If Europe’s data regulators hoped that the transition to its new rules would be smooth and simple, they are in for a shock.
Six months on from when the European Union’s General Data Protection Regulation (GDPR) came into force, organisations still say that there is a lack of clarity about what they can—and cannot—do with personal data, or in what circumstances they might be flouting the law.
Added to that, several EU member countries—Czech Republic, Finland, Portugal, Greece, Poland, and Slovakia—have not actually updated their data protection laws to align to the regulation, and others have been slow to pass theirs (Spain and Italy only did so in August and September, respectively, while France also passed legislation in August to take effect retrospectively from May).
While lawyers say that in the absence of refreshed domestic legislation companies would need to follow GDPR, they admit that there could conceivably be a question about whether regulators in those countries would be able to enforce the regulation without new legislation. Another complication is that without implementing legislation, organisations don’t get the details they need to be able to comply easily.
“Complications for international businesses have arisen because a number of countries around Europe haven’t implemented their local laws supplementing GDPR,” says Mark Taylor, a partner specialising in data protection at law firm Osborne Clarke. Added to that, he says, “where those local laws do exist, they have adopted variations of GDPR to a greater extent than we might have ideally hoped for. So while GDPR has made international compliance easier, it hasn’t unfortunately made it a one-size-fits-all approach everywhere.”
GDPR is meant to bring uniformity in data protection across the European Union, as well as ensure that the regulatory approach and level of enforcement is consistent across the 28-nation bloc. The regulation, however, does provide some leeway. For example, Article 9 gives member states latitude to decide on local exceptions to the ban on the processing of special categories of personal data, such as data about ethnic origin, religious beliefs, health, and sexual orientation. Member states can allow the processing of such data in order to enable research or to support employment law or the public interest, but they need to clearly spell out their derogations in their implementing acts aligning national data protection laws to GDPR. As a result, GDPR may not be as uniform in practice as the European Commission, the EU’s executive body, had hoped it would be.
Compliance professionals believe that there is still a lot of detail around GDPR that is unclear.
“Every week I am asked by management whether we are fully GDPR compliant and I don’t know how to answer,” said one compliance officer attending the Compliance Week European Conference in Amsterdam in November. Others said that their main concern was that “legitimate interest,” which relates to how personal data is used and how long it is retained for, was too vague. One compliance officer was unsure whether a request to check a candidate’s criminal record would now be considered illegal under GDPR, despite his company routinely conducting such checks previously.
Some compliance officers said that another key problem was that they did not know whether national regulators would take a proactive approach to check on companies’ compliance with GDPR, or if they would be more “reactive” and only act on specific complaints or industry-wide concerns, such as the way financial services firms use personal data for direct marketing, for example.
Privacy campaigner Max Schrems told delegates during his keynote address at Compliance Week Europe that there is a lot of “legal uncertainty” regarding GDPR and said he believed, “we’ll have some kind of ‘GDPR 2.0’ sooner or later, because so many of these issues are so unclear that we’ll have to update the law somehow.”
Several conference attendees said that they are awaiting the first “significant” enforcement cases under GDPR to give them a better understanding of the regulation and how it is likely to be enforced.
During a keynote address at the conference, Ventsislav Karadjov, chair of Bulgaria’s Commission for Personal Data Protection and vice-chair of the European Data Protection Board, the body set up to assist and monitor how data regulators across the European Union enforce GDPR, told delegates they could be in for a long wait. He said: “2018 was the year for making companies aware about the new rules, to prepare data protection authorities to prepare for the new competencies, and also to familiarise individuals—the data subjects—with their rights. I would say that 2019 will be the year for GDPR implementation.”
Lawyers agree that there is still a great deal of confusion surrounding GDPR. They add, however, it is not necessarily the fault of data regulators. “Certain myths about the GDPR still persist,” says Robert Lands, a partner at law firm Howard Kennedy, “including that it’s all about getting consent for everything you want to do with personal data (it’s not) and that GDPR does not apply to small businesses (it does).” Sophie Chase-Borthwick, director of privacy services at data specialists Calligo, says that companies are still confused by what they need to do, but adds that “how much of this is wilful is unclear.”
