On 24 June 2020, the EU Commission issued a Report into the first two years of the operation of GDPR (the Report). Though the Report is interesting in relation to its main findings, it is more relevant in indicating the EU Commission’s direction of travel in relation to the continued implementation and enforcement of GDPR. We also provide below our own reflections on major developments since May 2018.
Amongst the important issues flagged in the Report are: changes in arrangements around data transfers from the EU to third countries; codification of Article 28 controller/processor terms; some possible relief for Small and Medium Sized Enterprises in terms of compliance; a reminder to Member States to properly fund national regulators; a wish for less divergence amongst Member States in areas such as the balance between data privacy and freedom of expression; a greater focus on requirements to appoint EU representatives for directly regulated entities based outside the EU; and the latest position on the process for determining whether the UK will obtain an Adequacy Decision after the end of the Brexit transition period.
As might be expected for an organisation writing its own end of term report, the Commission concludes that GDPR has been successful in strengthening individuals’ rights in relation to personal data. It notes that 69 per cent of the EU population above the age of sixteen have heard about GDPR and 71 per cent of people in the EU know about their national data protection authority.
In terms of individuals policing those rights, we see this most commonly in the exercise of Data Subject Access Requests (DSARs). The blaring sirens of “DSAR, DSAR, DSAR” are seldom welcomed by clients who find compliance time-consuming and costly. The fact that the English courts now consistently hold the view that the purpose behind the DSAR is irrelevant has not helped matters. This has led to a growing practice of DSARs being used by individuals and their lawyers as a means to obtain early disclosure of material in support of litigation. Organisations are plainly also not responding to DSARs as individuals believe they should. In the first year of operation of GDPR, the UK Information Commissioner’s Office (ICO) reported that of 41,661 complaints it received from individuals, by far the highest proportion (40 per cent) related to subject access.
Compliance and what has been driving this?
In the lead up to 25 May 2018 there was a rush to comply with GDPR. This continued after May 2018 (with some understanding on the part of the ICO that organisations needed further time) and through into 2019. Compliance has been driven by pressure from customers and employees. However, a consistent factor that we have seen as a continuing lever towards compliance throughout the first two years has been the requirements of other organisations with whom personal data is shared. Supply chain participants have dictated that if an organisation wants access to personal data then it has to be able to demonstrate a sufficient level of GDPR compliance first. In addition, the level of compliance has become an increasingly important consideration for investors and those acquiring businesses.
This trend has led to much more detailed negotiation of contractual terms around data sharing, subject to the constraints imposed by GDPR, in particular in relation to Article 28 requirements in Controller/Processor contracts. The Report recognises this and refers to codification around Article 28 explaining that work is being carried out to produce standard terms akin to the approach taken in issuing Standard Contractual Clauses (SCCs) for cross-border data transfers. This might be helpful in creating greater certainty in relation to what regulators expect to see in controller/processor contracts, but we would hope it will not be as rigid and inflexible as what we see in SCCs.
One recurring theme around data sharing and contractual provisions is who bears the risk if something goes wrong? A particular issue which has not yet been resolved is whether indemnities from one party to another to cover the consequences of non-compliance with GDPR are enforceable, particularly when it comes to regulatory fines. The prevailing view in English law is that an indemnity (including insurance cover) for regulatory fines is unenforceable as being contrary to public policy, but we await a definitive court decision on this.
Cross border data transfers
Turning to cross border data transfers in more detail, a gaping hole in GDPR has always been that the existing SCCs (derived from the now defunct 1995 EU Directive) do not cover many of the cross-border data transfers that actually take place. This means that parties have had to shoe-horn SCCs into situations they were not designed for. Thankfully, no regulators have objected to this as far as we are aware. However, this looks set to change as the Report indicates that the Commission is working on a comprehensive modernisation of SCCs so that they are fit for purpose for GDPR. In addition, the Report flags the impending decision of the Court of Justice of the European Union (due on 16 July 2020) on the challenge to the validity of the existing SCCs (the so-called Schrems II case). The Commission is clearly waiting to see what guidance the CJEU gives about data transfer mechanisms before moving forward with producing GDPR appropriate SCCs.
Marketing – misconceptions and solutions but trouble ahead
There was a lot of concern in the lead up to the implementation of GDPR about whether marketing could be effectively undertaken around the stricter requirements for obtaining consent from individuals to use their data. This led many organisations to try and obtain valid consents, but fail to do so, cutting off contact with large numbers of their customers and contacts. Since May 2018, a lot of work has gone on to re-engineer this, relying instead on legitimate interests as a basis for processing data for marketing, rather than consent. Indeed, regulators have encouraged this, provided that sufficient legitimate interest assessments are carried out and documented beforehand and, of course, objections from individuals are respected.
However, the Report highlights the need for strong and effective enforcement in areas such as online advertising and micro-targeting carried out by large digital platforms and associated organisations. This is reflected in the ICO’s focus on Adtech which we highlighted here. The ICO announced in May 2020 that it is pausing its investigation in light of the difficulties caused by Covid-19, but that it will pick it up again when appropriate. The Report gives impetus to this.
