It’s been a rollercoaster first 5 years for GDPR, says Rachael Eyre.
Regulation (EU) 2016/679, more commonly known as the General Data Protection Regulation (GDPR), received its final approval by the European Parliament on 27th April 2016. GDPR updated the no-longer-fit-for-purpose Directive 95/46/EC, which was implemented at a time when few people had access to the internet.
There was much rejoicing by data protection practitioners. Finally, the regulations would be fit for the modern world of data processing, with the law drafted in such a way that it would not be overtaken by advancements in technology. Fabulous!
A mere 2 months later, the certainty drained away as the UK voted to leave the EU.
Thankfully, as the new rules had to come into effect by 25th May 2018, the UK forged ahead with the passing of the Data Protection Act 2018 (on 23rd May, talk about cutting the deadline fine).
Upon leaving the EU, the GDPR became the ‘UK GDPR’, largely a copy and paste exercise from the EU Regulation with a few minor tweaks.
So, what’s happened since GDPR’s implementation?
GDPR enforcement by the ICO
- There has been one criminal prosecution. This was brought in August 2022 against a health worker who illegally accessed the health records of 14 patients without the consent of his employer.
- The ICO has issued 69 monetary penalties and 42 enforcement notices. A whole host of sectors have been included, with the main theme being unsolicited and nuisance marketing.
- Victims of cyber attacks have been fined. Take the case of Tuckers Solicitors, fined £98,000 by the ICO for failing to safeguard client data. Hackers were able to access, copy and sell confidential information on the dark web.
The top three monetary penalties went to Clearview AI (£7.5m for unlawfully using scraped data), Marriott International (£20m relating to a hacking incident affecting 7 million people in the UK), and British Airways (£20m in relation to a cyber attack resulting in 400,000 staff and customer records being compromised).
Outside the UK
Luxembourg has issued the biggest fine at EUR 746 million against Amazon. This relates to the company unlawfully using customer data to target advertisements. The case is currently under appeal.
The Irish Data Protection Commission has become something of a GDPR leader in the EU. Many tech giants have their EU foothold in Ireland. Instagram, Meta, Google, and WhatsApp have all been fined between EUR 60 million and EUR 405 million (Google being fined twice). Fines relate to the misuse of customer personal data, cookies, transparency, and disclosing children’s personal data.
Ripple effect of GDPR
As you can see from the huge fines in Ireland, Big Tech is being forced to pull up its socks when it comes to using our personal data. Even if the fines themselves are small beer to these huge companies, small hard-fought wins chip away at profits and reputation, forcing those in charge to build data protection into their products.
Europe has become the world leader when it comes to data protection. Not long after GDPR’s implementation, California passed its own Consumer Privacy Act. This is no coincidence. While it does not go as far as GDPR, it has certainly increased protections for individuals in the jurisdiction. Any company doing business in the United States will have to be aware of the Californian law.
Japan and the Republic of Korea have received ‘adequacy decisions’, meaning that their data protection programmes are sufficiently robust.
As a result of the Schrems II case, the United States Privacy Shield was declared invalid by the European Court of Justice in 2020. The Privacy Shield was a fundamental framework that made it easier for personal data to flow across the Atlantic. A new version of the Privacy Shield (the Trans-Atlantic Data Privacy Framework) has been agreed in principle, but may face further challenges.
Slowly, the world is getting better at protecting the personal data of individuals. GDPR has been a fundamental driving force for change.
Back to the UK – the Future
It’s difficult to say what will happen next. The fate of the UK GDPR is in the hands of the current government.
The Data Protection Act 2018 (which adopts the UK GDPR) is on the UK’s statute books, so it is unlikely to be jettisoned in full, even if the Retained EU Law (Revocation and Reform) Bill goes ahead.
However, the Data Protection and Digital Media Bill was set to narrow the definition of ‘identifiable’ data to allow more automated processing. This has stalled, but in October 2022 the Culture Secretary (Michelle Donelan) said that she intended to change UK GDPR as it limits legitimate business activities. It is likely there will be some attempt to water down protections in the future.
Whether this is positive or not depends on your stance on ‘red tape’, but I would argue that businesses have already been through the 2018 exercise and are largely used to having to comply with GDPR. It also enables UK business to benefit from trouble-free data flows with EU neighbours and other countries with adequacy decisions.
How damaging would it be if the EU and other countries didn’t recognise the UK as a safe place to process personal data?
If this topic is of interest, feel free to sign up to our upcoming webinar.