Diverging GDPR rules leave UK in tough spot
Data privacy rules in the EU, UK and US appear to be diverging. This could make the challenges of conforming to them all a complete nightmare, explains Bill Mew.
The General Data Protection Regulation (GDPR) came into force in May 2018 threatening fines of up to 4% of revenue for firms that abused the privacy of EU citizens. Last week, we saw the first major GDPR fine as the Irish regulator punished social media giant WhatsApp/Facebook with a €225m penalty.
We also saw the appointment of a new Information Commissioner at the UK’s data protection watchdog. As he stepped into his new role, John Edwards promised a post-Brexit “shake up” of data rules and a watering down of GDPR.
At first glance, the Facebook fine would indicate a move toward tougher enforcement within the EU. Meanwhile, the UK changes, which could include getting rid of cookie pop-ups, have been positioned as a weakening of GDPR to adjust the balance between protecting rights and promoting “innovation and economic growth”.
So are we seeing real divergence here between the EU and UK? And what are the implications for businesses operating in the UK or seeking to trade with the EU?
And why should this matter to anyone other than the compliance department?
The Irish move
The Irish regulators can hardly be said to be taking the initiative here. In the three years since the start of GDPR, the Irish Data Protection Commission (DPC) received 10,000 complaints a year and has been sitting on more than 20 major cases against the tech giants, over half of which are against Facebook. And this is its first major fine.
On top of this, the DPC had initially proposed a fine of €50m, which was only bumped up to €225m under pressure from the other European data protection authorities.
The reality, as recently explained on RT, is that the Irish are dragging their heels and are reluctant to rock the boat. Having used its favourable tax regime to entice most of the tech giants to base their European headquarters in Ireland, the country finds itself as their lead regulator, facing the task of having to hold them to account.
If it is reluctant to do so, then GDPR enforcement becomes ineffective, GDPR becomes meaningless and the privacy rights of citizens across the whole of Europe are compromised.
European data protection authorities exasperated
Understandably, other European data protection authorities and their collective grouping, the EDPB, are exasperated, and the European Parliament has gone so far as to request that the European Commission take action against the Irish. The last thing they want is anyone undermining or diluting GDPR. This is where the UK move comes in.
While GDPR is seen as the gold standard for data privacy and is being copied not only by other countries, but also by individual states in the US, there has been no progress at all to create an equivalent federal privacy law in the US Congress.
Furthermore, the EU’s focus on privacy as a human right and the US prioritisation of mass surveillance for national security are fundamentally at odds. Two transatlantic data sharing treaties have been struck down, Safe Harbor and Privacy Shield.
We now face a legal reality in which organisations are not allowed to use cloud or data services from US tech firms, as none comply with GDPR. Add to this a political reality in which everyone is turning a blind eye, as there is currently no realistic alternative.
There is unlikely to be any breakthrough as long as there is partisan gridlock in Congress and no real will in the US to uphold the privacy of its allies by protecting them from its own surveillance regime.
UK GDPR regulation position
The UK, as ever, occupies a mid-Atlantic position: as a member of the Five Eyes Consortium it is complicit in the US mass surveillance, but as a necessity for its post-Brexit trading arrangements it has been granted a GDPR adequacy decision by the EU, allowing data to continue flowing freely between the EU and the UK.
Enter John Edwards, a notable Facebook critic who led the Office of the Privacy Commissioner in New Zealand for the last seven years and who is now going to replace Elizabeth Denham as head of the UK’s Information Commissioner’s Office.
In the wake of the 2018 Cambridge Analytica data misuse scandal, Edwards publicly announced that he was deleting his account with the social media company – accusing Facebook of not complying with the country’s privacy laws.
His appointment aligns with the UK government’s agenda to tame the tech giants as it works to bring in safety-focused legislation for digital platforms and reforms of competition rules that take account of platform power.
Boris Johnson had already commissioned a special task force to investigate how the UK could reshape its data policies outside the EU. The report this summer recommended scrapping some elements of the UK’s GDPR altogether, branding the regime “prescriptive and inflexible”. Calling for changes to “free up data for innovation and in the public interest,” as it put it, the report also pushes for revisions related to AI and “growth sectors.”
UK on the back foot
Currently, the Irish – largely viewed positively by their EU colleagues – are being rebuked for failing to uphold and enforce GDPR. At such a time, any move from the UK to diverge from its data-sharing commitments and dilute its own version of GDPR is likely to cause alarm.
Despite the fact that its GDPR ‘adequacy’ decision is limited to four years, the UK government is risking any chance of renewal by preparing to reveal how it intends to “reform” (aka: reduce) domestic privacy standards.
Those in favour of reform point to the cost of compliance, the chance to do away with frustrations such as cookie pop-ups and the need to resolve the legal problems around use of US cloud services – rather than ignoring the problem. They also question the point of a more rigorous regime if, as in Ireland, it is not being enforced.
Those against reform argue that if a UK firm trades with Europe or even processes or stores the personal data of a single EU citizen, it needs to comply with EU GDPR anyway. Most organisations will therefore need to conform to the higher standards set by the EU and will want to avoid having to run two separate systems in parallel.
They will experience no benefit from any dilution of UK GDPR if the adequacy decision is not renewed in a few years’ time.
Security and compliance to increase
Senior executives need to be aware of the potential costs of complying with two different systems, or of facing regulation or litigation from either the EU or UK.
Cybercrime will cost companies worldwide an estimated $10.5tr annually by 2025, up from $3tr in 2015. At a growth rate of 15% year over year, cybercrime represents the greatest transfer of economic wealth in history, according to Cybersecurity Ventures.
Whatever your situation, expect the cost of your cybersecurity to increase over this period. Your data privacy compliance costs are also likely to increase – more so if you end up complying with both the UK and EU versions of GDPR.
Being on top of what is potentially your greatest business risk and also a continually rising expense will be essential for finance managers.
Founder and CEO of CrisisTeam.co.uk (SiliconANGLE global Startup of the Week – May 2019), an elite team of experts in incident response, cyber law, reputation management and social influence that help clients minimize the impact of cyber incidents. Previous cloud strategist at UKCloud (the...