GDPR 3 years on – The greatest hits (and misses)

More than three years have passed since the GDPR applied and a lot has happened in the world of data protection during that time – fines, class actions, court challenges and more. We give our “playlist” of the greatest hits (and misses). Our previous article marking 12 months of GDPR had a cinematic theme. Now, we’re giving the three-year anniversary of GDPR a musical twist.

1. All the Single Ladies (credit to Beyoncé Knowles, Terius Nash, Thaddis Harrell, and Christopher Stewart)

Brexit: “If you liked it, you should[n’t] have put a [referendum] on it…”

The United Kingdom left the European Union and now has its own data protection regime in the form of the Data Protection Act 2018 and the UK GDPR. For now, this is largely based on the EU GDPR but we expect further divergence in future as the UK seeks to establish itself as a favourable place for overseas companies to do business.

Just in the nick of time before transitional data transfer arrangements ran out, the EU has granted the UK "adequacy", allowing personal data of individuals in the EU to continue to freely flow to the UK.

Other data protection impacts of Brexit include that:

• the UK no longer has a seat at the table of the European Data Protection Board (EDPB);
• businesses may need to consider the possibility of a new lead authority and may no longer be able to rely on the ‘one-stop-shop’ mechanism under the GDPR, depending on which other countries they have establishments in (which may mean dealing with more regulators) and where decisions in relation to the processing of personal data are made;
• representative arrangements may need to be reviewed – businesses outside the UK that are caught by the UK GDPR may need to appoint a UK representative, and businesses within the UK that are caught by the EU GDPR may need to appoint an EEA representative;
• mechanisms for data transfers to and from the UK may change, and may get more complex – for example, the European Commission has just released new standard contractual clauses (SCCs) but the ICO has said it is developing its own new UK SCCs (see 6. below); and
• privacy notices, data protection impact assessments and other documentation may need to be updated with Brexit-related changes.

2. Price Tag (credit to Jessie J)

Fines: “It’s not about the money, money, money… it’s about the [privacy] price tag”

The increased fines under GDPR (of up to the higher of €20,000,000 or 4% of global annual turnover in the preceding financial year) were all that anyone could talk about in the lead up to GDPR and beyond. CMS’s Enforcement Tracker provides a goldmine of information about administrative fines from the European data protection regulators. Some key GDPR trends from May 2018 to mid June 2021 include that:

• a total of €283,757,083 in fines has been levied from a total of 654 fines;
• the Spanish AEPD has issued the highest number of fines– 233 (totalling €29,573,410);
• the Italian Garante has issued the highest total value of fines – €76,298,601 (for 79 fines);
• the highest single fine was €50,000,000 against Google Inc. by the French CNIL for not having a lawful basis for data processing (21 January 2019); and
• the GDPR provision most often fined under by number of fines is Article 6 (and 9) in respect of failure to have a valid lawful basis (and condition) for processing – 251 fines (totalling €166,759,743).

3. Bad Guy (credit to Billie Eilish and Finneas O'Connell)

Other enforcement: “Might [misuse your data] type… I’m the bad guy…”

Data protection regulators have other enforcement measures aside from fines in their arsenal, which can be just as or even more disruptive to business operations. For instance, they can order organisations to stop processing personal data, erase data or cease international transfers of data. Examples include:

• Portugal: The NDPC ordered Statistics Portugal, in carrying out the national census, to suspend processing of personal data by its service provider in multiple non-EEA jurisdictions, including the United States, that lacked adequate privacy protections.
• UK: The ICO issued stop processing notices against Aggregate IQ, arising out of the Cambridge Analytica, and Her Majesty’s Revenue and Customs (HMRC) for non-compliant collection and use of Voice ID data. The UK regulator also ordered credit reference agencies that were using personal data obtained for credit referencing purposes for direct marketing to stop doing so.
• Germany: The Bavarian BayLDA ordered a German company to stop using a 'Mailchimp' tool due to concerns over the international data transfers requirements not being met.

4. You’ve Lost That Lovin’ Feeling (credit to Phil Spector, Barry Mann, Cynthia Weil)

Data breaches: “You lost that [password data]. Now it's gone, gone, gone (whoa-oh)”

‘Personal data breach’ is a broad term that covers accidental losses of personal data, as well as malicious cyberattacks such as ransomware and phishing. Nearly 150 fines have been issued to date by the various European regulators for infringing the security provisions of the GDPR, with more than 45 for failing to comply with obligations to notify the regulator(s) and/or affected data subjects of a personal data breach.

Notable data breaches during the last three years include:

• British Airways (UK) – The breach affected more than 400,000 customers, with hackers accessing log-in details, payment card information, and other information such as contact details.
• Marriott (UK) – Hackers gained access to 83 million guest records (including of 30 million EU residents) in the hotel chain’s guest reservation database, including guests’ names, addresses, passport numbers, and payment card information.
• Budget airline (UK) – Email addresses and travel details of around 9 million customers worldwide were allegedly compromised, including some payment card details. The ICO is still investigating.

Social media data being leaked onto hackers’ forums is also becoming a more common occurrence, which may ultimately result in enforcement action following investigations (eg Facebook, Clubhouse and LinkedIn all were reported to have sustained data losses in April 2021).

5. Come Together (credit to John Lennon and Paul McCartney)

Class actions: “Come together, right now, over m[y data rights]”

The last three years has seen the rise of the data protection class action. Often this will come off the back of a data breach, or other GDPR infringements, following the regulator(s) bringing enforcement action. The procedural aspects of how these claims will work and the types of losses that can be recovered are still being decided in the courts. However, if they become the norm, organisations could face multi-million euro damages claims if the claimant class is large enough (on top of fines and other losses).

