Cordery’s Jonathan Armstrong reflects on the first six months of the General Data Protection Regulation.
The GDPR won’t live up to the Doomsday scenario painted by many – but that was never realistic. It will, however, change the way we use data for good.
The General Data Protection Regulation (GDPR) came into force around six months ago, on May 25 2018. You would have had to have lived in a cave to miss it, but has it lived up to the hype? The simple answer is yes and no. There has clearly been a lot of GDPR action in terms of complaints, live investigations and some early enforcement activity. The pre-GDPR ‘fake news’ has been shown to be just that – there weren’t millions of fines on day one (this was never likely), businesses didn’t close down en masse (also not likely) and the Thames didn’t flood (again, not likely). We have seen a lot of activity though and some pointers to the shape of things to come.
Reported Data Breaches on the Rise
One of the easiest predictions to make was that the number of reported data breach actions would rise. Pre-GDPR, only a few EU countries had data breach reporting restrictions. The UK had a voluntary process which the GDPR replaced with the obligation to report data breaches to data protection authorities (DPAs) unless the data controller could show that the personal data breach “is unlikely to result in a risk to the rights and freedoms of natural persons.”
Where feasible, this report has to be made within 72 hours of the breach being discovered. Pre-GDPR, some of us said that the 72-hour deadline was too short a time to make a proper assessment. Early evidence under the GDPR regime would suggest that this is true. In June 2018 alone, the Information Commissioner’s Office (ICO) received 1792 data breach notifications. The rise has continued across Europe; for example, the Data Protection Commission in Ireland said in August that it was receiving about 230 breach notifications per month. Some of those notifications might prove not to have been necessary, but it is understandable that since the burden is on a data controller to prove that a data breach is unlikely to result in risk, organizations reporting breaches will err on the side of caution. This is a trend that we are likely to see continue.
As a result, there’s been a sharp focus on rehearsing breach reporting and investigation. We’ve trained over 300 individuals in the skills needed and, for some, the skills they have learned in those rehearsals have already been tested in the heat of battle.
There is a different threshold for reporting a breach to those who could be affected. Here the data breach must be likely to “result in a high risk to the rights and freedoms of natural persons.” DPAs are worried about breach notification fatigue – an issue in the US where individuals don’t take breaches seriously because they get so many notifications. We have seen significantly fewer notifications to individuals because of this different test, and in recognition of data breach notification fatigue. Having said that, the UK has seen some mass notifications including those from Dixons Carphone, British Airways and Facebook.
Significant Volumes of Complaints
Complaints to DPAs are also on the rise. The ICO in the UK received 4214 complaints in July 2018 alone and again we have seen this trend across most of Europe with just under 4000 complaints in France in the first four months of the GDPR being in force. There are also a significant number of cross-border complaints – the new European Data Protection Board (EDPB) met on May 25 to allocate the first cross-border complaints made by Max Schrems’ pressure group European Center for Digital Rights (or NOYB for short). There were more than 100 complaints designated as cross-border by mid-July and these are likely to be significant. A number of pressure groups are also involved in making ‘super complaints’ including NOYB, La Quadrature du Net in France and a well-funded group targeting the advertising industry. We are likely to see some significant announcements in some of these complaints in the next few months.
A Rise in Subject Access Requests
There has also been a substantial rise in the number of Subject Access Requests and those that are being made have increased in complexity. We are seeing a significant number of current and former employees make wide-ranging Subject Access Requests and it is more difficult to narrow down the search under the GDPR than it was before. We have also seen the first examples of mass Subject Access Requests being coordinated to almost work like a DDoS attack on an organization.
Fines Are Not the Only Penalty
In the run up to the GDPR, much was made of the high levels of fines available to DPAs under the new regulations. However, DPAs get far more powers, some of which (in some circumstances) can be more damaging than fines. On July 6 2018, the ICO issued what is thought to be the first ‘stop processing’ notice against AggregateIQ, a Canadian entity which is on the ICO’s radar because of its connection to the investigation into Facebook and Cambridge Analytica. The notice required AggregateIQ to stop processing data on UK and EU citizens. AggregateIQ has appealed, with the appeal having been lodged on July 30 2018. This will prove to be an interesting early look at the additional powers of the ICO and the extra territorial reach of the GDPR.
Civil Actions on the Increase
As well as giving more powers to regulators, the GDPR puts more power in the hands of individuals. They can enforce their rights and in some circumstances they can hold DPAs to account as well. Pre-GDPR we had already seen a rise in civil actions – individuals using the courts to claim compensation after a data breach or a mishandling of their information. Examples like the Vidal-Hall case showed us that our courts were willing to grant compensation for multiple claimants, although the Lloyd case in October has shown it is not as easy as some may have thought to bring these cases procedurally. In the US, civil actions after data protection breaches have become commonplace. The GDPR has accelerated the rise of a similar class action culture in the UK. The ‘where there’s a blame there’s a claim’ culture has been prevalent in some of the pre-GDPR data breaches – for example, in the BA breach, class action lawyers worked over the weekend to send a letter before action to BA claiming damages. That’s just a taste of things to come.
What’s Next?
It’s clear that the GDPR is having a real effect on companies big and small. In the next year we’ll see some big fines – but not at the top level. We’ll see a rise in citizen policing of the GDPR as individuals make more data subject requests and litigation kicks in. We’ll also see an even greater concentration on information security and data breaches as organizations realize they’ve reported significant numbers of breaches and they’re living in the last chance saloon. The GDPR won’t live up to the Doomsday scenario painted by many – but that was never realistic. It will, however, change the way we use data for good.