The low down
Ahead of its introduction, many expected the General Data Protection Regulation (GDPR) to generate a bonanza of work for lawyers. But there was a 13-month wait for the Information Commissioner’s Office to issue its first fines. The ICO, it seems, is working to a plan – issue plenty of guidance, allow businesses to adapt while building up staff levels, then start to flex regulatory muscle. If regulators once aimed to carry a big stick and speak quietly, this is not the ICO’s style. It has the power to fine £17m or 4% of global turnover, whichever is higher. Facebook, Leave.UK and British Airways are among those facing the consequences of alleged breaches. Failures around data are also a reputation risk for organisations, whose compliance efforts must focus on correct data deletion as well as management.
It took the Information Commissioner’s Office (ICO) 13 months to issue the first fines under the General Data Protection Regulation (GDPR). Using the pan-European regime, it announced its intention to issue fines of around £283m in total against British Airways and Marriott International (£183.39m and £99.2m, respectively) for failure to keep personal data they hold secure from cyber-attacks. BA and Marriott had 28 days to make representations, which are being considered by the ICO.
Under the GDPR, which came into force in May last year alongside the Data Protection Act 2018, the ICO can fine ‘data controllers’ up to £17m or 4% of global turnover, whichever is higher (compared with the previous maximum of £500,000).
‘Companies have had somewhat of a grace period after the implementation of the GDPR,’ says Robert Allen, a partner and member of Simmons & Simmons’ data protection and privacy group. ‘The ICO has given organisations an opportunity to become familiar with the regulations, and has published [a lot] of guidance. Now it is starting to really flex its regulatory muscle.’
GDPR has affected all sectors, from the pension trustee with limited experience and resources to the large multinational financial services institution with a substantial budget for GDPR compliance
Rebecca Cousin, Slaughter and May
Kingsley Napley partner Emily Carter points to the introduction of mandatory breach reporting (organisations must report certain personal data breaches to the ICO within 72 hours of becoming aware of them) and the ‘significant increase in both numbers and expertise of the ICO workforce’.
These developments ‘mean that the ICO will impose record fines in the next year, far exceeding the £3m in 2018/19,’ Carter says.
With 22 fines issued – two of which were the ICO’s’ highest-ever – last year was already ‘record-breaking’, according to the regulator’s latest annual report. Equifax Ltd and Facebook Ireland Ltd were fined the maximum £500,000 each for data breaches predating the GDPR, and affecting the personal data of 15m UK citizens and 87m users worldwide, respectively.
Beyond the headline-grabbing fines, the new data protection framework is big business for law firms. Rebecca Cousin, a partner and co-head of Slaughter and May’s data protection and privacy practice, says: ‘GDPR has affected all sectors, from the pension trustee with limited experience and resources to the large multinational financial services institution with a substantial budget for GDPR-compliance.’
Business clients are currently grappling with data deletion. Under GDPR, organisations cannot keep data for longer than they need it. ‘Issues around data sharing and joint controllers regularly crop up, as do discussions on the implications of Brexit,’ Cousin says.
There are data protection implications in litigation, projects and transactions. For example, Marriott’s proposed fine highlights ‘the importance of due diligence in an M&A context’, Cousin says.
In 2016, Marriott acquired Starwood hotels, but it was not until two years later, when hackers stole the records of 339m guests, that it discovered Starwood’s systems had been compromised in 2014.
The GDPR’s reach extends to any business that markets products and services to individuals in the EU. ‘Our London and Hong Kong data protection hubs regularly advise overseas clients on the impact of the GDPR’s extraterritorial reach,’ Cousin says. ‘Our practice is also seeing an ever-increasing number of questions around the data protection and privacy implications of AI, blockchain and emerging tech.’
Osborne Clarke partner Mark Taylor relates ‘a gradual shift from simple compliance or readiness activity to more sophisticated queries, and also a focus on dealing with data incidents and individuals exercising their rights’.
The GDPR gives citizens and consumers (the ‘data subjects’) better control over how their personal data is used, shared and stored. Lewis Silkin partner Dr Nathalie Moreno says: ‘Brands want to capitalise on the positive marketing related to compliance.’ Her clients are increasingly using consent and other data management tools to show that they ‘take privacy to heart’.
