It is now three months since the implementation of the General Data Protection Regulation (GDPR) on 25 May 2018. This note sets out some of the key updates since then.
The Data Protection Act 2018 (DPA 2018) also came into force on 25 May 2018, alongside the GDPR. The DPA 2018 repeals and replaces the Data Protection Act 1998 (DPA 1998); its purpose is to ensure that the provisions of the GDPR have effect in the UK now and continue to do so post-Brexit.
Under the terms of the GDPR, EU countries are able to provide national rules relating to certain types of data processing. As an example, under the DPA 2018, the Information Commissioner’s Office (ICO), the independent regulatory office regulating data protection legislation in the UK, has the ability to serve ‘assessment notices’ on businesses. This means the ICO would have the right to intervene by entering business premises, accessing documents, equipment and all other material as well as interviewing staff.
Since the implementation of the GDPR, a number of businesses have sent emails to existing customers on their marketing lists asking them to renew their consent to the processing of their data. In the large majority of cases, these requests were unnecessary.
Consent is one of six legal grounds under the GDPR that can be relied upon to process data. Under the GDPR, consent needs to be obtained for each specific processing purpose and it can no longer be contained in general terms and conditions – it needs to be separate and clearly set out.
For businesses which relied on customers’ consent prior to the implementation of the GDPR, there is no need to ask for further consent provided that the consent already held meets the GDPR standard. In addition, email marketing is governed by the Privacy and Electronic Communications Regulations 2003 (PECR). Under the PECR ‘soft opt-in’, a business may send unsolicited marketing emails without consent where it obtained the individual’s details in the course of a sale (or negotiations for a sale) of its products or services, the marketing relates to its own similar products or services, and the individual was given a simple means of refusing marketing both when the details were collected and in every message sent.
Under the GDPR, the processing of customers’ personal data in that instance may be justified as a legitimate interest (another of the six legal grounds authorising the processing of personal data), so there is no need to rely on consent. There is also a practical risk in asking: should a business request consent which the customer then declines, it will not be able to fall back on an alternative legal ground for contacting that customer, as doing so would be unfair having asked for and been refused consent.
The new fines under the GDPR were well-documented in the build-up to its implementation – €20 million or 4% of a business’ global annual turnover, whichever is the higher. The reality is that while the ICO has found itself increasingly busy since the implementation of the GDPR (the ICO received approximately 1,700 breach notifications in June 2018 – compared to a monthly average of 375), it has yet to issue a maximum fine under the terms of the GDPR.
One of the reasons for this may be that it is still early days – the ICO has openly stated that compliance with the GDPR will be dealt with on an ongoing basis and therefore its approach to enforcement action will be both pragmatic and proportionate.
This being said, the ICO announced in July 2018 that its intention is to fine Facebook £500,000, the maximum amount possible under the DPA 1998, for its part in the Cambridge Analytica political campaign scandal. Had Facebook been fined under the terms of the GDPR, the maximum fine would have been closer to £1.4 billion.
Speculation that the implementation of the GDPR would bring a number of new complaints against businesses has been justified. On the day the GDPR came into force, complaints were brought against Facebook, Instagram, WhatsApp and Google (Android) by None Of Your Business (noyb), Max Schrems’ non-profit organisation.
Mr Schrems had previously lodged a complaint against Facebook with the Irish Data Protection Commissioner in 2013, which led in 2015 to the Safe Harbour agreement (which businesses in the EU relied upon to transfer personal data to the US) being declared invalid by the Court of Justice of the European Union. The four complaints brought by noyb are similar: each business is accused of ‘privacy à la “take it or leave it”’.
In particular, the four businesses are accused of setting up ‘consent boxes’ with the threat of each business’ service no longer being available to individuals should they not consent to their data being processed. The intention under the GDPR is to give individuals the choice to agree to data usage or not.
If the complaints are upheld, the maximum fines under the GDPR could be €3.7 billion for Google (Android) (to be decided by the CNIL in France) and €1.3 billion for each of Instagram (to be decided by the DPA in Belgium), WhatsApp (to be decided by the Hamburg Commissioner for Data Protection and Freedom of Information) and Facebook (to be decided by the DSB in Austria). Watch this space.
If you’ve got any concerns regarding the GDPR and your business, call our Corporate and Commercial team on tel: 01892 515022.