For some time now, commentators on online privacy and data protection have predicted a “tipping point”, where the public would finally realise the impact of sharing so much of their most private information online and grow tired of the endless trade in that information, leading to the spam texts and e-mails with which we’ve all become sadly familiar. After all, in the information age where businesses, platforms and brands are built and targeted around the habits and demographics of their users, knowledge truly is power. For some time, the EU has taken the use of that knowledge and the data which underpins it very seriously, which led to the original Data Protection Directive in 1995, subsequently implemented by all EU member states and reflected in UK Law by the Data Protection Act 1998.
The basic concepts set out in the Directive were all very noble and (comparatively) straightforward, imposing standards and restrictions upon any entity which collects and controls the use of personal data (defined very widely, and including photographs and even IP addresses) relating to identifiable and living individuals, so as to control the manner in which that data is collected, used and distributed. The other side of that coin saw the grant of certain specific rights to individual “data subjects”, including the right of access to any personal data (to a certain extent) held about them by a “controller”, the right to details as to how, and to whom, that data was being used and disclosed, the right to object to that use in certain circumstances, and the right to obtain compensation where damage was suffered as a result of data being processed unlawfully, i.e. not in line with the eight “data protection principles”.
Still with me? For a long time, Data Protection was seen as the new Health & Safety, with many businesses dismissing their compliance obligations as something that they intended to get around to eventually, or worse, ignoring them completely. That ignorance aside, the Information Commissioner’s Office has been increasingly willing to bring the various sanctions at its disposal to bear against businesses which misuse personal data, or alternatively don’t take proper steps to ensure that it remains secure. Against this backdrop, and the rise of big data, social media, targeted marketing and the personalised consumer experience, we’ve seen Monetary Penalties levied against the likes of Sony, to the tune of £250,000, after the PlayStation Network was hacked in 2011.
Although questions remain as to whether or not the UK is a more secure place after five years’ worth of enforcement of Data Protection Law by the ICO, the 66 monetary penalties it has issued since 2010 (the ICO can, for the time being, issue a penalty of up to £500,000 for breaches of the Data Protection Act 1998, the Privacy Regulations 2003 and other legislation which were either deliberate or reckless and caused substantial damage or distress) show that it’s far from the “toothless tiger” many thought it to be at the start of the decade. It’s been particularly hard on data breaches in the public sector, but has also been seen as relatively lenient on the likes of Google, which escaped serious censure after its “Street View” project saw a vast amount of personal data collected from open wi-fi networks across the UK.
There has been a marked improvement in the profile and importance of data protection issues in the minds of the public after high-profile hacks involving Ashley Madison, TalkTalk and others, as well as the introduction of the hugely controversial “right to be forgotten” (even though the terminology’s probably wrong), which came out of a Spanish case whose ruling allows individuals to ask Google to remove search results which link to outdated, incorrect or irrelevant data in which there’s no real public interest. That “right” has already been used as a blunt instrument to remove data from the public eye where defamation or other reputation management tools are no longer an option, although the EU’s Article 29 Working Party has since provided guidance which has allowed Google to refuse more and more of the thousands of requests it receives every day to remove elements of an individual’s online presence.
All that said, however, we’ve only just begun. Whilst many businesses complain that compliance with data protection law is simply too complex for them, and based on a “one size fits all” counsel of protection, the issue is about to move significantly higher up the corporate and legal risk agenda with the publication of the new EU General Data Protection Regulation in December last year. Some four years in the making, the GDPR itself is supplemented by the new Data Protection Directive, and aims to strengthen the existing legal framework across member states’ 500 million citizens. With concepts such as the digital single market and the new and improved “right to be forgotten” at its core, the existing patchwork of laws across the continent will eventually be swept away – I say eventually, as the chances are that the new legislation won’t come into effect until the back end of 2017. That delay notwithstanding, it’s worth thinking now about how to plan for the impending changes and about recruiting a Data Protection or Privacy Officer – you’re about to need one.
