Adaption and (little) enforcement: the GDPR one year after implementation
The EU General Data Protection Regulation (GDPR) was implemented across EU Member States in May 2018 and represents one of the world’s toughest privacy regimes. Its arrival forced companies, even those based outside of the EU, to consider how they handle individuals’ data and in some cases required companies to make significant changes. A year after the GDPR’s implementation date, Margaret Taylor investigates its impact, its enforcement and how in-house lawyers have adapted to ensure their organisations are compliant.
The internet has come to dominate almost every aspect of our lives, as more and more of us have become comfortable doing everything from buying our weekly shop to paying our monthly bills in an online marketplace.
And why not? After all, the benefits of being able to complete in a few smartphone clicks tasks that would previously have taken time, effort and physical presence to achieve are clear. Yet with organisations including Yahoo and Marriott International, TSB and TalkTalk among the many that have suffered data breaches in which customers’ personal information has been compromised, the drawbacks are clear too. Indeed, in the case of Yahoo the names, email addresses, dates of birth and telephone numbers of up to three billion users were stolen across two separate hacking incidents in 2013 and 2014, while a botched IT upgrade at TSB in 2018 saw many customers temporarily unable to access accounts. No wonder lawmakers are taking online privacy so seriously.
Rules around how companies can use customer information in the regular course of business have been in existence since the 1980s, with the United Kingdom passing its first Data Protection Act in 1984. That and similar laws in other countries have been gradually updated as internet use has increased, with the 1998 update to the law being enacted to take account of the European Union’s Data Protection Directive 1995.
In 2018, though, things really became onerous. The EU’s General Data Protection Regulation (GDPR) was implemented by Member States as part of their own data protection laws, ushering in the world’s toughest privacy regime yet. In addition to giving individuals greater rights to demand that companies reveal or delete the information they hold on them, the GDPR has also put the onus on businesses to either ensure customers’ private details remain just that – private – or face not only public censure but fines of up to the higher of €20m or four per cent of turnover too. Unsurprisingly, companies had their work cut out preparing for the change.
Abhijit Mukhopadhyay is Secretary of the IBA Corporate Counsel Forum and general counsel at London-headquartered Indian conglomerate the Hinduja Group. His organisation is made up of 100 companies and employs 127,000 people, does business in 150 countries and has a physical presence of its own in around 70. The amount of customer data it stores across these entities is frighteningly large and frighteningly sensitive, not least because its business process outsourcing arm, Hinduja Global Solutions, provides back-office functions to businesses operating in the health insurance and financial services sectors.
As the group is headquartered in London and has operations in 20 European countries it must comply with the GDPR. Though the organisation would have had the option of creating a dual standard, where consumers outside the EU were afforded fewer protections than those within it, the complexity of its group structure – not to mention the fact that the GDPR also applies to non-European companies that offer goods and services to EU-based consumers – meant that creating such a dual standard would have been needlessly complicated to achieve. Additionally, Mukhopadhyay says that because Hinduja is ‘a mega, mega organisation’, designing a system that is foolproof has been impossible.
‘We have substantial operations in Asia, South East Asia, the Middle East and the US,’ says Mukhopadhyay. ‘US data protection and privacy laws are very strict so if you comply with EU regulations you comply in the US also. In South East Asia things are not that stringent and in the Middle East they’re not that stringent, but since we are operating globally it’s not possible to have different policies and procedures; we have to have a policy that’s available to everyone. Yes, we have our policy, and yes, we have more or less the same policy everywhere, but it’s not a uniform one because the kind of stringency that’s required in a service department [such as Hinduja Global Solutions] will not be required in other areas.’
The scope of the GDPR is so broad that it is catching businesses that would not ordinarily have to take action in other parts of the world. Indeed, so far-reaching is the regulation that even companies that do not deal directly with the public – and so do not hold the kind of personal information the law was designed to protect – must comply.
Bart Selden, Committee Liaison Officer of the IBA Corporate Counsel Forum and General Counsel at San Francisco-headquartered Fintech company Taulia, notes that as his employer provides payment systems to other businesses and never deals directly with consumers, the protection of personal data is not something it had previously given much thought to. Its clients, which include Allianz, AstraZeneca, eBay and PayPal, may hold the personal details of millions of consumers, but it is only the details of those clients – all of which are business entities – that Taulia itself holds.
However, as the regulation classes anything that links a person’s name with their place of work as personal data, it relates to work email addresses as well as personal ones. As a result, Taulia, which has a physical presence in Bulgaria, Germany and the UK and clients operating across the globe, had no option but to update its systems ahead of the May 2018 implementation date.
‘We have policies that evolved in the run up to the GDPR becoming effective because the regulation doesn’t make any distinction between personal emails and work ones – they are classed as personal data even though they only identify you in your role as an employee,’ Selden says. ‘As that is classed as personal data we are required to treat it in the same way as if we were talking to consumers.’
‘As a B2B network provider it was not something we had thought about at a deep engineering level,’ he adds. ‘There had been no need to because for us it was not related to a person as a person but as the role they play within a company; they submit an invoice but their identity as an individual means nothing to us.’
‘The very legitimate concerns about personal data and the issue of protecting that data are being applied quite broadly to an area where there’s not really an economic incentive for that misuse, yet we’re caught up in that just the same,’ continues Selden. ‘I don’t think that’s providing protection to individuals in the way that it does at a consumer level.’
