This time last year, the General Data Protection Regulation (GDPR) took effect. Since then, it has undoubtedly been the busiest year to date in data protection compliance. Official figures from the International Association of Privacy Professionals show 375,000 newly registered Data Protection Officers, 280,000 new cases referred to regulators and $56,000,000 worth of fines issued in enforcement actions.
With regulators beginning to shift their focus from compliance to enforcement, organisations should remember that GDPR compliance is an ongoing process.
The Google fine
By far the most significant GDPR enforcement action to date was Google’s $50 million fine by the local data protection regulator in France, CNIL.
CNIL cited two reasons for the fine. Firstly, “a lack of transparency and inadequate information” regarding how to access Google’s privacy policies, and secondly, “a lack of valid consent regarding ad personalisation”.
Transparency is one of the seven key principles set out in GDPR. CNIL found that “essential information” relating to how personal data was used by Google was set out “across several documents.” The result was a lack of transparency in relation to Google’s data processing operations which prevented the user from readily understanding how personal data was being processed and for what purposes.
The GDPR mandates that organisations must have a lawful basis for collecting and processing personal data. Consent is one of the six legal bases for processing personal data. Under GDPR, consent must be “freely given, specific, informed and unambiguous.” In this case, Google sought to rely on the users’ consent to personalise advertisements by using a pre-ticked box when users’ created an account. CNIL found that this was not valid consent under GDPR.
It is particularly important for the tech sector to understand that Google, like most organisations, had made changes to its procedures and activities since the introduction of GDPR in a manner that it believed to be compliant with GDPR. In this case, CNIL decided that those changes were not adequate and fined Google accordingly. In other words, it is no defence to say that “we tried our best” and regulators will treat breaches under the GDPR as strict liability offences.
Above all, the Google fine should serve as a reminder to the rest of the tech sector that regulators are feeling empowered by the enforcement provisions afforded to them under GDPR.
The Brexit Question
Having granted an initial extension of the Article 50 process until April 2019, EU leaders have now afforded the UK a further six-month extension until 31 October 2019 when the UK will leave the EU. Depending on whether or not the UK leaves the EU with or without a deal, a further two year transitional period may apply.
Regardless of when the UK leaves the EU, GDPR will no longer apply directly in the UK (although equivalent standards will be maintained through the Data Protection Act 2018). In consequence, the UK will be considered a “third country” with respect to GDPR meaning that EU member states will only be able to transfer personal data into the UK with additional, more onerous, export measures.
In the coming months, this may impose another significant compliance hurdle for companies involved in transferring personal data to and from the UK. One possible way to overcome this hurdle would be for the UK to receive an “adequacy” decision from the EU which would permit an uninterrupted free-flow of personal data to and from the UK.
Whilst many businesses have now completed their initial GDPR compliance project, the Google fine and the possible changes to UK companies’ obligations following Brexit serve as a reminder that compliance is a continuous requirement. Organisations in the UK must not get complacent and should continue to undertake privacy impact assessments and measure their compliance against key performance indicators. In particular, organisations should keep pace with technological improvements in information security to ensure their organisational and technical measures for safeguarding data remain adequate.
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.