislation across the world, with governments in Canada, Japan, New Zealand, Brazil, South Africa and California all introducing updated privacy laws based on the GDPR. As a result, it can be said that the introduction of the GDPR has enabled the EU to play a key role in global discussions regarding privacy and how citizens’ data is used worldwide. 

Brexit

Following the UK’s exit from the EU, the GDPR will remain in force until the end of the transition period (31st December 2020), after this point it is the intention of the UK Government to introduce the UK GDPR. However, as the UK will no longer be a member state of the EU, it will require to seek what is known as an “adequacy agreement” with the EU.This allows businesses in the EEA and UK to freely exchange data. The UK government believes that this agreement will be signed during the transition period, as the UK GDPR is not materially different from the EU GDPR. However, it should be noted that the most recent adequacy agreement between the EU and Japan took two years to complete.

Final Thoughts

The introduction of the GDPR almost two years ago has had a variety of impacts on the current discussion surrounding privacy and how best to protect our personal data. Firstly, the GDPR has forced companies to become more transparent when data misuse occurs and gives national data protection authorities the power to scrutinise companies’ approaches to securing personal data. Secondly, the influence of the GDPR has helped to strengthen privacy laws across the world and has forced companies to provide individuals with more control over how their data is used. However, the effectiveness of GDPR is limited due to a lack of common approach regarding fines in relation to GDPR violations. In order to develop fully, it will be important for the European Data Protection Board to provide guidance on how to effectively fine those who breach the GDPR.


If you enjoyed this post, you may also like some of our other posts related to GDPR:

Follow us on Twitter to see what topics are interesting our research team.

Protecting privacy in the aftermath of the Facebook-Cambridge Analytica scandal

By Steven McGinty

On 4 June, Information Commissioner Elizabeth Denham told MEPs that she was ‘deeply concerned’ about the misuse of social media users’ data.

She was speaking at the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) inquiry into the use of 87 million Facebook profiles by Cambridge Analytica and its consequences for data protection and the wider democratic process. The whole affair has shone a light on how Facebook collected, shared, and used data to target people with political and commercial advertising. And, in a warning to social media giants, she announced:

Online platforms can no longer say that they are merely a platform for content; they must take responsibility for the provenance of the information that is provided to users.”

Although this is tough talk from the UK’s guardian of information rights – and many others, including politicians, have used similar language – the initial response from the Information Commissioner was hardly swift.

The Information Commissioners Office (ICO) struggled at the first hurdle, failing to secure a search warrant for Cambridge Analytica’s premises. Four days after the Elizabeth Denham announced her intention to raid the premises, she was eventually granted a warrant following a five-hour hearing at the Royal Courts of Justice. This delay – and concerns over the resources available to the ICO – led commentators to question whether the regulator has sufficient powers to tackle tech giants such as Facebook.

Unsurprisingly, it was not long before the Information Commissioner went into “intense discussion” with the government to increase the powers at her disposal. At a conference in London, she explained:

Of course, we need to respect the rights of companies, but we also need streamlined warrant processes with a lower threshold than we currently have in the law.”

Conservative MP, Damien Collins, Chair of the Digital, Culture, Media and Sport select committee, expressed similar sentiments, calling for new enforcement powers to be included in the Data Protection Bill via Twitter:

Eventually, after a year of debate, the Data Protection Act 2018 was passed on the 23 May. On the ICO blog, Elizabeth Denham welcomed the new law, highlighting that:

The legislation requires increased transparency and accountability from organisations, and stronger rules to protect against theft and loss of data with serious sanctions and fines for those that deliberately or negligently misuse data.”

By introducing this Act, the UK Government is attempting to address a number of issues. However, the Information Commissioner, will be particularly pleased that she’s received greater enforcement powers, including creating two new criminal offences: the ‘alteration etc of personal data to prevent disclosure‘ and the ‘re-identification of de-identified personal data’.

GDPR

On 25 May, the long awaited General Data Protection Regulation (GDPR) came into force. The Data Protection Act incorporates many of the provisions of GDPR, such as the ability to levy heavy fines on organisations (up to €20,000,000 or 4% of global turnover). The Act also derogates from EU law in areas such as national security and the processing of immigration-related data. The ICO recommend that GDPR and the Data Protection Act 2018 are read side by side.

However, not everyone is happy with GDPR and the new Data Protection Act. Tomaso Falchetta, head of advocacy and policy at Privacy International, has highlighted that although they welcome the additional powers given to the Information Commissioner, there are concerns over the:

wide exemptions that undermine the rights of individuals, particularly with a wide exemption for immigration purposes and on the ever-vague and all-encompassing national security grounds”.

In addition, Dominic Hallas, executive director of The Coalition for a Digital Economy (Coadec), has warned that we must avoid a hasty regulatory response to the Facebook-Cambridge Analytica scandal. He argues that although it’s tempting to hold social media companies liable for the content of users, there are risks in taking this action:

Pushing legal responsibility onto firms might look politically appealing, but the law will apply across the board. Facebook and other tech giants have the resources to accept the financial risks of outsized liability – startups don’t. The end result would entrench the positions of those same companies that politicians are aiming for and instead crush competitors with fewer resources.

Final thoughts

The Facebook-Cambridge Analytical scandal has brought privacy to the forefront of the public’s attention. And although the social media platform has experienced minor declining user engagement and the withdrawal of high profile individuals (such as inventor Elon Musk), its global presence and the convenience it offers to users suggests it’s going to be around for some time to come.

Therefore, the ICO and other regulators must work with politicians, tech companies, and citizens to have an honest debate on the limits of privacy in a world of social media. The GDPR and the Data Protection Act provide a good start in laying down the ground rules. However, in the ever-changing world of technology, it will be important that this discussion continues to find solutions to future challenges. Only then will we avoid walking into another global privacy scandal.


The Knowledge Exchange provides information services to local authorities, public agencies, research consultancies and commercial organisations across the UK. Follow us on Twitter to see what developments in policy and practice are interesting our research team. 

If you found this article interesting, you may also like to read our other digital articles.