GDPR Season 1: Off to a Slow Start?
30 May 2019
Like winter in the popular HBO series Game of Thrones, privacy professionals warned that ‘GDPR is coming’ many months, years even, before the army of supervisory authorities (SAs) and data subjects started to amass on their doorsteps. For the most part, the warning fell on deaf ears. It was only when the first snows had already started to fall, signalling the imminent arrival of winter, that GDPR preparations began in earnest – with panic soon turning into hysteria, for some.
But 25 May 2018 came and went and, much like Y2K, there weren’t any cataclysmic events. Many felt that it was all a bit of an anti-climax (much like the finale of the HBO series, according to some fans). In fact, once the wave of repermissioning emails had crashed, it was pretty much back to business as usual (albeit that the data focus was on the ‘B’ word – see here for our guide on how to get Brexit-ready).
So you might be forgiven for wondering what all the fuss was about. After all, where were all those headline-grabbing €20m / 4% of global turnover fines and the large-scale data litigation, often overegged by pundits, the prospect of which had C-suites breaking out in cold sweats?
Well, when it comes to enforcement action, over this last year SAs have – for the most part – been clearing the backlog of pre-GDPR cases, and (save for CNIL) haven’t yet had the opportunity publicly to flex their regulatory biceps. There are rumours of some ‘big’ fines in the pipeline though, so watch this space. To the extent that action has been taken, it would certainly seem that the pre-GDPR speculation of SAs making early examples of organisations for minor infringements, or that maximum fines will become the norm, was indeed scaremongering.
We’re also going to need to ‘watch this space’ when it comes to large-scale data litigation. In the UK, Richard Lloyd (a former director of Which?) tried to bring a claim, as a ‘representative claimant’, against Google for secretly tracking the internet activity of iPhone users via a method called the ‘Safari Workaround’. This attempt at an US-style class action failed at first instance late last year, but there’s been talk of an appeal. In April of this year, the Supreme Court granted Morrisons leave to appeal the controversial Court of Appeal decision upholding the first instance ruling against it by which Morrisons was found vicariously liable for a substantial data breach caused by a rogue employee.
It’s probably fair to say that there’s generally been more of everything this last year. Most organisations will have experienced an upturn in data subject rights requests, with the vast majority of those being access requests. Not really surprising given media headlines, as well as campaigns by SAs to bolster the right to be informed and to make tools available to those wanting to exercise their rights. On the issue of rights requests, it’s worth noting that ‘None Of Your Business’ (whose complaint to CNIL about Google’s ad personalisation resulted in a €50m fine) has also – in its capacity as a representative body – filed complaints with the Austrian SA against 8 online streaming services in relation to their automated systems for handling DSARs.
We’re also seeing more compensation claims by individuals; and the claims are getting more creative rather than those we’ve previously become accustomed to where (typically) an unsolicited marketing email or two pinging in the middle of the night apparently wakes the recipient claimant and causes damage.
Reported data breaches are up. The ICO apparently received around 14,000 of them this last year compared with 3,300 in 2017/18. As an aside, in its recent Cyber Security Breaches Survey 2019, DCMS noted an apparent reduction in the number of cyber incidents. Good news? Not quite. Rather than this just being down to organisations becoming more cyber secure, DCMS observed that the reduction could in part be explained by businesses, in responding to the survey question, being less willing to admit to having breaches as a result of the GDPR. Complaints to SAs by data subjects are, of course, up too. The ICO has apparently received some 41,000 of them since last May (compared with 21,000 for 2017/18).
If you like numbers, here are a few plucked from the EDPB’s recent ‘overview’ on the implementation and enforcement of the GDPR:
- 206,326 cases were reported by SAs from 31 EEA countries;
- 94,622 cases related to complaints;
- 64,684 cases were initiated on the basis of data breach notification by the controller;
- €55,955,871 in administrative fines were imposed by SAs from 11 EEA countries (presumably the bulk relates to CNIL’s fine against Google);
- 45 One-Stop-Shop procedures were initiated by SAs from 14 different EEA countries, of which only 6 are final decisions (they relate to the exercise of rights, the appropriate legal basis for data processing, and data breach notifications).
So while the first season of GDPR might be characterised as getting off to a slow start, all the signs are that season 2 is likely to be much more action-packed. CNIL describes this last year as a ‘transition’, and we’re going to take a closer look at what we’re transitioning to in our trailer for season 2, in an article to follow shortly. Meanwhile, the DCMS survey referred to above included the following quote attributed to a ‘medium business’: “GDPR has been kicked into pretty long grass now.” If that can also be said of your organisation, now is probably a good time to start looking for it.