Dena Anee (Regular Writer)
The fantastic advances in the field of electronic communication constitute a greater danger to the privacy of the individual.
Chief Justice Earl Warren
Data is of vital importance in today's digital age. Organisations – whether they be commercial undertakings, banks, educational institutions or public bodies – can rely on the information which they collect about their customers and users to make better decisions.
However, there is always a risk that the collection and retention of such data can go too far: for example, Mark Zuckerberg, the founder and CEO of Facebook, recently faced gruelling interrogation in a two-day hearing before the US Congress. The hearing focused on Facebook’s negligence in failing to protect the personal information of its users from – among other things – being used by the political consultancy firm Cambridge Analytica (CA) to allegedly engage in voter suppression and micro-targeted advertising.
The Cambridge Analytica scandal is one of many to highlight significant issues surrounding data and privacy laws. In particular, it raised an important question concerning the extent to which the information collected, stored and used by organisations constitutes a threat to an individual's right to privacy. Furthermore, as Connor Griffith has examined for Keep Calm Talk Law, it raised a second question about whether the law has been providing sufficient remedies to individuals whose privacy is at risk of being, or has been, breached by data retention.
In light of this, this article examines how the newly introduced European General Data Protection Regulation (the GDPR), which came into force throughout the European Union on 25 May 2018, will impact upon the answers to these two significant questions.
The Law before the GDPR
Article 8 of the Human Rights Act 1998 (HRA) provides that everyone has a right to respect for their family and private life, their home and correspondence. This principle is also outlined in Article 7 of the European Union Charter of Fundamental Rights.
In the UK, before the introduction of the GDPR, the regime that attempted to uphold these rights was set out in the Data Protection Act 1998 (DPA 1998), which implemented the provisions of Directive 95/46/EC (the Data Protection Directive). This regime was introduced to harmonise the rules on data protection across Member States, in a way that would help enhance the extent to which the processing of citizens’ personal information could be controlled and regulated throughout the European Union.
As a result, any processing of personal data undertaken by companies operating in the European Union was required to comply with the Data Protection Directive and the DPA 1998 and take account of the need to respect the rights of the individuals concerned under Article 8 of the HRA 1998.
For the most part, the DPA 1998 was successful in laying down important principles to govern the way in which personal information is handled, used, and protected, and the GDPR retains many of these principles. However, the DPA 1998 failed to implement stringent punishments against companies that violated its provisions.
Furthermore, the DPA 1998 lacked clarity and coherence in some areas. For example, the distinction contained in Section 1(1) of the DPA 1998 between ‘data controllers’ and ‘data processors’ left a gap in the protection that individuals were afforded.
This distinction represented a statutory acknowledgement that, in many contexts, two different types of persons interact with data. On the one hand, ‘data controllers’ were persons who determine the ‘purposes for which and the manner in which any personal data are, or are to be, processed’. Data controllers may themselves carry out the processing of data, but may – in other circumstances – also contract out the processing to ‘data processors’, who were defined in Section 1(1) of the DPA 1998 as:
[A]ny person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Under the DPA 1998, data controllers were placed under obligations that required them to strictly comply with data protection regulations. Data processors, meanwhile, had fewer compliance obligations: this left individuals with less protection when a data leak or breach of privacy was caused by the actions of a data processor rather than a data controller. The extent of an individual’s protection under the DPA 1998 thus became something of a lottery, dependent entirely on which type of person had caused that leak.
Secondly, as Connor Griffith has explained for Keep Calm Talk Law, the DPA 1998 failed to provide sufficient remedies and damages to individuals who had fallen victim to the unauthorised use of their private information. Thus, the courts were forced to develop a tort of ‘misuse of private information’ in an attempt to fill this lacuna in the protection of privacy rights.
In light of these two gaps in protection under the regime provided by the DPA 1998 – plus the dramatic changes in how personal data is used and processed online that have occurred in recent years – the announcement contained in the Queen’s Speech of 21 June 2017 that the government intended to update the UK’s data protection law by importing the highly-publicised GDPR into UK law using the Data Protection Act 2018 (DPA 2018) was a welcome one.
Indeed, crucially, the fact that the GDPR is being imported into UK law by the DPA 2018 means the regime it introduces will remain in force no matter what relationship the UK has with the European Union at the conclusion of the Brexit negotiations.
It is hoped that the GDPR regime will meet the goals outlined in the Queen’s Speech: to provide individuals with more control over how their data and personal information is used in a way that reinforces the respect given to an individual’s right to privacy, and to ensure that the UK’s legislation governing data protection is ‘suitable for the digital age’.
How the GDPR Enhances the Protection of Individuals’ Privacy
Over the past four years, the provisions of the GDPR have been under heavy negotiation and deliberation; it is one of the most lobbied pieces of European Union legislation of all time. The GDPR’s aims are to (further) harmonise – and thereby strengthen – the current rules regulating data protection and privacy for users of the internet and electronic communications across Member States, and to impose stricter rules and regulations upon organisations who handle, use and control personal data.