Data gets only a brief mention in Boris Johnson’s Brexit deal and the European Union (Withdrawal Agreement) Bill, but if the UK exits the EU with a deal employing the same approach to data law as the withdrawal agreement of former PM Theresa May, the status quo will apply, at least until 31 December 2020. As its predecessor, the GDPR restricts the transfer of personal data to countries outside of the European Economic Area, but the expectation is that by the end of the transition period there will be an ‘adequacy decision’ by the European Commission to permit the free flow of personal data from the EEA to the UK.
If there is no exit agreement between the UK and the EU, it is unlikely the commission will grant adequacy status anytime soon.
Osborne Clarke partner Mark Taylor says that Brexit-related work has focused on helping clients understand how cross-border transfers will be affected, and to ‘put into place data transfer solutions that will enable them to continue to move data from the EU to the UK post-Brexit’.
These include EC-approved standard contractual clauses (SCCs). For transfers from the EEA into the UK, and in absence of an adequacy decision, importers and exporters of personal data will have to use ‘appropriate safeguards’ such as SCCs.
SCCs are widely used by businesses within the EEA to export data outside of it, yet the Schrems II case is challenging their validity. ‘The first Schrems case invalidated the US Safe Harbour scheme, which permitted transfers from the EEA to the US entities that had certified under Safe Harbour,’ says Slaughter and May partner Rebecca Cousin. ‘A similar outcome in respect of the SCCs is likely to cause disruption, especially as there isn’t really an easy alternative to switch to at the moment.’
There are other aspects of Brexit that will ensure a steady stream of work for lawyers. ‘Whether we leave with or without a deal, it looks as if the ICO will no longer be able to be a lead supervisory authority under the GDPR regime,’ Taylor notes. Under the GDPR’s ‘one-stop-shop’ system, businesses doing cross-border processing only deal with a single supervisory authority that acts as ‘the lead’ on behalf of the other EEA authorities.
Allen & Overy partner Nigel Parker asserts: ‘Saying that there is no expense spared is perhaps a little bit strong but it’s not far off it. Clients are really taking [data protection] seriously.’
A&O has seen a spike in personal data breach (PDB) work. This reflects the 13,840 PDB reports received by the ICO in 2018/19, compared with just 3,311 the year before.
Given the risk of hefty fines, ‘clients have all effectively lowered the thresholds at which they will engage external counsel to advise on data breaches as they are keen to understand and know when they need to report them to the regulators,’ Parker says. PDBs must be reported to the ICO when they ‘pose a risk to the rights and freedoms of natural living persons’.
Nevertheless, so far there has not been ‘a great uptick in the number of cases being pursued’, Parker observes. ‘When we do report, [because] the threshold is met and there is a risk of harm to individuals, we are increasingly finding that the ICO will come back and say, “thank you for letting us know, the case is closed”.’
The ICO said that over 82% of all reported PDBs in 2018/19 required no further action, demonstrating that ‘businesses are taking the requirements of the GDPR seriously’.
Taylor adds: ‘There has been enforcement activity and investigations going on behind the scenes for most of the year since the GDPR came into force.’ But the focus has been less on financial sanctions and more on advice and reprimands. ‘The two [intent-to-fine] notices… are outliers at this stage.’
Facebook’s failure to keep secure the personal information of 87m people allowed the now defunct British consultancy Cambridge Analytica to access a subset of this data (without user knowledge) for US political campaigning. The scandal broke in March 2018 and resulted in the £500,000 fine in October.
A year earlier, the ICO launched a formal investigation into the use of data analytics for political purposes, following allegations of ‘invisible processing’ of personal data and the micro-targeting of political adverts during the UK’s EU referendum.
This investigative work led to combined fines in February of £120,000 for Leave.UK and Arron Banks’ Eldon Insurance for unlawful political marketing messages. A code covering political campaigning may follow. At the time Leave.UK indicated it would appeal, though this has not been subsequently confirmed.
Adtech is another ‘priority’ sector. In response to complaints from campaign groups such as Privacy International and Open Rights Group, in June the ICO produced another policy report on the use of personal data in real-time-bidding in programmatic advertising (whereby ad impressions are bought and sold in auctions taking milliseconds).
The ICO is concerned that ‘one visit to a website, prompting one auction among advertisers, can result in a person’s personal data being seen by hundreds of organisations, in ways that suggest data protection rules have not been sufficiently considered’.