Despite this, Carolyn Jameson, who was until April 2019 Chief Legal Officer at holiday-booking website Skyscanner, says that one of the main benefits of the new regulation is that it allows compliant businesses to reassure customers that their processes are sound, regardless of the level of information they hold on them. Skyscanner, which aggregates holiday deals before passing prospective customers onto the companies providing those deals, holds limited information about users on its systems, with payment details in particular not being part of the information it asks for. Nevertheless, Jameson believes the GDPR has made all companies think more about how they handle customer data of any kind, something that will work in Skyscanner’s favour as and when it begins to do more around billing in its own right.
‘My view is that it’s more about businesses having to catch up with public sentiment; we can all see that there’s been a shift,’ she says. ‘People are starting to ask more questions about what the big internet companies are doing with their data. There’s a lot of upheaval [to ensure your business is compliant] but you have to do that if you want the public to trust you and use your website.’
Mukhopadhyay agrees, noting that ‘confidentiality is becoming a huge issue’, not least because consumers are so alive to the problems that arise when their personal details are either stolen or sold by unscrupulous businesses. This is particularly true as the potential consequences of data breaches such as those at TSB and TalkTalk are easy for customers to quantify, while those at the likes of Facebook are not. Indeed, while British political consulting firm Cambridge Analytica allegedly harvested the personal information of millions of Facebook users so they could be targeted for political purposes, those users would have been unaware they were being targeted either at the time of the alleged breach or, potentially, afterwards.
‘There’s a huge need from a personal point of view for there to be very strict legislation in place,’ Mukhopadhyay says. ‘These days everything is going online and it’s becoming a big problem. It’s very easy to keep track of what I’m doing from morning to night, from home to work – everything is being tracked. When I touch my Oyster card to get on public transport, park my car, come out of a restaurant, come into the office. Even how many times I go to the washroom is being recorded because I touch out of the office. This is how our lives are monitored and we have no control over this.’ In this kind of situation, Mukhopadhyay notes, he is very anxious that his personal information be protected.
But just how effective has the new regulation proved so far? Selden notes that ‘significant fines’ are starting to be handed out, with the Dutch and French authorities proving to be particularly strict when it comes to GDPR compliance. At the beginning of 2019 the French data protection watchdog the Commission Nationale de l’Informatique et des Libertés issued tech giant Google with a fine of €50m for failing to meet GDPR standards on transparency and consent, as well as failing to sufficiently inform users how their data would be used to personalise ads. The Dutch data protection authority, the Autoriteit Persoonsgegevens, meanwhile, published a detailed GDPR fining policy last month, making the Netherlands the first European country to do so. In the Republic of Ireland, the country’s Data Protection Commission is currently investigating activity at big-name businesses such as Apple, Facebook, Instagram, LinkedIn, Twitter and WhatsApp.
‘We’re starting to see a mixture of targets,’ Selden says. ‘Some you could have named in advance, like Google or Facebook, but some of the names coming in now I hadn’t heard of.’
Yet Selden remains unconvinced that the GDPR will solve all data protection issues by itself, with some onus having to be put on consumers to better protect themselves too.
‘By this point I think pretty much everyone with a concern in this area in Europe would be aware that Google uses information in order to put ads in front of them and probably a bunch of other things too,’ he says. ‘There are alternatives to Google and yet Google’s share of the search market in Europe [as a percentage] is in the high nineties.’ He suggests that, if people were really concerned about it, they would use more of the alternative offerings out there.
‘As a policy matter is it the best response to say prohibit commercial activity so no one needs to think about what they’re doing or is it better to educate people so they know what’s being done and require service providers to clearly tell you what they’re doing and let people have a choice?’ adds Selden.
Mukhopadhyay, too, believes that the GDPR can only do so much and that unless businesses – and big tech firms in particular – start to self-regulate more, ‘there’s no possibility that you and I will be safe’.
‘Around 50 per cent of the world’s population has data stored in one form or another,’ he says. ‘When you talk about data it’s extremely intimate – [for example], bank details, a driving licence – and it can make me penniless and insolvent if it’s not used properly.’
Noting that even with the stricter regulations data breaches remain commonplace, Mukhopadhyay says that ‘much more needs to be done, there’s no doubt about it, but the legislation can’t really do it’. The answer, he believes, is for individual businesses – and technology-driven businesses in particular – to ensure they are not simply taking steps to comply with an overarching set of regulations, but to come up with their own internal rules for better practice too.
While €50m may seem like a huge fine, for a company like Google, which turned over close to $140bn in 2018, it may not be punitive enough to make a difference. That, and the fact that so few fines have so far been issued, add to the impression that the GDPR is all very well in theory but far from ideal in practice, says Jameson.
‘So far we haven’t seen any significant enforcement, or at least not enforcement that you would think is significant in terms of what’s been happening,’ she says. ‘The law needs enough teeth to be able to make a difference but it’s questionable whether it has that at the moment. The GDPR is a starting point, but there would have to be fines combined with personal liability for directors [for it to be effective].’
Mukhopadhyay agrees, asking ‘how many people have gone to jail [for data breaches] in the UK or Europe? None.’ He adds that for the moment at least there appears to be ‘no will to do that’.
Just as Jameson believes that as the law ‘catches up to public sentiment’, regulations around online data protection and privacy ‘will develop further’, Mukhopadhyay feels the GDPR will only be truly effective when it is coupled with ‘strong punishments to act as a deterrent’ as has been the case with similar areas of law.