GDPR was the hot topic of 2018, but what now? Nobody seems to be talking about it, but it hasn’t gone anywhere.

By Lesley Holmes, Data Protection Officer at MHR

As GDPR drew closer, there were rumours of multi-million pound fines and people being sued over broken rules or misunderstanding what GDPR meant…so did it happen?

Well kind of, yes.

Straight after GDPR came into force, one self-styled ‘data freedom activist’, Austrian Max Schrems, sued Google, as well as Facebook and its subsidiaries (which include Instagram and WhatsApp), to the tune of almost $4 Billion.

Officially, three complaints worth 3.9 Billion dollars were filed against Facebook, WhatsApp and Instagram respectively via data regulators in three different EU countries. As well as these complaints, French data protection authority CNIL filed a separate claim for 3.7 billion relating to Google’s Android operating system, showing wide concern around Google’s practices.

The CNIL claim was about a breach of regulations (rather than a breach of data), as Google was accused of not respecting people’s right to choose how their data is shared when they create an account. CNIL didn’t ultimately enforce the penalty for this, but if Google doesn’t clean up its act, chances are other authorities will be less generous with their own actions in future.

Despite legal challenges from governments, Schrems made most of the headlines, himself stating that Google was breaking the rules with an ‘all or nothing’ policy which did not allow users to select preferences. One man took on a behemoth, confident that GDPR gave him the backing he needed to succeed in a legal landmark.

While he was not that successful financially in the end, the case may still lead to changes in the way Facebook can use data in Europe, and remember that this was just one man, rather than a large organisation or government, against Google – and that one man almost won.

After Schrems took on Google, more problems were round the corner for the tech-giant.

Despite the Irish Government asking Google to make amends in areas where it was seen to be falling short of GDPR compliance (Google’s international office is in Ireland), the French Government was quick to take charge when Google did not do so.

The result? A fine of 57 Million Dollars.

The result of complaints from two not-for-profit (NFP) organisations, this fine is very big; there can be no argument about that. The thing is, many feel that there can be.

In the last few weeks and days before GDPR took effect last year, there were rumours that businesses who ignored the warnings could expect a major fine of 2-4% of their annual turnover. So if Google were fined on that basis, it would be looking at a fine of around 2.5 to 5.1 billion (yes, billion!) US dollars. A fine like this would, almost surreally, make 57 million pounds look like loose change.

What was the first year of GDPR like?

95,000 people have complained so far over potential breaches, but these have rarely meant legal action, so it seems people are happy for legislators to do the work for them in most instances.

Despite the complaints, it does in fact seem that companies are acting responsibly when self-governing: businesses had already reported 41,000 potential breaches as of January 2019, a figure which is set to rise. But don’t worry; it’s better for both consumers and businesses that breaches are reported rather than swept under the carpet.

And that’s just the UK. Across Europe during the same period, 59,430 breaches were reported, displaying consistency among businesses.

Despite most businesses reporting responsibly, at least 91 fines had been issued by the start of 2019, with 60 fines coming from Germany alone. Most of those fines related to 2018, which was described by the French data protection authority (CNIL) as a transitional year ‘intended to allow businesses to understand and implement what the GDPR requires’.

This seems to be something businesses are well aware of. As of May 25th 2018 only half of companies reported themselves as compliant, despite having had two years to prepare for the new legislation. This may be a lack of preparedness, but if it’s complacency, then the future may be a shock for a lot of people at the business end of hefty fines.

What risks will businesses encounter in the future?

If 2018 was a transitional year, then anything after that must be taken far more seriously, as there has now been plenty of warning and the big fines are starting to mount.

The ‘low’ fine given to Google may be an indicator of a transition to much bigger fines, or it may be a politicised decision as we will discuss in a moment.

The fact remains that organisations can and will be given huge fines by data protection authorities if governments feel they are losing control, or that people have inadequate protection, especially as failing to meet the appropriate requirements for technical and organisational security may lead to major hacking, and to data controlled by the state being misused as well.

WhatsApp, much lauded for its state-of-the-art encryption, was hacked recently, so the theft of data is something we should be worried about. The circumstances too were concerning, as the hackers were able to infect devices simply by dialling the number, even if the call went unanswered, and then erase the call log.

This was resolved quickly in this case and the group (Facebook owns it) was very open about what had happened, but mishandling a situation like this is likely to incur the wrath of the EU and the UK, who do have very real legislative power.

As well as the full remit of state-led fines and punishments, individuals, like Schrems (but not limited to him), may decide to sue organisations directly. This is the norm now in the US and many social commentators feel we’re not far behind, suggesting a very large can of worms could fly open very soon, with disastrous consequences for negligent businesses, or just for those who are still (still!) unclear what the impact of GDPR means. What is already clear is that the future will include many more class-action lawsuits.

What’s the bigger picture for GDPR?

Big data is big business and those who hold a lot of data are fast becoming the new oil barons, such is the value of data.

This ownership is losing value under GDPR, as it is harder to just harvest and use data freely for maximum profit, without receiving a penalty as a result. This should always be the case. GDPR has been brought in exactly for the purpose of reducing irresponsible data use.

While the UK government have more or less implemented a cookie-cutter copy of the existing EU legislation despite the Brexit vote, changes will come in the future if it seems the legislation is not right for Britain.

Some commentators have claimed there may be a so-called ‘Brexit light’, letting big businesses get away with more to stimulate the economy, but very few people feel that this will happen. Another reason this might not work well is that EU GDPR rules will still apply to the data we share when trading with EU businesses, so it will remain important to respect data laws; but the future will include a lot more GDPR debate either way.