From 25 May 2018 to 1 May 2019, the ICO received over 41,000 data protection complaints from the public, compared with 21,000 in 2017/18. Data subject access requests (DSARs) almost doubled in the year following the introduction of the GDPR, representing 38% of all complaints received.
Carter notes: ‘For any organisation, responding to a DSAR is a significant administrative burden and there is often lack of clarity concerning the extent of the obligations coupled with misunderstanding of the application of the statutory exemptions. These difficulties are especially acute for small or medium-sized organisations.’ While DSARs are not new, under GDPR such requests can now be made for free (previously organisations could charge £10 to process them).
DSARs allow individuals to obtain a copy of their personal data, or information from their employer or ex-employer such as advance disclosure before issuing a claim – hence they are now ‘a real feature of pre-employment litigation strategy’, says Allen. DSARs are also becoming more ‘sensitive and complex’ and clients need external legal advice to respond to them.
Susan Hall, a partner at Clarke Willmott, says: ‘People are using them strategically as an alternative [or in addition] to a pre-action disclosure application.’
Moreno has also seen an increase in DSARs linked to political micro-targeting. Moreno is representing pro-Remain organisations trying to bring an action against the practices of the Leave camp.
‘We are seeing privacy rights groups take a prominent role,’ says Parker, pointing to Privacy International as an example. In November, the UK-based charity filed a series of complaints against data brokers, adtech companies, and credit referencing agencies with data protection authorities in France, Ireland and the UK. The complaints ‘document wide-scale and systematic infringements of data protection law’.
The ICO has given organisations an opportunity to become familiar with the regulations, and has published [a lot] of guidance. Now it is starting to really flex its regulatory muscle
Robert Allen, Simmons & Simmons
‘Many of my clients have been interested in those complaints,’ says Parker, recommending that ‘a lot of companies out there should be paying attention’ to them.
Parker says many such complaints ‘are well-researched, well-written, well-thought-out complaints and they are presented to the regulator on a silver platter: “Here is your investigation already done for you, all you need to do is to rubber stamp it and make a finding against these organisations and fine them”’.
The UK has not yet seen a successful collective action for compensation over a data breach, but Cousin points to the ongoing litigation between Morrisons and a group of more than 5,000 former and current employees that are seeking compensation after the payroll data of nearly 100,000 staff was leaked on the web by a rogue employee. Morrisons’ appeal will be heard in the Supreme Court in November.
‘Other recent headline-grabbing data breaches are likely to lead to similar actions, in particular where the ICO has issued a fine,’ Cousin says.
Under the GDPR there is no need to suffer any financial loss to make a claim, and it is possible to claim damages for distress alone. However, Carter says: ‘The quantum of damages remains prohibitively modest against the cost of an individual claim.’ Hence the rationale of collective actions.
Still, the expansion of class action firms in the UK, and new provisions under GDPR allowing not-for-profit organisations to bring claims on behalf of individuals, mean this area ‘will inevitably be tested further in the courts’, according to Carter.
It is significant that from the start of this October all High Court claims that include data protection must be issued in the Queen’s Bench Division’s Media and Communications list. Hall says this shows that this rapidly expanding area of law ‘needs specialist judgments’.
Meanwhile, regulator pressure on organisations that handle data is unlikely to diminish. Lawyers expect more fine notifications by the ICO in the coming weeks and months for violations of the GDPR.
Earlier this year, the ICO signed a co-operation agreement with the Financial Conduct Authority, given the large amounts of personal data that financial services firms handle. ‘We may see regulatory action in the financial services sector by one or other of those regulators or both at the same time,’ predicts Allen, adding that many clients regulated by financial institutions have seen an increase in data-related complaints.
The ICO is also pursuing organisations that are not paying their fees to the regulator. Under new regulations, also introduced in May last year, data processors must pay an annual ‘data protection fee’ to the ICO unless exempt (replacing the formal notification process). The ICO can now issue penalty notices of up to £4,350 for non-payment.
Larger organisations now pay £2,900 annually (compared with an annual notification fee of £500 previously). In 2018/19, the ICO’s fees totalled £39m (compared with £21m in 2017/18), an 84% increase on the previous year.
This funds the authority’s data protection-related work. As Hall says: ‘Effectively, that is their war chest for bringing action.’
Marialuisa Taddia is a freelance journalist