Griffith College’s Steven Roberts takes a closer look at the challenges Irish businesses still face on the third anniversary of GDPR.
The General Data Protection Regulation (GDPR) has been a priority area for Irish businesses since its introduction on 25 May 2018. With potential fines of €20m or 4pc of global turnover, it has captured the attention of media and the general public.
As the European base for many of the world’s leading technology companies, Ireland and its Data Protection Commission (DPC) have maintained a high profile. Among EU member states, Ireland recorded the third highest number of data breaches per 100,000 population during the period from 25 May 2018 to 27 January 2021.
In addition, last year saw the DPC issue its first significant fine under the GDPR. As the regulation marks its third anniversary, it is timely to consider some of the challenges businesses continue to face and a number of key trends of which firms must remain mindful.
Delays to a new ePrivacy Regulation
Privacy and data protection are separate rights under the EU Charter of Fundamental Rights. The GDPR marked a substantial step forward in European data protection laws. It was envisaged that a new ePrivacy Regulation would be introduced simultaneously to provide a similar overhaul of electronic communications privacy across member states. The current directive is widely viewed as outdated and no longer fit for purpose.
Unfortunately, the ePrivacy Regulation has become mired in lobbying and disagreement among EU countries. It is currently unclear if or when legislation will come into effect. In the meantime, supervisory authorities across EU member states have introduced their own guidelines in a bid to provide a consistent approach in relation to the GDPR and the standard it requires for informed, specific, unambiguous and freely given consent.
This has led to varying interpretations as to the best-practice use of website cookies and other tracking technologies. The DPC launched its own guidance in April 2020, allowing a six-month grace period for compliance.
Irish companies with a footprint in a number of EU countries must ensure they are aligned not only with the Irish DPC’s standards but also with local requirements in each jurisdiction. The cost of non-compliance can be punitive.
Adtech model under scrutiny
The advertising technology or adtech model remains under significant scrutiny by data protection supervisory authorities across Europe.
Spurred by continued concerns about what author Shoshana Zuboff has termed ‘surveillance capitalism’, agencies such as the Information Commissioner’s Office in the UK and France’s CNIL have questioned adtech’s transparency, while noting its complexity and the volume of personal data shared through services such as real-time bidding.
It presents fundamental questions for the future of this technology model, which underpins the marketing activity of most businesses in Ireland and internationally.
The future of work will be increasingly determined by technologies such as AI, big data and the internet of things. These use personal data in ever more sophisticated ways and, while they provide considerable service benefits to customers, many firms struggle to articulate how an individual’s data will be used in the straightforward, clear and transparent terms required by GDPR.
As use of such technologies develops across the economy, businesses and their compliance and legal teams will face further challenges in identifying what constitutes personal data and how to ensure that the transparency principle continues to be adhered to.
Lack of clarity on fines
Supervisory authorities have been active in issuing fines under GDPR. However, there remains a lack of clarity for businesses on the likely scale of fine that might be imposed in the event of a breach. This ambiguity is challenging for boards and their executive teams, as they seek to manage a company’s risk profile.
The DPC’s largest fine so far was a €450,000 penalty imposed on Twitter in December 2020. Other jurisdictions have been considerably more punitive. The French supervisory authority issued Google with a €50m fine in 2019, while British Airways was penalised £20m by the UK’s Information Commissioner’s Office for a breach that affected more than 400,000 of its customers.
It is likely to take a number of years before we see some level of harmonisation and the emergence of a standard baseline for fines.
International data transfers
Another aspect of ongoing concern to technology businesses is the lack of clarity around international data transfers. The EU-US Privacy Shield, a key mechanism for transferring personal data between the two jurisdictions, was ruled invalid by the European Court of Justice in July 2020.
This has left firms seeking alternative options. Due to the cost of implementing binding corporate rules and the lack of progress by authorities in developing codes of conduct and certification mechanisms, most firms now rely on standard contractual clauses (SCCs). These are a set of EU-approved clauses which, when included in a contract, can demonstrate compliance with GDPR. Last November, the EU proposed a new set of draft SCCs. If implemented, businesses would have 12 months within which to update their existing contracts.
Of particular concern to companies, however, was a set of proposed supplementary measures issued by the European Data Protection Board that same month. These outlined a range of organisational, contractual and technological measures a business could take if it ascertained that the country receiving the data transfer did not meet GDPR standards.
Industry groups have questioned how this will operate in practice. They believe that it will be especially burdensome for smaller businesses without the resources to undertake an in-depth assessment of the relevant country’s data protection framework.
An update on both the draft SCCs and proposed supplementary measures is expected in the coming months. Businesses will be watching closely to see if some of these ambiguities can be removed. Legislators in Europe and the US must also move with speed to provide a long-term replacement for Privacy Shield.
Data protection will remain a priority for Irish businesses in 2021. The DPC notes in its draft regulatory strategy that ambiguities still exist in how GDPR is interpreted across EU member states. A considerable journey remains before the EU’s promise of a harmonised data protection environment is achieved.
Steven Roberts is head of marketing at Griffith College. He is a certified data protection officer and vice-chair of the Association of Compliance Officers in Ireland’s data protection and information security working group. He is also the author of Data Protection for Marketers: A Practical Guide.