Whatever the future holds, being responsible with data is still advised as the story of GDPR has not yet truly been written – we’re still on the first page.

Lessons we can learn from GDPR so far?

As we can see, it’s been an eventful year, but what are the main things to consider now? Here are our top five tips:

  1. Did you prepare for GDPR? If you didn’t, it’s not too late to make changes; if you did…can you do it better?!
  2. With many businesses being let off in the initial period, some businesses are becoming complacent – make sure you are not one of them! Make sure you have regular reviews of your data and, if you are big enough to have a dedicated team, make sure you use them. This ensures continuity in everything you do; if you don’t have a team to do this, allocate a data controller and/or speak with your DPO or similar.
  3. Are you doing the right thing? If someone decides to sue you for a breach or mishandling of data, then you can relax a lot more if you know you did everything within your power to process your data responsibly and compliantly. Bear in mind, though, that a thousand employees claiming their rights and freedoms have been impinged could cost a business in the region of £1.2m if they take out a class action (and win). The complaints can add up, so don’t let them happen.
  4. Make sure you’ve used all the tools at your disposal and take a back-to-basics approach: know your data flows, assess your operations, produce a gap analysis, take action and then review. Simple but effective.
  5. Make sure that you are open and transparent about what you are doing with people’s data and why. A simple privacy notice that is easy to read goes a long way to help understanding and build confidence in your business.

By Elif Ecem Seçilmiş, an Associate at Kılınç Law & Consulting

The EU’s General Data Protection Regulation (GDPR) was created with the aim of homogenising data privacy laws across the EU. GDPR also applies to organisations outside the EU, if they monitor EU data subjects, or offer goods and services to them. The GDPR applies to personal data, which is defined as any information relating to an identifiable natural person.

In certain cases, frameworks such as the EU-US Privacy Shield have been implemented to ensure the protection of data being transferred outside the EEA. However, such frameworks have not been established in all countries outside of the EEA. In such cases, businesses need to be keenly aware of the data protection laws in each territory, in order to ensure compliance.

Businesses based within the EEA that wish to send personal data outside the EEA also need to pay particularly close attention to GDPR. GDPR restricts the transfer of any personal data to countries outside the EEA.

The European Commission has made “adequacy decisions” as regards the data protection regimes in certain territories. Territories where the data protection regime has been deemed adequate include Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. The EU Commission has also made partial findings as regards the adequacy of the regimes in the US, Japan and Canada.

If a business wishes to send data to a country that is not in the EEA, and which is not covered by an “adequacy decision”, it will need to ensure that the appropriate safeguards set out in the GDPR are implemented.

In order to facilitate data transfers within multinational corporate groups, “binding corporate rules” may be submitted to an EEA data supervisory authority for approval. If these are approved, then all members of the group must sign up to these rules and they then may transfer data outside the EEA, subject to the binding corporate rules.

Another way to make a restricted transfer outside the EEA is for both parties to enter into a data-sharing agreement, which incorporates the standard data protection clauses adopted by the European Commission.

The Commission has published four sets of such model clauses, which set out the obligations of both the data exporter and data importer. The clauses may not be amended and must appear in the agreement in full. The penalties for non-compliance with GDPR are significant since organisations can be fined €20 Million or 4% of their annual global turnover for breaches.

Article 49 of GDPR also sets out derogations from the GDPR’s general prohibition on transferring personal data outside the EEA without adequate protection. The derogations can apply, for example, where there is an important public interest, or the data must be transferred for legal proceedings. A derogation can also apply where the data subject has been fully informed of the risks but has given their explicit consent to the transfer.

The advent of GDPR has significance for companies doing business internationally. However, companies doing business internationally also need to think beyond GDPR. Companies may find themselves subject to the data protection regimes of third countries, even if they do not have any physical presence there. For example, international companies without a presence in Turkey may be subject to Turkish data protection law if their activities have an effect in Turkey.

A registration system for data processors is currently being rolled out in Turkey. Data processors based outside Turkey whose activities have an effect in Turkey may need to register by 30 September 2019.

Turkey’s 2016 Law on the Protection of Personal Data is based largely on EU data protection law. As a candidate state for EU membership, Turkey aligns much of its legal system with EU law. Many of its requirements are broadly similar to EU law. However, there are also some very important differences which companies whose businesses have an effect in Turkey should be mindful of.

Turkish data protection law allows for administrative fines of up to three per cent of a company’s net annual sales to be levied if personal data is stolen, or disclosed without consent. Turkish data protection law applies to both sensitive and non-sensitive personal information.

Personal data may not be transferred outside Turkey without the consent of the data subject, except in strictly limited circumstances. Regulatory approval is required for such transfers where the transfer may harm Turkey or the data subject.

Unlike GDPR, however, “explicit consent” is required by Turkish Law to process both sensitive and non-sensitive data. The exceptions to this general rule include where there is a legal obligation on a data processor to process the data, and where such processing is necessary to protect the life of the subject. Further processing is not allowed without specific consent, and there is no “compatible purpose” exception in Turkish law. The definitions of consent also differ in Turkish law and under GDPR.

GDPR has caused many EEA companies to consider in detail the laws restricting the transfer of data out of the EEA. However, companies may also be subject to laws restricting the transfer of data into the EEA.

Elif Ecem Seçilmiş is an Associate at Kılınç Law & Consulting