On 8 July 2019, the ICO issued a notice of intent to fine BA £183m following a data breach incident in September 2018. This remains subject to representation by BA and so the proposed fine could be reduced or indeed not imposed at all.
Just four or five years ago, data protection was a relatively niche area of law, and data protection experts a relatively rare breed. The true value of our data and all the ways in which it was being processed had not yet fully entered the public consciousness. Yet, in the intervening period, data protection has risen to prominence across most areas of business and wider society. Data security, the use of personal data for political analytics, and electronic marketing, amongst other things, are all coming under intense scrutiny - not just from regulators, but also from the Courts, as well as the general public - the data subjects themselves.
Here, we consider the past year of GDPR, identifying the areas we recommend that clients focus on, and we look ahead to potential future developments.
GDPR fines will come, but at what level?
In the lead-up to GDPR coming into effect last May, organisations were particularly concerned about being on the wrong end of huge administrative fines. Potential fines for an infringement of GDPR of €20m or up to 4% of global annual turnover, whichever is higher, took centre stage in the media coverage. Whilst the UK Information Commissioner (ICO) was at pains to stress that the increased fining power was just one aspect of the new regime - it was "scaremongering to suggest that we'll be making early examples" - the risk of such catastrophic fines certainly made GDPR compliance a board-level subject.
A year on, the ICO's downplaying words have proved to be true. It has not made any "early examples" of businesses that have breached the new regime. In fact, the ICO is yet to issue its first fine for an infringement of GDPR: the headline fine in the EU so far is the French data protection authority's €50m fine against Google for breach of GDPR's transparency rules. That is not to say the ICO is not exercising its enforcement powers. It has issued a number of significant fines for incidents that took place before GDPR, including recently a £120,000 fine against a maternity clinic for unlawful filming, as well as fines for breaches of online marketing rules.
Given the large volume of personal data breach reports since May 2018, we would expect some of those incidents to attract fines under GDPR. However, in response to our Freedom of Information (FOI) request, in March 2019, the ICO confirmed that it had not yet issued any Notices of Intent, a necessary step before issuing a fine under GDPR. It may therefore still be some time before we see fines under GDPR, and more importantly understand the likely level of fines for different types of infringements.
Remember to pay the data protection fee, or you will be fined.
Organisations have rightly focused on their GDPR compliance obligations, but it seems that many have let an administrative requirement slip under the radar. Whilst the first fines for GDPR infringements are yet to emerge, the ICO has issued a number of fines for failure to pay the statutory data protection 'fee'. Unless an exemption is available, data controllers must pay a fee to the ICO of either £40, £60 or £2900 (depending upon their size) or risk a fine of up to £4350. As we reported in November 2018, despite receiving reminders, organisations in a range of sectors, including government, have been fined for failure to pay the fee, and the first attempt to overturn such a fine (by Farrow & Ball) has failed.
Data breaches: an abundance of caution is not always the answer.
GDPR requires that a data controller must report a personal data breach (e.g., the loss of personal data) to the ICO without undue delay and within 72 hours, unless that breach is unlikely to result in a risk to the rights and freedoms of individuals. Further, in some circumstances, GDPR requires the data controller to notify the affected individuals of the breach. Not surprisingly, the shift to mandatory reporting of data breaches for all data controllers has led to a huge increase in the number of data breaches reported to data protection authorities: in December 2018, the ICO said that there had been over 8,000 data breach notifications since GDPR came into effect. In our experience, borne out by ICO statements that it has seen over-reporting of data breaches, it is important to step back and conduct a proper assessment of the implications of a data breach, rather than reporting out of an abundance of caution. There is, of course, only a limited time in which to make that assessment, but the implications of reporting an incident when it was not required could also be significant. The key message is to act quickly, including taking advice where appropriate, and to keep a record of any reasons for not reporting.
Requests from individuals about their personal data can cause significant disruption.
GDPR has enhanced individuals' rights in relation to their personal data. Individuals can make a range of requests concerning their personal data. These fall under the umbrella term of 'subject access requests' (SARs), but extend to requests to restrict processing, correct inaccuracies, and, in some circumstances, erase personal data. SARs can be disruptive for any business, both in terms of the resource and the financial cost involved: in one recent case, it has been reported that a data controller incurred legal fees of £239,000 inclusive of VAT in dealing with a single SAR. As anticipated, since GDPR there has been a significant increase in the volume of SARs, putting many businesses under considerable pressure unless they have an effective system in place. Getting it wrong could not only lead to a complaint to the ICO, complaints about SARs being the most frequent type of complaint it receives, but also potentially expensive litigation over whether the data controller has properly dealt with the data subject's request. In many cases, SARs can be managed more easily than first appears. There may be an exemption that can be relied upon, or the information sought may not, when analysed, amount to the individual's 'personal data'. In more complex cases, rather than reviewing every document manually, machine learning software can be used to locate and identify the relevant documents. Conversely, a well-made SAR can result in a data subject finding out what personal data of theirs is being processed, and whether that processing is lawful.
What to look out for in the next 12 months:
Spotlight on Data Protection Impact Assessments.
In certain high-risk cases, a data controller must conduct a data protection impact assessment (DPIA) before processing the relevant personal data. We can expect an increased focus on DPIAs in the coming months. One example is the use of new or invasive technologies to process special category data, including biometric data, such as HMRC's practice of capturing and recording five million voice records of callers to its hotline without obtaining adequate consent, which was recently found to be a significant breach of data protection law.
Disputes arising from data processing agreements.
We have seen numerous examples of poorly drafted or misconceived data processing agreements in which the parties' obligations and liabilities have been based on a mistaken analysis of the concepts of "controller" and "processor". Some of these arose from organisations' desire to remediate their contracts swiftly to reflect GDPR, even where no such requirement existed. We anticipate that the coming months will see disputes emerging as parties seek to rectify or avoid these erroneous terms.
Court rulings on data leaks and potential damages payouts.
In October 2018, the Court of Appeal ruled in the Morrison's case. The effect of its decision is that, even if an employer takes all reasonable steps to secure personal data in line with its obligations under data protection law, it may still be liable to pay damages to individuals where one of its employees stole personal data. Morrison's has recently obtained permission to appeal to the Supreme Court, and the Supreme Court's decision will determine how data protection law interacts with the rules on vicarious liability of employers. Other data protection actions may also hit the headlines, including claims against the Met Police regarding facial recognition technology and a judicial review of the lawfulness of the exemption in the new Data Protection Act concerning immigration data.
Challenges to Ad Tech.
The Irish Data Protection Commissioner, the GDPR lead supervisory authority for many global tech giants, has very recently announced an investigation into Google's processing of personal data in the context of its online Ad Exchange. The investigation has been prompted by complaints by data subjects and wider civil society groups. We expect to see similar complaints being made, and investigated, across Europe, as concerns about online advertising practices and infrastructure increase.