In order to realise this aim, the GDPR seeks to enhance the rights and remedies available to individuals whose data is being processed (referred to as data subjects). As Aydeniz Baytaş has explained for Keep Calm Talk Law:
One of the main differences between the regime under the DPA 1998 and the new regime introduced by the GDPR is that the position of data subjects has been enhanced. Indeed, the GDPR introduces a number of new rights for data subjects and a welcome strengthening of their existing ones.
Direct Introduction of Remedies
One of the most significant changes that the GDPR introduces is the ability for an individual to be compensated if they have suffered any damage following a data controller’s infringement of any of the obligations set down in the GDPR. This is explained by Article 82(1) of the GDPR, which states that:
[A]ny person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
Crucially, this compensation can also be claimed for damage that is non-financial. This is a significant development that puts on a statutory footing the precedent stemming from the seminal case of Vidal-Hall v Google, which Chris Bridges has examined for Keep Calm Talk Law. In essence, before that case, raising a claim for infringement of data protection was not possible in the UK under the DPA 1998 without evidence of financial loss. However, in Vidal-Hall v Google, the Court of Appeal confirmed that the Claimants were able to bring a claim for non-material and non-financial damages, namely emotional distress.
The Right to Be Forgotten
The GDPR will also bring into effect a crucial ‘right to erasure (right to be forgotten)’ remedy for individuals. Article 17(1) of the GDPR provides that individuals will have the right to obtain from persons who control their data the erasure of their personal data ‘without undue delay’, subject to a number of grounds under Article 17(1)(a)-(f) of the GDPR.
This right was influenced by the European Court of Justice’s landmark decision in Google Spain SL v AEPD, which was considered previously for Keep Calm Talk Law by Chris Bridges. The implementation of the right to erasure affords individuals an enhanced level of control over their online profile and public information.
Indirect Enhancement of Individual Rights
Accountability Obligations and Fines
Other changes introduced by the GDPR – though not directly introducing new rights and remedies to data subjects – will nevertheless aid the protection of their privacy and data. For instance, as Aydeniz Baytaş has articulated in more detail for Keep Calm Talk Law, Article 5(2) of the GDPR imposes accountability obligations upon both data controllers and data processors to maintain records – which must meet the form and contain the information prescribed by Article 30(1)(3) of the GDPR – that allow them to produce evidence of their compliance with the GDPR regime.
Significant fines are levied for a failure to do so. Indeed, these fines can be severe in cases where organisations continue to process data without having produced the evidence to show they have one of the lawful bases – outlined in Article 6(1) of the GDPR as being consent, contract, legal obligation, vital interests, public interest and legitimate interests – to do so.
In particularly severe breaches of this requirement, Article 83(5) of the GDPR provides that the fine levied can be up to €20 million or 4% of a company’s global annual turnover, whichever is higher. Even for breaches deemed ‘less severe’, Article 83(4) of the GDPR holds that fines can reach whichever is higher of €10 million or 2% of a company’s global annual turnover.
In addition, to be able to rely upon a data subject’s consent as a lawful basis for data processing, the requirements in Article 4(11) of the GDPR must be satisfied. This requires any consent relied upon to be a ‘freely given, specific, informed and unambiguous’ indication of the data subject’s agreement to the processing of their personal data.
Expansion of the Scope of Personal Data
Furthermore, the GDPR expands and clarifies the scope of the definition of personal data. Under the DPA 1998, the definition of personal data included any information that could allow for the direct or indirect identification of an individual – such as a person’s name, address, and telephone number – but did not explicitly include identifiers associated with digital mechanisms, such as IP addresses and internet cookies.
It is therefore welcome that the definition of personal data in Article 4(1) of the GDPR provides an enhanced coherence and understanding as to the distinction between what is, and what is not, personal data, by extending to include online and digital identifiers. This brings data protection legislation into the internet age.
Conclusion: A Significant Step in the Right Direction?
Ultimately, the GDPR represents a welcome legislative attempt to address concerns around the use and protection of personal information, and implements extensive measures to be taken by public bodies and organisations to process information while respecting the fundamental right to privacy.
It is clear that the GDPR helps move the law towards ensuring the more effective protection of the fundamental right to privacy found in Article 8 of the HRA 1998. The new protections provided to individuals, and the increased level of accountability placed upon organisations, are increasingly vital in an age in which more and more personal and commercial activities rely on digital records, and the risk of cyber-attacks and the misuse of data is increasing.
Indeed, in an area of the law that – as Connor Griffith has explained for Keep Calm Talk Law – has long failed to provide meaningful and substantial remedies for citizens, its introduction of new rigid obligations and stringent penalties represents a clear recognition of the need for the right to privacy to be protected, and even prioritised in most contexts.
It is therefore hoped that the GDPR encourages organisations to recognise and uphold their responsibilities to appropriately protect personal data. This seems likely: given the new obligations and powerful remedies that form part of the GDPR’s new regime, organisations will have almost no choice but to take expensive and affirmative steps to mitigate any circumstances where an individual’s personal information could easily be accessed. In light of this, it can be concluded that the GDPR is a piece of legislation that will change the landscape of data protection for the foreseeable future.