Is the European Union’s General Data Protection Regulation (GDPR) still important and relevant a year after the compliance deadline? Now that all the fuss made around the famous 25th May 2018 deadline has calmed down, it’s time to analyse the GDPR one year on – does it still matter, how has it affected the level of data protection, and what has it brought to various industries such as social media, marketing, IT and surveillance? We look back and discuss the changes and the repercussions with our expert David Cauchi, Head of Compliance at the Maltese Information and Data Protection Commissioner’s office, who has worked in the field for more than 15 years.
Cauchi has developed a high level of expertise, particularly in handling complaints, inspections and audits. He also has experience dealing with cross-border issues including international data transfers, providing guidance and raising awareness on data protection to various sectors, including banking and financial services, online gaming, employment, and the public at large. In this interview he also talks about real-life cases, tendencies to use the GDPR as a revenge weapon and how the GDPR helped a convicted murderer.
What have we learned from the GDPR one year on?
One thing we have surely learned is that businesses cannot keep taking data protection matters lightly. Indeed, complying with the GDPR should be at the forefront of business initiatives involving personal data.
Why does the GDPR still matter?
Complying with the GDPR is an ongoing process and should still be a top priority for entities if they care for their clientele and reputation. We all have learned how data breaches can severely affect business profits – not only through direct sanctions, but also through other indirect costs, such as litigation, and adapting or fixing issues when they arise.
Are people more aware of their rights?
Yes, naturally, due to the hype that accompanied the build-up to May 2018, increased public expectations, and the overall awareness levels. Certainly, individuals have become more demanding and, at times, there is the tendency to use the GDPR not necessarily for a genuine claim, but also as a revenge weapon.
How would you comment on the effects and consequences of the GDPR today, from three separate key perspectives – of data protection authorities, companies, and data subjects?
Data protection authorities have stepped up their game, especially with regards to their enforcement (not only sanctioning) and their advisory roles. They clearly had to, in view of the increasing demands both from the citizens and also the industry. Companies have put data protection on their compliance radar, although at times, other priorities may take the lead. They should keep it there and never lower their guard. Data subjects’ perceptions have changed. They are more confident about their rights and invoke them far more under the GDPR when compared to the previous framework.
Who are the biggest winners, and who are the biggest losers? Who gained the most benefits, and who suffered the most losses with the GDPR? Which kinds and sizes of businesses and industries?
Entities offering DPO services or data protection consultancy might have derived benefits. Other companies making privacy-by-design and privacy-by-default an integral part of their business are also likely to derive benefits by mitigating risks. On the other hand, businesses whose operations involve large-scale data processing may be exposed, and are likely to suffer higher damages in the event of breaches, taking into account the number of data subjects affected.
How has the GDPR affected social media, marketing, financial and other different industries?
Large entities have been inundated with requests from data subjects, apart from the fact that DPAs are also constantly looking at their processing activities. Furthermore, the new rights and obligations, such as the right to object to profiling, have raised several issues in those sectors where targeting and profiling are clearly among the competitive advantages.
The European Commission recently released an infographic, which revealed that 95,180 complaints have been lodged with EU national data protection authorities. Most complaints were related to the use of CCTV cameras and direct marketing activities (telemarketing and promotional e-mails). What are your predictions about problems that occurred in these cases? What kinds of new problems and solutions can be expected?
Both the use of CCTV cameras and direct marketing activities have historically caused headaches to data protection authorities. The main issue with CCTV cameras is the question of proportionality in what is actually captured and processed. When these exceed what is necessary for security purposes, problems with data subjects are inevitable. The use of CCTV to monitor employees is probably one of the reasons why there is an increase in complaints on this topic. In addition, an ECJ ruling clarified that private individuals generally cannot install surveillance cameras to film people on a public path. This meant that data protection law, which normally was interpreted to exclude processing by private persons as part of their private (household) activities, was still to be applied in these cases. Thus, individuals are using this remedy more often.
As to the question of marketing, the problem lies with business practices and, at times, the inability to ensure proper consent or even opt-out procedures. This is not only GDPR-related, but it triggers the e-privacy framework when communications are sent electronically or through automated calling (which happens most of the time). It is quite strange how companies still inundate individuals with unwarranted communications, when such individuals have either opted out or have actually never signed up to receive such marketing. With all the awareness, it is unlikely that such companies will get away with this.
How high are the costs of the implementation for the companies compared to the fines they risk for being non-compliant?
While in the short-term, companies may think that GDPR compliance is too costly and they might as well take the risk of non-compliance, in the long-term, taking such risk will result in higher costs. Data protection violations will not only put pressure on companies to remedy the situation and address gaps, but they may, in case of recurrence, send a signal to their clients or even employees that the company does not seriously care about their data. This may lead to mistrust and ultimately result in loss of business.
How does the GDPR affect the reputation of a company?
Apart from the costs incurred to deal with sanctions and remedial measures, data breaches are likely to be discovered and reported by the media, thereby leading to reputational damage, as well as possible decreases in the share price.
Are there some examples of GDPR exceptions or exemptions? Are there any subjects that GDPR doesn’t apply to?
Although one of the reasons for having a Regulation instead of a Directive was to achieve harmonisation, the GDPR still allows for possible exemptions that may be provided for under national laws. Major examples include restrictions or limitations on the rights of data subjects, and also exemptions applicable for journalistic purposes. One aspect where the GDPR is often invoked, but would not apply, is where the processing falls under the so-called household exemption, such as in those instances where a natural person processes data for personal use (e.g., taking images during an outing and keeping them on their personal phone).
Which GDPR articles or sections usually get wrongly understood or misinterpreted?
Perhaps the requirements for a valid consent in terms of Article 7 are at times overlooked by business entities. The same applies to the transparency requirements (Article 13). The problem with these articles is that the law sets far more onerous requirements than those imposed under the former regime.
The DPAs initiated more than 250 investigations in the context of EU cross-border processing activities, most of them following individual complaints. What are some of the most common complaints that you know of?
While I do not have specific information, my impression is that apart from the cases relating to direct marketing, which may also involve cross-border issues, other questions would definitely concern the exercise of data subjects’ rights of access and erasure, and also the transparency requirements (privacy notice).
At least three fines have been issued under the GDPR so far. The Austrian DPA imposed a €5,280 fine on a sport betting café for unlawful video surveillance. The German DPA imposed a €20,000 fine on a social network operator for failing to protect users’ personal data. The French DPA imposed a €50 million fine on Google for lack of consent on Ads. How do you comment on these fines?
This shows that the fine regime was not just a legislative decoration, but is effectively used. DPAs have initially been cautious, but had to upgrade their game, and they are keeping up with the expectations of what the legislator had in mind. This is extremely important to ensure that the overall effects of the legislation are not lowered by its application.
Can you single out some significant cases of lawsuits that came up within the first year of the GDPR?
Two particular lawsuits come to mind – one relates to a German court ruling concerning the public availability of ICANN “WHOIS” data, and the other relates to a Google right-to-be-forgotten case, whereby Finland’s Supreme Court ordered Google to remove from its search engine the personal data, including all connected URL links, of a convicted murderer.
To learn more about the GDPR, enrol in this free online training: EU GDPR Foundations Course.