The Report claims that GDPR has created a level playing field for all companies operating in the EU market. This seems to us to be questionable. The level of complexity and the cost associated with compliance with GDPR favoured larger organisations who were better able to cope. Rather than breaking the hegemony over personal data of larger (American based) organisations, GDPR has had the opposite effect in our opinion.
However, the Commission acknowledges that it has been a struggle for many organisations to comply with GDPR, particularly Small and Medium Sized Enterprises (SMEs). At the outset, we saw that one reasonably popular misconception about the application of GDPR was that it had a de minimis exemption for SMEs. However, this has been quickly dispelled as rights have been exercised by individuals against SMEs and other pressures for compliance have emerged, particularly through supply chains. Nevertheless, the Report indicates that the Commission will review and possibly amend GDPR to better accommodate SMEs that do not have the processing of personal data at the core of their business. At the same time, the Report encourages regulators to provide more guidance, templates, and access to day-to-day advice for SMEs.
Territorial scope – does GDPR apply to me and to what extent?
Another area where we have seen a degree of misunderstanding is in the territorial scope of GDPR. This has mainly been caused by misconceptions about the gateway provisions in Article 3 of GDPR. First, for those organisations based in the EU there has been, and continues to be, a view that their processing of personal data is only regulated insofar as it consists of the personal data of EU based citizens. This is wrong. EU based organisations owe GDPR obligations in respect of the personal data they are processing regardless of citizenship, residence or location of the individuals concerned. In that sense it is a truly global standard. Then, in relation to the “pay to play” provisions in Article 3.2, confusion arises because it is assumed that any organisation based outside the EU which is processing the data of EU citizens is held to GDPR standards. Again, this is wrong. Such organisations are only directly regulated if they are processing the data of individuals based in the EU (they do not need to be EU citizens) and if that processing takes place either: (i) in the context of offering goods or services to those individuals in the EU (so, for example, this doesn’t apply where the services are offered to an employer of those individuals); or (ii) in the course of monitoring the activities of those individuals in the EU. We continue to receive enquiries about compliance with GDPR from organisations based outside the EU who assume they are directly regulated when they are not. An initial “triage” process assessing the applicability of GDPR usually resolves these gateway questions. Of course, organisations based outside the EU should not forget that they might be indirectly regulated by GDPR through contracts entered into with EU based organisations sharing data with them, for example through Article 28 Controller/Processor provisions and/or SCCs.
The territorial scope of GDPR has also been curtailed, somewhat surprisingly, by the CJEU in determining the territorial extent of the right to be forgotten. We discussed this decision in Google v CNIL here. In summary, the CJEU decided that when delisting search results, Google only has to ensure that searches emanating from the EU are returned with no result. Does this indicate a nervousness more generally on the part of the CJEU about the presumed extra-territorial application of GDPR? We would expect to see this point tested in other areas.
However, the Commission rightly acknowledges the global impact of GDPR in other ways, including encouraging the development of similar laws in other jurisdictions (the Report lists a diverse range of jurisdictions in this respect from Chile, Brazil, South Korea, India, Japan, Indonesia and Kenya to California).
Is it all fines?
The Report notes that Regulators have been prepared to issue serious fines for non-compliance. The first example was the fine for €50m issued by the French regulator, the CNIL, to Google in January 2019.
In the UK, we had to wait until December 2019 for the ICO to issue its first GDPR fine, more modestly to SME, Doorstep Dispensaree. This isn’t to say that the ICO has not been busy issuing fines based on pre-GDPR breaches. Two that stand out are the maximum pre-GDPR fines of £500,000 each that were levied on Cathay Pacific and DSG Retail. These decisions are important in mapping out the ICO’s thinking on what will inform its level of sanction post-GDPR in terms of what it considers to be critical failings in data protection compliance. The accompanying Monetary Penalty Notices are well worth a detailed read in this respect.
Of course, we should not forget the proposed mega-fines in the BA and Marriott data security breach cases which were announced in July 2019 (amounting to £183m and £99m respectively). Unsurprisingly, there has been significant push-back on the proposed level of these fines by both BA and Marriott, and final announcements (and Monetary Penalty Notices explaining the reasons for the fines) have been delayed three times. They are now expected in August or September this year.
The Report notes that it isn’t all about fines, however. We agree that other sanctions, such as “stop processing” notices can have a more serious impact on an organisation. These notices require organisations to cease using personal data that has not been lawfully acquired. The first post-GDPR enforcement notice issued by the ICO was in fact a stop processing notice issued to a Canadian company, Aggregate IQ, arising out of the Cambridge Analytica scandal. Subsequently, the ICO issued a similar notice to Her Majesty’s Revenue and Customs (HMRC) for non-compliant gathering and use of Voice ID data.
There appears to be a concern in the Report that individuals whose rights have been infringed do not currently have sufficient access to courts to obtain appropriate remedies. To deal with this the Commission references the proposed Directive on representative actions (COM/2018/0184 final - 2018/089 (COD)). The Commission’s expectation is that once this Directive is adopted it will enable individuals to bring collective actions in all Member States and will lower the costs of cross-border actions.
