In the run-up to its introduction
on 25 May 2018, everyone was buried in the microscopic details of trying to
become GDPR compliant. Much of the focus was on the fact that non-compliance
could mean monetary penalties of up to €20m or 4% of total annual worldwide
turnover in the preceding financial year, whichever was higher. As a result,
little thought seemed to be given to how exactly the GDPR would reshape the
data privacy regime on a global and macro level.

It soon became clear after 25 May 2018 that
the UK’s data protection authority, the Information Commissioner’s Office
(ICO), was keen to send a message that it would exercise the GDPR’s
extraterritorial scope under Article 3 of the Regulation. This states that the
GDPR can apply to controllers and processors not established in the EU, where
there are certain processing activities related to data subjects who are in the
EU. The ICO relied on Article 3 in July 2018 when it issued its first
enforcement notice, to Canadian company AggregateIQ Data Services Limited. Such
action indicated that the reach of the GDPR was going to be global as far as
data protection authorities were concerned rather than contained within the EU.

There have also been rising levels of fines by
data protection authorities in the first year of the GDPR. These have jolted
the corporate world, particularly entities operating in the technology sector.
This shows that companies that forced through GDPR compliance in a panic by 25
May 2018 were right to do so, although no one knew what level of fines would be
imposed until they happened. Pre-GDPR data protection fines had been low, and
some thought that trend would continue.

In the UK, the maximum fine the ICO could
issue before the GDPR took effect was a relatively modest £500,000 and the financial
penalties imposed rarely came anywhere near that amount. As fines under the
GDPR could be so much higher than under the former regime, there was
uncertainty before 25 May 2018 whether the amounts would creep up or leap up.
Within a short space of time, it became clear that it would be the latter. A
record financial penalty was the €50m fine imposed in January 2019 by the
French data protection authority, the Commission Nationale de l’Informatique et
des Libertés (CNIL), against Google for breaches of the GDPR.

One aspect of the new GDPR regime that has not
yet been properly addressed in its first year is how much compensation should
be awarded under the new data privacy regime. As with the level of fines,
before the GDPR came into force compensation for individuals who had suffered a
data breach was not usually very high. As such, data protection claims were
often a bolt-on to other claims in the courts for breaches of confidence,
defamation or for misuse of private information.

We have yet to see enormous damages awards in
the civil courts for individuals who have suffered from data privacy breaches.
We expect, though, that the amounts of compensation paid out to victims of data
breaches under the GDPR will gradually increase, as they have in misuse of
private information claims. This is a fairly recent but now distinct legal
cause of action that grew out of breach of confidence cases and Article 8 of
the European Convention on Human Rights. (Article 8 protects a person’s right
to respect for their private and family life, their home and their
correspondence.) Damages awarded by the courts for those claims did not breach
the £5,000 mark until Max Mosley was awarded £60,000 for his claim against the
News of the World in 2008, after which the amount of damages became markedly
more substantial. For instance, last year Sir Cliff Richard was awarded
£210,000 in damages for his privacy case against the BBC.

While out-of-court settlements of data privacy
compensation claims and awards by the courts are likely to increase under the
GDPR data privacy regime, there is still a likelihood that for a while at
least, individuals will consider bringing claims combined in large-scale group
litigation actions where data privacy is one element of a larger case. This has
been a tactic that has worked in the past, for instance in the long-running
court action against various construction companies where 1,200 blacklisted
workers secured £35m in compensation between May 2016 and May 2019 for breaches
of the Data Protection Act 1998, breaches of confidence, defamation, misuse of
private information and loss of earnings. Eventually, however, compensation
amounts for data privacy claims are likely to reach a level at which
stand-alone single-claimant claims in the civil courts will become viable, in a
similar way to misuse of private information claims.

A final point to note about the GDPR regime is
that it may well have enthused non-EU countries to put a new emphasis on their
own data privacy regimes. In many instances, non-EU companies are likely to
need to be GDPR compliant anyway. Data privacy seems to be a new buzz phrase
across the world, and the US appears to be focusing heavily upon it,
particularly following the 2018 Facebook/Cambridge Analytica data scandal.

Facebook is said to be expecting a fine of up
to $5bn from the US Federal Trade Commission (FTC), which Facebook has said is
“in connection with the inquiry of the FTC into [Facebook’s] platform and user
data practices”. It is difficult to know if there would have been as much
enthusiasm for such large fines for data privacy issues in the US without the
GDPR having first shown the way in the EU and beyond. Everything may be said to
be bigger in the US, but to date the largest penalty that the FTC has imposed
for a privacy breach by a technology company was a $22.5m fine against Google
in 2012, a sum eclipsed by CNIL’s €50m fine against Google this year.

In short, the implementation of the GDPR on 25
May 2018 appears to be the most significant milestone so far in what looks set
to be a global shift in how data privacy is to be dealt with in the digital
age. We can expect increasing amounts of fines, compensation, litigation, and
headlines, not to mention more regulation and legislation to protect data privacy.
This will include the EU’s much delayed proposed ePrivacy Regulation, which in
March 2019 the European Data Protection Board pressed EU legislators to adopt.

The ePrivacy Regulation will probably not be
introduced for a year or two. When it is, it will affect all electronic
communications service providers, including WhatsApp, Facebook Messenger,
Skype, and Gmail. Its intention is to enhance the security and confidentiality
of electronic communications, to clarify electronic direct marketing rules (e.g.,
with regard to email and text messages), to clarify rules on metadata, to
define clearer rules on tracking technologies, such as cookies, and to achieve
more harmonisation of e-privacy across different countries. As with the GDPR,
infringers of the ePrivacy Regulation will also be subject to fines of up to
€20m, or 4% of total worldwide annual turnover of the preceding financial year,
whichever is higher.

The story, therefore, has just started in
relation to data privacy and the global digital market.