It is almost a year since one of the largest-scale reforms of data protection law took place. In the run-up to May 2018, employers across the country were frantically preparing vast amounts of new documents in light of the impending implementation of the General Data Protection Regulation (GDPR). A year later, we look at the key developments and decisions that have taken place.
The Data Protection Act 2018
Shortly after the implementation of the GDPR, the Data Protection Act 2018 (DPA) was also enacted. This replaced the Data Protection Act 1998 and ensured the standards set out in the GDPR were enacted in the UK.
The DPA is designed to ensure that the UK will be able to freely exchange personal data with the EU post-Brexit. When the UK leaves the EU, it will become a third-party country for the purpose of personal data transfer, and as such it will need to show an adequate level of data protection so that transfers of data between the EU and the UK can continue. This is important given the vast number of data transfers that occur between the two. However, this all remains to be seen, depending on when the UK exits the EU and on what basis.
There have been a number of ICO penalties issued for breaches of GDPR. Some examples include:
- Facebook was fined £500,000 for collecting personal data about the Facebook friends of users, without those friends being informed that their data was being collected, and without them being asked for consent.
- Several charities including Cancer Research UK, Macmillan Cancer Support and The Royal British Legion were fined various amounts for failing to adequately indicate in their privacy notices that personal data may be processed for wealth analysis to identify those who were in a position to donate more money.
- Uber were fined £385,000 for inadequate security arrangements that led to cyber attackers being able to download a large amount of personal data about drivers and customers.
The above are, of course, all within the previous financial penalty limits permitted by the Data Protection Act 1998 and so you would be forgiven for thinking that not much has changed in this regard. However, CNIL (the French data protection regulator) imposed a fine of 50 million euros against Google, a significantly higher award than that available under the previous legislation. CNIL said Google’s processes in relation to its advert personalisation lacked transparency, contained inadequate information and lacked valid consent.
There were also data protection cases that, whilst not directly enforced by way of a fine from the ICO, were particularly relevant in light of the new GDPR. In particular, Morrisons supermarket was held vicariously liable when an employee maliciously misused the personal data of nearly 100,000 Morrisons employees. Whilst Morrisons was not blamed for the way it had handled data, it will be responsible for compensating those affected by the employee’s actions. Morrisons have appealed the decision.
So, what is on the horizon with regard to GDPR going forward? Brexit will, of course, have a role to play in future developments, and there will also be further legislation in the data protection arena, including the E-Privacy Regulation.
The ICO are focusing on Artificial Intelligence (AI) and, in March 2019, published a proposed structure for a new auditing framework in respect of AI. The key focus is to raise awareness of data protection risks specific to AI as this technological advancement gathers pace.
No doubt, there will be some more hefty fines along the way too.