The GDPR raises a number of issues for businesses, the headline being the concept of “privacy by design”, which should be the guiding principle for any use or “processing” of personal data, shored up by policies (and in some cases the mandatory appointment of a Data Protection Officer) which demonstrate that commitment, alongside better processes to allow individuals (who should increasingly be referred to by pseudonyms and not their true names, which will be mandatory in some industries) to obtain access more easily to information about how their personal data is used, in a concise, transparent, straightforward and user-friendly manner.
Consent to the processing of personal data has long been a key concept in data protection law, and although in some circumstances (usually relating to marketing to either existing customers or individuals who’ve made enquiries of a business) it can be “implied”, when the GDPR is fully introduced businesses will be expected to use methods of obtaining consent which are “unambiguous”. This reflects and strengthens the current position that consent must be specific, informed and active; “opt-in” rather than “opt-out” consent (including in relation to receiving marketing materials) will be the only acceptable standard.
Equally significant is a shift away from the lion’s share of compliance falling on the shoulders of Data Controllers (who obtain personal data and direct how it can be processed) towards placing more responsibility on Data Processors, to whom the Controller outsources either the storage or the processing of data. Although currently Processors are bound to comply with the existing law and the instructions of their Controller (with their responsibilities required by law to be set out in a written contract), in future they’ll be subject to stricter controls, not least relating to the transfer of data or the appointment of any “sub-processors”.
Turning to what happens when data security is breached, the GDPR requires businesses to notify their Data Protection Authority within 72 hours. This is a significant change to the current position, where there is no legal obligation to report breaches, but there is strong encouragement to report serious breaches which could have a detrimental effect on data subjects, with a higher presumption of clemency, or at least assistance, in any resulting ICO enforcement action. Not only that, but if the breach is likely to lead to a high risk to the rights and freedoms of individuals, consumers and data subjects should also be notified without delay. Against the backdrop of the recent Vidal-Hall decision, in which the Court confirmed that damages could be recovered for distress caused as a result of a data breach rather than only for pure monetary losses, it’s likely that data protection claims by consumers will become permanent fixtures of court lists and potentially a major source of growth for law firms looking for the next wave in large-scale or high-volume litigation.
As noted above, the “right to be forgotten” tilted at in the Google Spain case from May 2014 will (eventually) become a matter of legislation and national law, with obligations on businesses to delete, without undue delay, personal data which they no longer need or in relation to which consent to processing has been withdrawn. Again, this is a shift away from the current obligations to ensure that data processed is only held for as long as necessary and kept up to date, with which many businesses already struggle, especially those dealing with huge customer databases.
What didn’t survive the negotiation and wrangling across the EU was the introduction of a “digital age of consent” raised from 13 to 16: against a huge backlash from tech giants and commentators over the resultant ban on social media use, the question was ultimately left in the hands of member states – notably, the UK has already stated that its age of digital consent will not be raised. However, the new high watermark for monetary penalties of up to 4% of global turnover in the event of the most serious breaches has made the cut, and this alone should focus the attention of businesses across the continent on their commitments and obligations relating to their use and exploitation of personal data.
So, is it time to panic? Not yet – helpfully, the ICO has made 5 key suggestions for businesses looking to skill up before the GDPR becomes law, focussing on assessing how and where consent for processing is obtained from individuals, accountability and record-keeping, staffing up to ensure that businesses have the right expertise to deal with the new obligations, and planning in peacetime for when, not if, a breach takes place.
In a time when even “safe harbour”, and the assumption that the US was a “safe” place to which personal data could be transferred, is now a thing of the past (at least for the time being, following a case brought by privacy activist Max Schrems in the wake of the Ed Snowden revelations), the huge, fundamental and permanent change which the GDPR introduces simply can’t be ignored. Consumers and individuals certainly won’t ignore it, given recent high-profile breaches, and planning to manage, if not mitigate, its impact should be as important to every business as simply keeping the lights on. Brussels will expect nothing less.