William Fry’s Leo Moore takes us through the data dilemmas and legislation hurdles data protection managers need to look out for in 2019.
Leo Moore has been a partner in the technology group at law firm William Fry since 2010. In that time, he has seen his practice shift from a focus on pure technology matters to an increasing concentration of data protection cases.
While we had the introduction of the General Data Protection Regulation (GDPR) across European Union member states in 2018, it’s this year that will see this regulation truly borne out.
“We’ve been talking about fines for the last 18 months being a prevalent part of what this GDPR means, and that has brought it to boardroom level,” said Moore. “The next year will involve much more in terms of fines, but smart management of dealings with the regulators will be an important facet of that.”
In Ireland, we’re yet to see our first GDPR fine, but Moore said we’re likely to follow what precedent is set in other EU countries. Yet, so far, inconsistency has brewed confusion as to the law’s application and interpretation. Seemingly similar cases in Portugal and Germany, for example, saw different outcomes for the organisations involved. In Portugal, a hospital was fined €400,000 for GDPR infringement, while Germany’s first fine under GDPR amounted to €20,000. Anecdotally, at least, it appears that the offending business in the German case was more engaged with the local commissioner’s investigation, apparently to its benefit.
As well as the regulators, organisations will have to deal with individuals more and more under GDPR. Data Subject Access Requests (DSARs) are up 56pc since the implementation of GDPR and Moore predicts a continuing increase as “people become more aware of their rights under the GDPR over the course of the next year”.
If organisations are to find themselves repeatedly inundated with DSARs, they might reconsider how much data they store and process. This is quite the quandary in the data age where almost every business is now dealing in data.
“Today, all companies are regarded as big-data companies. We conducted a survey of 200 C-suite executives, culminating in our Europe for Big Data report, and in that report a significant proportion – up on 90pc of companies – indicated that they were big-data companies, and that was irrespective of the sector from which that executive’s company came,” said Moore. “The importance of data to organisations cannot be understated.”
Data transfer in danger
Another issue of the data age is how we can keep that data flowing across borders, passing through different local legal requirements.
The ongoing Schrems II action threatens the free flow of data between Europe and the US, while Brexit challenges the links between Ireland and the UK. To mitigate data transfer issues when the UK leaves the EU, our neighbour across the Irish Sea needs to strike a deal for ‘adequacy’.
“Adequacy is a very important part of the Brexit deal for the UK,” explained Moore. “Adequacy would mean that UK data protection laws would be deemed to be of an equal standard to that in the EU, and that in itself would allow for the free flow of information between the European Union and the UK.”
Countries such as Canada, Argentina and, most recently, Japan have all been deemed adequate for EU data transfer, so hopes are high for a similar agreement with the UK. Otherwise, doing international business from Ireland could be under threat.
“A necessity in the context of doing business in Ireland – for a lot of the technology companies and the international companies – is that what we have here is the ability to facilitate free flow of information,” said Moore. “And I think the challenges that we see with Brexit and litigation [are] likely to cause difficulties for a lot of companies in continuing to operate on a globalised basis.”
Always playing catch-up
For Moore, “Europe certainly seems to be … driving the agenda on privacy across the world”, with US states such as California looking to reflect these policies in their own legislation. But it’s not unusual for legislation to be behind when it comes to the fast-moving tech environment. These days, technology involving artificial intelligence (AI) and blockchain is evolving at pace and the law is always playing catch-up.
“The technology will be miles ahead of where the law is so it’s incumbent upon technology lawyers to try and develop thinking and legal practices based on, in some cases, quite antiquated legislation, to apply to these new technologies,” said Moore.
He highlighted how traditional sectors are converging with tech, resulting in offshoots such as insurtech, regtech, agritech and adtech. In the case of that last area in particular, Moore said the very “norms that have built up around the adtech business” will face their own GDPR challenges in the coming year.
Moore also discussed the EU ePrivacy Regulation and, as with GDPR, he advised companies to prepare in advance of any deadline for implementation.
“Companies are going to have to adapt now and over the next 12 months to get ready for that legislation coming into force,” he said. “They’re going to have to think very carefully about the types of consent that they’re obtaining from individuals, and they’re going to have to think very carefully about the types of marketing that they are going to be able to conduct going forward.”