“Most confusion among the companies we engage with seems to come down to scope—both geographic and what personal data actually is,” she adds. “Many appear to be confused over their lawful reasons for holding and processing personal data. But, upon questioning, you realise this is because there is no lawful reason, and yet they want to still carry on with their activities without defensible, transparent, and lawful grounds to do so.”
Generally, however, most experts believe that organisations and compliance functions are working well toward their GDPR preparations. “Companies that had inadequate procedures under the old data protection legislation are likely to struggle under the new GDPR,” says Jonathan Compton, a partner at law firm DMH Stallard. “But companies that had adequate structures and controls in place are likely to find adjustment to the new legislation fairly straightforward.”
Brian Craig, legal director at U.K. law firm TLT, says that “generally, companies have their heads around compliance, but putting their programmes into practice is a whole new challenge. We are seeing a lot of ‘GDPR in practice’ questions relating to specific business activities, including how compliance programmes apply to the actual day-to-day running of a business and what needs to change.”
He adds: “There is a lot more guidance available now than in the run up to 25 May—compliance officers should feel a lot better equipped to deal with any challenges that present themselves.”
Several data lawyers believe that clarity over some of the GDPR’s finer points will come when companies see how stringently some national data protection authorities are prepared to investigate complaints and enforce the rules. Germany, for example, has a data regulator in each state and they have started proactively auditing companies for compliance: One of these regulators, the Bavarian Data Protection Authority (the BayLDA), is currently undertaking a number of targeted audits into, for example, the secure operation of online shops and accountability for large corporations. The Dutch Protection Authority is similarly actively auditing businesses to ensure they are achieving GDPR compliance.
“Historically, certain EU regulators, such as the Austrian, French, German, and Spanish regulators, have been seen by some as having a more stringent approach to privacy enforcement,” says William Long, a partner in law firm Sidley Austin’s privacy and cyber-security practice. “It remains to be seen whether and how these patterns will translate to the post-GDPR world, especially now that all EU regulators have the same enforcement powers,” he says, “but we have noted that while some regulators are more fully up-to-speed with the GDPR, others may not be in a position to take enforcement action at this stage, mainly due to the lack of resources.”
GDPR cases are beginning to come through the pipeline. Besides Schrems’ high-profile class-action-style complaints against Facebook and Google for coercing user consent, in October the French data protection regulator (the Commission nationale de l’informatique et des libertés) decided to take enforcement action against Vectuary, a marketing agency that was processing individuals’ geolocation data for marketing and profiling purposes, but reportedly without valid user consent or another legal basis for such processing. Also in October, the U.K.’s data regulator, the Information Commissioner’s Office (ICO), issued its first enforcement notice under the GDPR against a Canadian company called Aggregate IQ Data Services in respect to its processing of personal data for political organisations, such as “Vote Leave” during the 2016 Brexit referendum.
Other potential enforcement actions by the ICO may be forthcoming, with speculation mounting that there is likely to be regulatory action against British Airways for a data breach between August and September 2018 that affected 380,000 customers.
“This could be the first ‘mega’ fine delivered by the ICO, possibly exceeding £1 million (U.S. $1.27 million). No one can be sure exactly what will happen here, but it is the most obvious case to watch for a large post-GDPR fine,” says Matthew Holman, a principal at EMW Law.
Horne—and others—also point out that there is continued interest over the case of U.K. supermarket chain Morrisons and a disgruntled employee who stole and deliberately leaked the financial and personal records of thousands of company workers. The case led to the first class-action-style lawsuit in the United Kingdom under the country’s previous data protection rules; and while the Court held that Morrisons had adequate data protection procedures in place, it also deemed the company “vicariously liable” for the breach. The Court of Appeal did so, too. Morrisons has said that it will take the case to the Supreme Court.
“If you wanted to watch a big case in the world of data protection, you won’t be able to find one attracting more attention than the appeal of the Morrisons decision to the Supreme Court which, if it goes ahead (and we believe it will), is likely to be heard in 2019,” says Horne. “This case could open the floodgates for class-action GDPR cases in the U.K.”