What is the General Data Protection Regulation (GDPR)?
The development of, and dependency on, new technology in the modern world has altered the way people navigate their daily lives. Individuals can compromise their own privacy through the use of apps and websites: data relating to them is collected and can then be used to monitor and predict their behaviour. With the technological advances of the last twenty years, privacy and data protection laws became increasingly ineffective, as the scope of many of the previously defined provisions could not be applied to new technology. The GDPR replaced data protection rules across Europe that were almost two decades old; it also "harmonised" data protection law across all member states and gave individuals greater protection and rights. The GDPR, which officially came into effect on the 25th of May 2018, is now celebrating its 3-year anniversary. We take a look back at some of the standout decisions that have arisen since the GDPR's birth and their impact on data privacy.
How Have Data Controllers Been Affected?
The GDPR has provided a framework for data controllers (i.e., those who decide how and why personal data are processed) and data processors to ensure that the processing of personal data of EU data subjects remains lawful. For example, the GDPR sets out the principles for the lawful processing of personal data (Art. 5-11), the rights of the data subject (Art. 12-23), the obligations of data controllers and processors (Art. 24-43) and the process for transferring data to a third country (Art. 44-50). In a theoretical context the GDPR provisions are extremely clear and transparent, but what does this mean in a practical sense?
The GDPR requires that data controllers adhere to its 7 overarching principles (Art. 5):
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Data controllers must implement a privacy by design and by default approach (Art. 25). Data controllers who expect a processing activity to pose a high risk to the rights of data subjects must conduct a Data Protection Impact Assessment (DPIA). This enables the data controller to implement safeguards so that the data receives the highest level of protection (e.g. pseudonymisation and encryption).
For some companies, a Data Protection Officer (DPO) has now become mandatory. The DPO works with the organisation and the supervisory authority to ensure GDPR compliance. These officers prepare reports detailing a company’s level of compliance and offer suggestions to aid the company where appropriate.
A data controller must also be aware of data subjects' rights and respect a data subject's wish to invoke any of them. The data controller is responsible for complying with a data subject's request to delete, rectify or access their information. A data controller must also notify the supervisory authority within 72 hours of becoming aware of a data breach.
A data controller is expected to be able to demonstrate their compliance with the legislation.
What is a Supervisory Authority?
A Supervisory Authority is an independent public body that investigates and enforces compliance with data protection law. In Ireland the governing body is the Data Protection Commission (DPC). The DPC releases an annual report analysing the data protection issues of a given year. The 2020 annual report showed a 9% increase in the number of data protection complaints compared with the previous year. In November 2020 the DPC imposed its first administrative fine under the GDPR, €75,000 on Tusla Child and Family Agency, in respect of a number of data breaches. Since then, the DPC has issued a fine of €70,000 to UCD for failing to implement appropriate security measures and a sanction of €450,000 to the social media company Twitter for data breaches. With the rising number of cases, this is a proactive attempt by the DPC to enforce widescale compliance and to highlight that no organisation is exempt.
How Has the GDPR Addressed Some of the Challenges Facing Data Protection Law in 2020/21?
The area of data protection has been subjected to many transformative developments globally.
- The Privacy Shield
The removal of the Privacy Shield has had a significant impact in this area. The EU-US Privacy Shield Framework was designed to give companies on both sides of the Atlantic a mechanism to comply with data protection requirements when transferring personal data from the EU to the US, in support of transatlantic commerce. In July 2020 the European Court of Justice (CJEU) struck down the Privacy Shield. In Schrems II (C-311/18), the CJEU ruled that under US law personal data was not guaranteed the level of protection it receives under EU law. The Privacy Shield was therefore invalidated, and the CJEU indicated that Standard Contractual Clauses (SCCs) provide more appropriate safeguards for the protection of EU data in the US. SCCs require that the level of data protection in the third country be equivalent to that of the EU. The ruling validated the use of SCCs for such transfers, provided that the EU-based entity verifies the recipient country's level of data protection before the transfer takes place. In May 2021, the Civil Liberties Commission urged the European Commission to assess the impact of this decision on data transfers with the US, aware that businesses may struggle to assess the data protection regimes of third countries themselves. MEPs have also asked the European Commission to issue detailed guidelines on making data transfers compliant.
- Cookies & Tracking Technology
Lastly, when discussing European legislation it would be remiss not to mention the impact that Brexit could have in this area. The main concern was whether the GDPR would continue to operate in the UK. Like any country that handles EU personal data, the UK will be required to afford it the same protection as the GDPR. In relation to data transfers, in February 2021 the European Commission initiated the process of adopting two adequacy decisions for transfers of personal data to the UK, one under the GDPR and the other under the Law Enforcement Directive. In recent months, the Commission has been assessing the UK's data protection practices to ensure that the UK can provide a level of protection similar to that of the GDPR. On the 21st of May 2021, a very narrow majority (350:335) of MEPs voted to oppose the draft UK Adequacy Decision.