August 06, 2018
Developments in the General Data Protection Regulation
Our friends in the UK at Cordery reached out to share their insights on the changes within the General Data Protection Regulation (GDPR). With confusion over what is going on in data protection and privacy, we wanted to share their thoughts with you. See below for updates on rules and regulations in this constantly changing sector.
There have been lots of data protection developments since GDPR came in on 25 May 2018, and I thought you might be interested in hearing about some of the things that we have been up to.
Volume of Complaints
There has been a large number of complaints since GDPR came in. We know that there are at least 3,500 from the research that we have done, but the exact number is likely to be higher since most of the information from DPAs does not include complaints about data subject rights, and German regulators (traditionally very active) have not provided much information.
There has also been lots of activity on security breaches – for example, the UK had 1,792 in June alone and Ireland had 547 data breach notifications in the first month of GDPR.
We have updated our GDPR FAQs to look at some of the lessons we have learnt since GDPR came in. You can look at the new version here.
The European Court of Justice (ECJ) has had a busy few months with data protection litigation. In June they ruled that the administrator of a fan page could be jointly liable with Facebook for the activities on that page. This will have potentially significant implications for anyone who has a company page on Facebook or uses it to communicate with customers for example. Details of the case are here.
Data Protection Damages
One of the things we have talked about previously in our alerts is the fact that it is not just up to regulators to enforce GDPR. There is a real rise in civil actions and a number of hearings coming up. GDPR makes it easier for individuals to issue proceedings when their data protection rights have been compromised – for example in a data breach. A recent UK Court of Appeal case is helpful in giving a sign of the range of damages after a data breach, but also confirms that the right to bring proceedings is not limited to data subjects – in this case identifiable family members could also get compensation. There is more on this case here.
Jehovah's Witnesses Case
We have also had a useful reminder from the ECJ that measures need to be taken to protect hard copy data. The case concerned the Jehovah's Witnesses in Finland. They used maps which they had marked up to steer them in their door-to-door activities. The court decided that even in this hard copy format the information that they wrote down was covered by data protection legislation. This case has a number of other interesting aspects, including reminding us how easy it is to become a data controller (like the Facebook case above), showing the limits of the domestic purposes exemption and reminding us how tough it can be to deal with Subject Access Requests. You can read more about this case here.
Subject Access Requests (SARs)
We have seen a real rise in the volume of SARs since GDPR. There have also been quite a few cases on what is in scope for a SAR and this has also been before the UK Court of Appeal recently in a case involving a doctor and the General Medical Council. Our alert on that case is here. One of the takeaways is that SARs can be used in a litigation context – this is all the more worrying given the rise in data protection litigation which we have already mentioned.
GDPR Progress so Far
I took part in a webinar hosted by Verint looking at some of the GDPR cases so far, including a large data breach investigation and a Spanish case looking at disclosure on Apps. You can listen to that webinar here.
It is important to remember that GDPR is not the only law that deals with cyber security. The Network and Information Systems regime (known as the NIS regime) is coming in across Europe and has important implications, particularly for some types of technology businesses and those engaged in healthcare, financial services, energy, transport and digital infrastructure. In some cases there is an obligation to register. There are more details of the UK's implementation of the NIS regime here.
New UK Registration Regime
GDPR (theoretically at least) abolished the prior registration requirements with data protection regulators across Europe. However, just as GDPR came in, the UK brought in a new registration regime which, in some respects, is similar to the pre-GDPR regime but in many cases with a higher fee to be paid. There are some basic details of the new regime here.
New UK Data Protection Act 2018 (DPA 2018)
Whilst GDPR brought in some uniformity across the EU, we are also seeing quite a lot of country-specific legislation which is altering the data protection landscape. In the case of the UK, the DPA 2018 has some specific criminal offences that companies could commit over and above their GDPR liability. Our alert on the DPA 2018 is here.
There are more details on many of these topics in GDPR Navigator which provides up to date advice on data protection issues for a fixed fee. We also discuss issues like this on our monthly call. There is more information on GDPR Navigator here and if you are interested in taking out a subscription do let us know.