This week marks six months since the General Data Protection Regulation (GDPR) took effect. The GDPR significantly increased regulators' power to impose fines, with the maximum for some offences now set at 20 million EUR or 4% of global annual turnover, whichever is higher. The GDPR adopts the same principle-based approach as the preceding Data Protection Act 1998. However, the obligations on data controllers are more onerous under the GDPR than they were before, and the consequences for non-compliance more severe.
The GDPR came into force at a time of heightened public awareness of data protection and data misuse. The regulator, the ICO, was under greater pressure than ever to ensure effective compliance, on the back of a series of high-profile data breaches and the Cambridge Analytica scandal.
So, six months in, I’ve examined how the data protection landscape is changing in the UK and outlined below the biggest developments over the past six months.
Facebook fan pages
In June, the Court of Justice of the European Union considered whether the administrators of Facebook fan pages are data controllers, in the case of Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, in the presence of Facebook Ireland Ltd (Case C-210/16).
The Court held that administrators of Facebook fan pages are joint data controllers and, as such, are jointly responsible with Facebook for the processing of page visitors' and users' data anywhere within the European Union.
Cambridge Analytica
In July, the ICO published a progress report on its investigation into the Cambridge Analytica scandal. The report set out the regulator's intention to fine Facebook up to £500,000, the maximum available under the old law, for two breaches of the Data Protection Act 1998. It also noted that warning letters had been sent to eleven political parties.
As for Cambridge Analytica's parent company, the ICO announced a criminal prosecution for failure to comply with an earlier Enforcement Notice, and served a new Enforcement Notice compelling it to deal properly with an outstanding subject access request. The data broker Emma's Diary and Cambridge University also faced regulatory action. Alongside the report, the Information Commissioner called for a statutory code regulating the use of personal data in political campaigning.
The report was a clear statement of intent from the regulator that it will use its powers to tackle the misuse of personal data for political purposes.
The Child Sexual Abuse Inquiry
In July, the Independent Inquiry into Child Sexual Abuse was fined £200,000 after a member of the Inquiry's staff emailed 90 individuals about a forthcoming hearing. The staff member accidentally placed the recipients in the "To" field rather than the "BCC" field, so every recipient could see the addresses of all the others. The ICO held that the Inquiry had failed to take appropriate organisational measures to prevent unauthorised processing of personal data: it had neither used an email system capable of sending a separate email to each recipient, nor given staff appropriate training. No doubt the extremely sensitive subject matter of the Inquiry, and the distress caused to the complainants whose participation was revealed, influenced the very high fine.
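The organisational measure the ICO describes, one message per recipient rather than one message carrying every address, is straightforward to enforce in code. The following is an added example, not code from the Inquiry, the ICO or the original post: it builds a separate message per recipient and gates sending on a check that no outgoing message exposes more than one address in its visible headers, which is exactly the "To" versus "BCC" failure above. The sender, subject and recipient addresses are constructed sample values.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data for the example; not taken from the ICO decision.
SENDER = "hearings@example.org"
RECIPIENTS = ["a@example.org", "b@example.org", "c@example.org"]


def bulk_message_as_sent(sender, recipients, subject, body):
    """The mistake described in the text: all recipients in one 'To' header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)   # every recipient sees every other
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_individual_messages(sender, recipients, subject, body):
    """The measure the ICO expected: one EmailMessage per recipient,
    each addressed to that recipient alone, so no address is shared."""
    messages = []
    for addr in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def visible_recipients(msg):
    """Addresses a recipient of msg would see: everything in To and Cc.
    (Bcc is deliberately not included; if it survives into the sent
    message it is a separate leak, and a proper sender strips it.)"""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers)]


def leaks_recipients(msg):
    """True if any recipient of msg would learn of another recipient."""
    return len(visible_recipients(msg)) > 1


def send_gate(messages):
    """Return only the messages that are safe to hand to the mail transport.
    Any message exposing more than one recipient is held back rather than
    relying on the person composing it to have chosen the right field."""
    return [m for m in messages if not leaks_recipients(m)]


if __name__ == "__main__":
    bad = bulk_message_as_sent(SENDER, RECIPIENTS, "Hearing date", "See attached.")
    good = build_individual_messages(SENDER, RECIPIENTS, "Hearing date", "See attached.")
    print("bulk message leaks:", leaks_recipients(bad))
    print("messages passing the gate:", len(send_gate([bad] + good)))
```

The gate is the part that matters operationally: a training-only control depends on every staff member getting the field right every time, whereas a check at the point of sending fails closed on the one message that would have caused the breach.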
ICO annual report
In July, the ICO published its 2017/18 annual report, covering the twelve months to 31 March 2018. The report recorded a 29% increase in self-reported data breaches, from 2,447 to 3,156.
In 60% of cases the ICO took no further action at all, and remarkably only 0.3% of breaches attracted a monetary penalty. This underlines the ICO's approach of reserving fines for the most serious breaches. Whether that approach is sustainable under the GDPR remains to be seen, but the ICO's Regulatory Action consultation suggests it will remain the status quo for the foreseeable future.
Personal liability for directors
The Government recently consulted on whether the ICO should be given the power to fine directors, senior officers and partners personally. Its concern is that the ICO currently recovers only 54% of the fines it imposes, because fines can at present only be levied against the company itself. If the company is dissolved or goes into liquidation, its directors can set up a new legal entity and carry on their activity without paying the fine.
The consultation closed on 20 August. Its outcome could have a significant impact on directors' personal liability for breaches of the GDPR.
The data protection landscape in the UK is shifting rapidly, and a breach can now have devastating financial consequences for your organisation. Depending on the outcome of the Government's consultation, it could also leave you personally liable. Because the GDPR is principle-based, compliance is not a tick-box exercise, so if you are at all unsure about your obligations or your compliance you should seek specialist legal advice.
If you find yourself requiring advice or representation in respect of a matter of this sort you may contact Quentin for a no obligation conversation about your case.
My thanks to my media partners for their additional coverage of this important issue: