The behemoth of EU data protection legislation – the General Data Protection Regulation ("GDPR") - was implemented into UK law five years ago today, on 25th May 2018. Although an EU instrument, the GDPR imposes obligations on organisations anywhere in the world if they offer goods or services to or monitor people in the EU. It applies directly in the UK following the UK's departure from the EU in 2020, and is supplemented by the Data Protection Act 2018 ("DPA").
Whilst the law itself has not changed since 2018 (although it looks set to, see "Looking ahead" below), our understanding of the implementation and implications of UK GDPR and the DPA have developed significantly over the last five years, since those initial projects to prepare for the 2018 legislation coming into force.
We had many questions over what to expect, so now, five years on from its implementation, we ask ourselves, has perception and reality of the GDPR changed?
1. Transparency and GDPR 2.0
A key objective of the regulators when creating GDPR was to create transparency of processing and trust between controllers and data subjects. Those objectives manifested themselves in the requirement to create documentation (policies, privacy notice, records of processing), the carrying out of risk assessments (Data Protection Impact Assessments (DPIAs) and Legitimate Interest Assessments (LIAs)), the number of data subject rights and governance within an organisation.
Much of this was first-perceived as daunting but over the past half-decade, we have seen a paradigm shift in data handling practices across every single industry in the UK (and in other jurisdictions), with organisations reinventing their data protection practices and frameworks and finding pragmatic solutions to make the law a reality. Privacy notices are taken seriously and time is invested to ensure they are accurate and complete. DPIAs are conducted not just where mandated, but (in many organisations) for any project that involves significant processing of data. The role of the Data Protection Officer, both mandated and voluntary, has become commonplace, with many in that role undertaking external qualifications.
After the first wave of creation of policy-level documentation, we have observed a second wave of compliance where organisations have realised that a one-time GDPR project does not maintain privacy compliance. Theoretical statements in policies are, over time, being turned into process-level documentation for teams in organisations to follow – colloquially known as "GDPR v2.0". Particularly in areas like data subject rights requests, vendor due diligence and breach escalation, we have seen organisations create practical step-by-step instructions for teams to set out very clearly what to do in those situations.
2. Controller-to-controller (C2C) and joint controller data sharing
GDPR contained no specific requirements where controllers shared data (unlike the contractual requirements for controller-to-processor ("C2P") sharing and no GDPR implementation projects included any diligence on C2C sharing. However, the Information Commissioner's Office ("ICO") produced the statutory Data Sharing Code of Practice on 17 December 2020 in response to the fast-growing area of more sophisticated sharing of data between controllers. This has put C2C sharing almost on a par with C2P sharing in terms of serious legal obligations to be considered and documentation to be produced. Helpfully, the Code of Practice recognises that C2C sharing takes many different forms, with different objectives between different numbers and types of organisations, meaning that the actual compliance documentation required can vary. But the discipline now required when analysing and preparing for C2C sharing is now arguably even greater than for C2P processing as the C2C documentation needs to capture much of the practical reality of the sharing of the data, as well as the legal responsibilities. We have seen many examples of organisations in many sectors entering into data sharing agreements to document their C2C sharing, which has helped create more standardised drafting and contractual structures.
In a similar vein, we have seen more examples of joint controller relationships, agreements and privacy notices than we anticipated which again has led to more typical approaches and contractual drafting
3. Fines
In excess of £75 million has been paid in fines issued by the ICO for breaches of UK GDPR, which is a big number, but probably not as big as was anticipated when the ICO was empowered to give GDPR-level fines.
Whilst the nine-step mechanism for calculating proposed monetary penalties, introduced in October 2020, still stands, the ICO's behaviour and use of its ability to fine organisations is changing. In the earlier years of the GDPR, we saw British Airways and Marriott each receiving penalties for insufficient technical and organisational measures to ensure information security. However, the fines of £20 million and £18.4 million respectively were significantly reduced from the initial much greater amounts proposed (of £183 million and £99 million respectively), partly against the backdrop of the COVID-19 pandemic, which, had such a huge impact on businesses in the aviation and hospitality sectors, amongst others. Much more recently in March this year, Easylife saw the amount of its monetary penalty notice reduced from £1.35 million to £250,000 once it ceased the unlawful processing. So whilst the ICO has the ability to levy punishing fines, the ICO's approach is much more pragmatic in reality.
This is evidence of the ICO's shift towards regulating for "outcomes" not "outputs". To quote the UK Information Commissioner:
"Getting better outcomes, and sharing those stories with the wider economy, can have a much greater effect on the lives and rights of the people of the UK than a fine might. That's my regulatory philosophy, and I'm sticking to it".
There has also been an announcement regarding the change in approach towards penalties for public authorities. This is with a view to avoiding the "money-go-round" of public funds. To demonstrate, the Cabinet Office saw, at the end of last year, its fine for disclosing the addresses of the 2020 New Year Honours recipients decrease from £585,000 to £50,000 in recognition of "the current economic pressures public bodies are facing".
The ICO's recent approach to enforcement action also includes a shift towards public reprimands, reminiscent of the ICO's pre-GDPR 'name and shame' policy. As of January 2022, the ICO is publishing reprimands, as well as records of breaches reported to it.
There is a continued reliance on monetary penalties in relation to Privacy and Electronic Communications Regulations (PECR) issues and breaches (albeit the fines that the ICO can issue in this area are more limited). Watch this space to see whether the ICO will change its enforcement approach in this area in the future noting its position towards fines more generally.
4. Class actions
The judgment of the Supreme Court in the case of Lloyd v Google LLC (see our insight 'Google defeats Supreme Court claim preventing data protection litigation floodgate' for more details) was a huge milestone in the development of the UK data protection legislation, particularly with regard to the viability of representative class actions under CPR 19.6. In this case, the Supreme Court decided that damages were not available for alleged loss of control of personal data without in fact proving there has been some financial damage or distress caused.
One of the key questions on everyone's mind following this case was; "would you get a different result under GDPR?" The claim for loss of control of data in Lloyd was made under the Data Protection Act 1998, rather than the DPA 2018 and UK GDPR.
At present, the jury is out, noting that other large representative class actions have also been discontinued, most notably the case of SMO v TikTok [2022] EWHC 489 (QB) issued prior to the outcome of Lloyd due to perceived procedural advantage relating to Brexit. Whilst SMO had the potential to consider the representative action in a DPA 2018 and UK GDPR context, it ultimately followed in the footsteps of its representative action predecessors - it was discontinued in May 2022 prior to TikTok's application for strike out which would have been based on the Lloyd judgment.
The highly anticipated judgment in Prismall v Google [2023] EWHC 1169 (KB) casts further doubt on whether representative actions are feasible. In this case, Mr Prismall brought an action against Google and its subsidiary, DeepMind, on behalf of 1.6 million NHS patients for damages for the misuse of confidential medical records. It moves away from data protection legislation and instead is brought under the common law relating to the misuse of private information. Judge Heather Williams ruled on Friday 19 May 2023 that the case should not proceed, concluding that: "it cannot be said that every member of the class across the board has a viable claim […] each member of the claimant class does not have a realistic prospect of establishing a reasonable expectation of privacy in respect of their relevant medical records". The Judge's ruling explained the claim was found to fail.
European case law would suggest that loss of control damages are not available under the GDPR. There is a clear concern from European Courts of creating a disproportionate outcome resulting from claimants being able to mount claims without having to prove harm. Whilst European rulings do not have an impact on English Courts, it seems reasonably likely judges in the UK would reach a similar outcome.
If representative actions under the GDPR or for misuse of private information are not viable, there will no doubt be greater focus on potential alternative case management tools available to claimants. The solution could potentially be the "opt in" model under CPR 19.10 (concerning Group Litigation Orders ("GLOs") or the lead claimant model.