In the UK, there has been a growing development of collective claims by groups of affected individuals using either opt-in Group Litigation Orders (GLOs) or opt-out representative (class) claims. The leading case on representative claims is Lloyd v Google which is set to be heard by the UK Supreme Court later this year or early in 2021. It is expected to further clarify the extent to which representative claims can be brought in the English courts by, potentially, millions of affected individuals (as in the Lloyd v Google case). It is also expected to clarify whether the mere deprivation of an individual’s control over their personal data entitles that individual to compensation. This controversial finding by the English Court of Appeal is not currently supported in some other countries (e.g. Austria). GLOs also continue to be another mechanism for bringing collective actions, and one is reported to be getting underway in relation to the recent EasyJet data breach with, apparently, 10,000 individuals having signed up already. Our earlier article on these issues is here.
Could do better
The Report identifies various areas for improvement. Of particular note is a reference to EU Member States not providing sufficient resources to national regulators to carry out their functions. The Commission praises Ireland, the Netherlands, Luxembourg and Finland in this respect but says that the position is still “uneven between Member States and is not yet satisfactory overall”. The Commission reminds Member States of their obligation under GDPR to provide regulators with adequate resources. Could action be taken by the Commission against Member States if they continue to fail to do so?
The ICO is not specifically mentioned in the Report, but there has been some recent criticism in other quarters that it has not been doing enough in terms of enforcement. We think that is a little unfair and in any event warned in this recent article that it would be foolhardy to think that the ICO has downed tools.
Another issue that the Report highlights as an area for improvement is the degree of fragmentation in the national application of GDPR. This is a little odd as there are various parts of GDPR that give Member States a large degree of latitude in relation to how it is to be applied at a national level. This reflected that there were certain areas where Member States simply could not reach detailed consensus during the four years of negotiation over GDPR. Nevertheless, the indications in the Report are that the Commission does not like the degree of divergence which is emerging. Areas such as the age at which children can provide consent, the balance of data privacy with freedom of expression and the use of personal data in research are amongst those specifically mentioned. We would anticipate that the Commission will be seeking greater convergence in these areas or even changes to GDPR.
The difficulties in seeking greater convergence are illustrated by the response of Member States to Covid-19. Broadly, each country has been grappling with how to deal with the virus whilst staying on the right side of the line of GDPR. Different countries have different answers to this, which illustrates the difficulties of a uniform application of GDPR in the context of much wider areas of regulation (e.g. health and safety laws) and political and cultural issues. Our recent articles on track and trace apps and temperature testing touch on some of these issues.
The Report also contains a warning on EU representatives. These are individuals or other entities who are supposed to be appointed by directly regulated controllers or processors who are located outside the EU as their GDPR representatives in the EU. The difficulty from the very beginning of the implementation of GDPR has been finding anyone willing to do this. The assumption was that these representatives would not only be a port of call for individuals and regulators seeking to ensure compliance with GDPR but could also be sanctioned for the relevant controller/processor’s failings. However, in November 2019 the European Data Protection Board clarified that an EU representative would not be directly liable for fines and other sanctions imposed on the controller/processor it is representing. This still does not seem to have led to a larger number of EU representatives being willing to take the role. Nor does it appear that regulators have so far been particularly bothered by this. The obligation to appoint an EU representative has rather been observed in the breach. The Commission clearly doesn’t like this. The Report calls on regulators to involve EU representatives in ensuring that effective enforcement of GDPR takes place against ex-EU controllers/processors. As the Report puts it, “This approach should be pursued more vigorously in order to send a clear message that the lack of an establishment in the EU does not relieve foreign operators of their responsibilities under the GDPR”. It seems that the honeymoon period around insisting on the appointment of EU representatives is coming to an end.
Finally, a word on Adequacy Decisions. The Report notes that the Commission is reviewing the existing Adequacy Decisions with third countries which pre-date GDPR. The issue is whether each of the eleven territories who benefit have sufficiently kept pace with the changes introduced through GDPR. Additional safeguards are apparently being discussed with some of these territories, but the Commission is waiting to see the imminent decision of the CJEU in Schrems II before finalising and reporting on its deliberations about each of the existing Adequacy Decisions. Any ex-EU data transfer arrangements which are currently benefiting from an Adequacy Decision are fine for now, but a careful watch should be kept out for any further communications from the Commission about this.
The Report also references the current review by the Commission of whether the UK should be granted an Adequacy Decision once the Brexit transition period expires on 31 December 2020. It says nothing more than that this is ongoing, but references that the assessment is being made both by reference to the GDPR and the Data Protection Law Enforcement Directive. The Achilles heel in any granting of Adequacy to the UK (absent political considerations) is likely to be the use of personal data in law enforcement and the protection of national security. The problem will be unlikely to lie in alignment with GDPR itself (given that the UK has adopted a mirror UK GDPR), but in the issues underpinning the Law Enforcement Directive, so the specific reference to it seems quite deliberate and pointed.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, July 2020