Three years ago, the legal, cybersecurity and technology sectors were anticipating an impending legal storm. The EU’s General Data Protection Regulation was about to become enforceable. The regulation has gone on to become a model for many national laws outside the EU, and California also adopted its California Consumer Privacy Act just a month later.
Some big-name companies have made headlines with fines: British Airways was fined £20 million and Marriott £18.4 million for substantial breaches of the rules. According to DLA Piper, data protection regulators have imposed €272 million in fines for a wide range of GDPR infringements. There have been more than 281,000 data breach notifications since GDPR became applicable on 25 May 2018, with Germany (77,747), the Netherlands (66,527) and the UK (30,536) topping the table for the number of data breaches notified to regulators.
Has the legislation been a success?
“The GDPR has undoubtedly proved to be a successful piece of EU-wide legislation,” says Tim Heywood, a partner and data protection expert at gunnercooke. “Its stated aim is to protect the fundamental human right to privacy in relation to our personal data. It has put data privacy on the agenda for all corporate boards and has strengthened our rights as individuals.”
Far from the fear and panic that many businesses across Europe felt prior to enforcement, for Cacy-Leigh Neilson, an Employment and Data Protection Associate Solicitor at Oury Clark, it has actually been positive for businesses: “businesses are finding that if they follow the concept of privacy by design and default, and they do it right, it can be a business enabler, unlocking the potential for their business to benefit from responsible data uses and data-driven innovation as a competitive advantage.”
The legislation has also taken a while for its full force to be felt, and its impact has been slowed by the pandemic too. “Initially yes, it took some time for real GDPR fines to start being applied at levels that meant something. By 2020 and into this year, we’ve seen significant fines in the $20 million+ range for breaches and mishandling of data. While still not comparable to the actual ransomware payments demanded in a lot of cases, the spectre of a €50 million fine against Google is not to be trifled with,” says Adam Brady, Director, Systems Engineering at Illumio.
However, Toni Vitale, a partner at Gateley Legal, thinks that fines and public awareness haven’t been translated into enough action by companies, “I am concerned to see that most large tech companies and a majority of online actors have yet to adapt their behaviour to implement key requirements of GDPR,” he explains. “This includes modifying data processing principles and data protection by design and by default requirements. Users are still tracked online, across websites, platforms, and through their devices, often without a valid legal basis, and without awareness of such processing. There is much more to do here.”
Rise of the Data Protection Officer
One key part of the legislation was the requirement for certain organisations to appoint a Data Protection Officer (DPO), responsible for managing compliance with the GDPR. “Responsible for both internal education around data use, what constitutes personal data, and monitoring thereafter, the DPO is a very visible reminder of the real importance of data protection. It’s not easy to ignore GDPR when a business works to identify and specify a person or people with oversight,” according to Illumio’s Adam Brady.
For John Flynn, Conosco’s Principal Security Consultant, DPOs bring a culture change too: “they have changed the culture of businesses by assuring the requirements of compliance to GDPR are in place and are monitored and assessed. They have also assisted in raising awareness of the importance of data protection amongst all areas within businesses.”
A real-life stress test
COVID-19 brought an unexpected challenge for compliance: was the system resilient enough to handle the new world of remote work, contact tracing and an overrun regulatory administration?
Toni Vitale thinks it turned out to be the perfect stress test. “The last few months have provided unassailable proof that the GDPR can withstand a real-life stress test. Sometimes derided by critics as overly rigid and bureaucratic, the GDPR has emerged as resilient and flexible when dealing with the COVID-19 crisis. Even as the pandemic put data protection rules under the spotlight, regulators and governments have deployed the GDPR judiciously, benefiting from the framework’s intricate balance of privacy rights against other compelling public interests such as public health. This facilitated the deployment of public health measures in Europe, including employee health scans and using technology for contact tracing at scale.”
However, Howard Freeman believes that COVID-19 may simply have provided more evidence that the GDPR is more bark than bite: “the ICO never reached out and punished a ‘normal’ business for a breach. Had they done so, this would have Yes, they fined BA over £180 million but that was later reduced to £20 million, mainly due to Covid-19. Perhaps a better way was still to collect the fine but give BA time to pay it. The ICO has also suffered with response times, possibly due to the high number of calls it has received and Covid-19.”
A catalyst for global data protection
So what’s next for GDPR? According to Jorren Kibbe, a barrister at No5 Barristers’ Chambers practising in data protection claims, companies will want to keep a close eye on Lloyd v Google, a representative action brought against Google on behalf of around 4.4 million iPhone users alleging that Google acted in breach of its duties as a data controller. “The decision of the Supreme Court in Lloyd v Google is likely to have a strong impact on the viability of large-scale class actions for breach of the UK GDPR in England and Wales. If the Supreme Court allows claims for ‘loss of control’ of personal data to proceed, damages claims arising out of large-scale data breaches are likely ultimately to dwarf the fines that regulators can impose, with knock-on effects for business compliance and for insurers.”
For Cacy-Leigh Neilson, this is only the start of a global adoption of privacy legislation: “we are likely to continue to see this trend develop as more countries adapt their data privacy legislation, and this will in turn allow easier data flows between entities in different jurisdictions, ultimately lowering the cost of compliance, which will allow for greater alignment between different countries from a data protection perspective, which in turn will aid cross-border business operations.”
As Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, points out, however, all legislation is shaped by the problems prevalent when it was enacted: “while GDPR was enacted to address the data processing issues of personal data, for a cyber-criminal access to user data may be secondary to a larger objective such as holding a business up for ransom. In effect, obtaining a ransom payment might be more lucrative than attempting to sell user data on the dark web. The evolving cyber security threats underscore a GDPR reality that only the minimum data required to perform a task should be created, and that data should only be retained for the minimum duration required to complete that task and to comply with other regulatory requirements.”