A key development is the lead claimant model. This is where a group of claimants with common issues are tested through a small number of lead claims, with judgment in the lead claims being treated by the parties as binding across the entire potential claimant cohort. The non-lead claims are stayed pending the outcome of the lead claims. In the event the lead claims are successful, the non-lead claims are decided on an individual basis by reference to their own particular facts.
The lead claimant model has recently been held to be more proportionate than a GLO in the case of Beck v Police Federation. However, organisations should be wary of the risks of "claim-stacking". This is where low value lead claims are effectively "stacked" adding up to a high value claim tested in the High Court.
5. International transfers
The story of international transfers over the past five years has been very complex.
First was the introduction of new European Commission approved Standard Contractual Clauses ("SCCs") – although the UK was not affected by those as it had left the EU by the time they were introduced in 4 June 2021. The major change in the UK was the introduction of the UK International Data Transfer Agreement ("IDTA") on 21 March 2022 which is the ICO's equivalent of the SCCs as an approved safeguard mechanism for transfers of personal data to countries that do not have an adequacy decision. The ICO also helpfully acknowledged that many organisations with European entities would want to use the new EU SCCs and produced the UK Addendum to the EU SCCs (as an alternative to using the IDTA). Whilst we still await the ICO guidance to accompany the IDTA, companies have had to adapt to using these and re-papering ongoing transfers to use the new safeguard mechanisms.
In contrast, we have also seen the fall of another safeguard mechanism, the Privacy Shield. The Privacy Shield was an agreed framework introduced in 2016 as the successor to the Safe Harbour framework, which intended provide a safeguard mechanism for the transfer of personal data between the European Union and the United States. However in July 2020, the Court of Justice of the European Union ("CJEU") ruled in the case of Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (otherwise referred to as Schrems II), that the Privacy Shield did not adequately protect the personal data of European citizens. This led to the Privacy Shield being invalidated and organisations who previously relied on this framework to transfer personal data were forced to seek alternative mechanisms. There are now ongoing, separate discussions between both the UK and EU with the USA to create a new framework to replace the Privacy Shield.
The other consequence of Schrems II was the rise of transfer risk assessments ("TRA"). The CJEU stressed the importance of this tool to demonstrate the data exporter's diligence in assessing the risks involved in the transfer of personal data to a third country. The ICO has subsequently created a useful template and set of guidance notices to guide organisations through the TRA process, which itself balances the depth of the TRA with the nature of the processing being undertaken.
Another moving piece is that the UK Government, newly empowered post-Brexit, is looking at adequacy decisions for other countries. It has already awarded South Korea adequacy in December 2022, but other priority countries include Australia, Columbia, Dubai, Singapore and the USA. This aligns with the focus on the UK's international trade agenda post-Brexit but must be balanced against the UK's own finding of adequacy from the EU for transfers out of the EU to the UK.
Finally, the UK has applied to join the Global Cross-Border Privacy Rules Forum, which the UK hosted in April 2023. This forum is made up of many jurisdictions globally and is looking at more globally-aligned rules on privacy, building on the Asia-Pacific Economic Co-operation cross border privacy rules system.
Looking ahead
Reform to UK data protection law is now imminent. The UK's Data Protection and Digital Information (No.2) Bill is currently at Committee stage. An original bill was delayed and then revised following the change in government leadership in 2022.
The UK Government is looking to use its independence from Brussels to develop data protection law to enable UK organisations to facilitate international trading, lighten bureaucracy for low risk processing, enable innovation and reform the role of the ICO whilst maintaining high standards of personal data protection for individuals. The Government believes this will save £4.7 billion for British business over the next ten years. Whilst the new Bill will bring change, it seems likely that organisations operating across Europe and beyond should be able to maintain one GDPR standard.
If you have any questions about this article, please contact Patrick Arben, Jocelyn Paulley or Saha Deyshehkhi.