Examples include:

• Budget airline (UK) – A class action is being brought on behalf of around 9 million customers claiming up to £2,000 each for losses in respect of a personal data breach involving their data.
• British Airways (UK) – A class action is being brought on behalf of over 400,000 customers whose personal data was compromised in a data breach. The solicitors running the action estimate that claimants could get an average of £2,000 each.
• Lloyd v Google (UK) – Mr Lloyd has brought a representative action (under the previous (pre GDPR) UK data protection regime) against Google, on behalf of around 4.4 million smartphone users alleging that Google unlawfully bypassed a third party cookies blocker to collect and use browser generated data. Submissions have been made by the parties to the UK Supreme Court and judgment is awaited.

Rise Like a Phoenix (credit to Joey Patulka, Alexander Zuckowski, Julian Maas and Charlie Mason. Performed by Austrian Eurovision winner Conchita Wurst)

International data transfers: “Just when you thought it couldn’t get any wurst…”

The recent history of international data transfers looks a little something like this:

• 6 October 2015 – the Safe Harbor regime was shot down by the CJEU following a court action brought by Austrian privacy activist Max Schrems against Facebook objecting to the transfer of his personal data to the US (Schrems I).
• 12 July 2016 – from the ashes of the Safe Harbor rose the EU-US Privacy Shield as a mechanism for EEA-US data transfers.
• 16 July 2020 – Mr Schrems struck again, and the Privacy Shield was also invalidated by the CJEU (Schrems II). However, the validity of the standard contractual clauses (SCCs) was upheld as one of the few remaining adequate safeguards for international data transfers, although their use was made subject to a raft of additional requirements on businesses wanting to transfer personal data out of the EEA and the UK to high privacy risk jurisdictions. See CMS’s Law-Now Schrems II update.
• 4 June 2021 – new EU SCCs were adopted by the European Commission following a consultation and can be used as an adequate safeguard to transfer personal data from the EEA to third countries.
• As at early June 2021 – the UK ICO has said that it plans to release its own UK SCCs in 2021 but in the meantime the previous SCCs plus supplementary Schrems II measures will need to be used.
• As at early June 2021 – the European Data Protection Board (EDPB) published guidance on supplementary measures to the SCCs (on 10 November 2020) and released this for consultation. Currently, this is waiting to be formalised.
• As at early June 2021 – talks are underway between the US and the EU for the new and improved EU-US Privacy Shield 2.0.

6. It’s Long Way to the Top (credit to Angus Young, Malcolm Young and Bon Scott (ACDC))

Codes of Conduct: “It’s a long way to the top if you wanna [write a co-oode]”

It’s only taken three years(!) but the very first Codes of Conduct were approved by the EDPB in May 2021. The EDPB adopted two Article 64 GDPR opinions on the first draft decisions on transnational Codes of Conduct: the CLOUD Code of conduct for cloud service providers (from the Belgian DPA), and the CISPE Code of conduct for cloud infrastructure service providers (from the French CNIL). The Codes aim to provide practical guidance and define specific requirements for processors in the EU subject to these Codes (ie under Article 28, GDPR).

7. Paranoid Android (credit to Ed O'Brien, Thom Yorke, Jonny Greenwood, Colin Greenwood and Philip Selway (aka Radiohead))

AI gets its own regulation: “Rain down, rain down… [the mega fines].”

In March 2021, the European Commission released its Proposal for a Regulation laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) on 26 April 2021 to address the risks of Artificial Intelligence (AI). The Regulation aims to:

• develop a new framework of regulators, monitoring and testing, compliance and governance;
• impose pre-release checks and balances on high-risk AI systems, including regarding security, risk assessment, audit logs, dataset quality and human oversight; and
• prohibit use of AI systems that result in an unacceptable risk to individuals.

To keep any bad robots in check, it will also carry with it a heavyweight enforcement regime – for the most serious infringements, maximum administrative fines of up to €30,000,000 or, for corporates, up to 6% of total worldwide annual turnover for the preceding financial year, whichever is higher, will apply.

8. Toxic (credit to Cathy Dennis, Christian Karlsson, Pontus Winnberg, Henrik Jonback. Performed by Britney Spears)

GDPR for a global pandemic: “You're toxic, I'm slippin' under [the weight of GDPR compliance]”

The COVID-19 pandemic has been a good litmus test for the GDPR regime, as businesses have had to grapple with the privacy risks associated with things like:

• moving their workforces to remote working arrangements;
• implementing testing processes for on-site workers;
• dealing with track and trace, vaccination and COVID status certification schemes;
• reopening international travel; and
• COVID-related scams.

In our view, more could have probably been done to help out businesses that were already struggling by way of industry-specific guidance from the regulators and pragmatism in respect of enforcement action.

9. The Key The Secret (credit to Rohan Heath. Performed by Urban Cookie Collective)

Governance and training: “I've got the key. I've got the secret. I've got the key to [accountability].”

When dealing with enforcement, the data protection regulators have emphasised time and time again the importance of good data protection governance and staff awareness of data protection obligations. During an investigation the regulators will almost always ask to see copies of data protection policies and procedures and evidence of staff data protection training such as training records.

CMS’s eLearning team offers a range of on-demand or tailored training options to help your organisation stay ‘privacy aware’ and on top of its data protection compliance. Please contact us to request a demo or discuss your training needs.