The year 2018 witnessed one of the most significant developments in the last 20 years of data protection: the General Data Protection Regulation (GDPR) came into force in the European Union. In fact, within the last year around 100 new data protection laws, including the GDPR, have been enacted in countries around the world, and for many of those countries it is their first such law.
With the introduction of the GDPR, 2018 was a very busy year for data protection compliance. Many businesses from all sectors left updating their GDPR compliance programs later than they would have liked. Research shows that companies struggled to get ready for the May 2018 deadline.
France fines Google €50 million under GDPR
Google has become the first US tech giant to be fined under the GDPR. The French data protection authority, the CNIL, fined the company €50 million for breaching its transparency obligations and for lacking a valid legal basis for the processing of personal data used in personalised advertising.
On 25th and 28th May 2018, immediately after the implementation of the GDPR, the CNIL received complaints from privacy advocacy groups claiming that Google did not have a valid legal basis for processing personal data of its users, particularly for the purpose of personalising advertising on the search engine.
Google states that the legal basis it relies upon to process data for targeted advertising purposes is consent. However, the CNIL found that Google had not validly obtained consent, because the consent was neither sufficiently informed, nor specific, nor unambiguous, as the GDPR requires.
The CNIL's decision to fine Google €50 million is an initial indicator of how regulators will interpret and enforce their powers under the GDPR to issue fines of up to €20 million or 4% of a company's total worldwide annual turnover, whichever is higher.
Looking to the year ahead
2019 provides an opportunity to take a fresh look at data protection compliance:
- Without any looming deadlines;
- With planning, involvement and buy-in from all areas of your business;
- With the benefit of further guidance documents issued by the European Data Protection Board and national regulators such as the Information Commissioner's Office, and of better-developed industry-standard approaches to compliance.
We expect businesses in all sectors to further develop their data protection compliance programs in 2019, both as the ways and means of becoming compliant mature and as new developments, including the ePrivacy Regulation and Brexit, take effect.
On 19th December 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 were published in draft form. Their purpose is to amend the GDPR as retained in UK law so that it continues to make sense once the UK has left the EU, creating a "UK GDPR".
Organisations both inside and outside the UK could find themselves regulated under both the UK GDPR and the EU GDPR. Policies, agreements and other compliance documents will need to be updated to reference the new UK GDPR. UK businesses trading into the EEA will need to consider appointing Article 27 representatives within the EEA. Likewise, businesses outside the UK which trade into the UK will need to consider appointing a UK representative.
Non-EEA businesses may need a representative in both the UK and the EEA. It is unlikely that the UK will benefit from an adequacy decision immediately after Brexit, so transfers of personal data between the UK and the EEA will need appropriate safeguards in place, such as the European Commission's standard contractual clauses.