Privacy by design
GDPR – the aftermath
The world didn’t end, the marketing emails didn’t stop, cookies didn’t spontaneously combust. The question then begs – what is life after GDPR?
The GDPR has cemented pre-existing data protection rights by bringing culpability and responsibility to the table. The strict obligations to report breaches to the supervisory authority within 72 hours of becoming aware of them, to maintain records demonstrating compliance and to put in place adequate technical and organisational security measures for the safe keeping of data have put the rights of the individual firmly on the “important” list for the day-to-day management of businesses. This will undoubtedly lead to complaints and litigation.
What you may not know
Rights to privacy do not arise only under the GDPR. There are other ways in which the right to privacy is enshrined, as we explain below. We look at:
- The consumer net
- Subject access requests
- Global reach
The consumer net
Looked at together, the GDPR and its sister legislation on consumer rights (consolidated in the Consumer Rights Act 2015) and consumer credit (regulation of which passed to the Financial Conduct Authority in 2014) have woven a net of protection for individuals.
Consumer Credit Act
For an individual to borrow money, they must take a loan either from a bank (or other regulated institution) or from a private lender. The FCA has a number of rules, regulations and restrictions that any regulated or authorised entity must comply with. However, these do not cover private lenders. The consumer credit regulations were therefore brought in to prohibit private lenders from exploiting naïve borrowers. The practical ramification is that every private lender, including a family member, can be caught by this legislation and may face restrictions on charges and interest, on taking security and on enforcement.
Consumer Rights Act and Unfair Contract Terms Act
The consumer rights laws and regulations are vast and deliberately broad so as to cover the widest scope possible. Such legislation exists to protect consumers from excessive charges and interest, but it also offers protections such as:
- rights relating to cooling-off periods;
- rights relating to varying or ending consumer contracts;
- prohibition on unfair terms.
There may also be remedies available to consumers under contract law, such as repair and replacement, specific performance, rectification and refunds, as well as damages for loss.
This could create a ‘kitchen sink’ effect in litigation, with rights under any and all of these laws being used against businesses in damages claims. Such cases will, however, need clear pleadings and claims with a primary focus. The consumer net may also bring an increase in group actions, since a pattern of consumer failings has far more of an impact on the liability of a business than a one-off breach.
Subject access requests
Records, security measures and subject access requests are the areas where breaches are most likely to occur and will come under scrutiny in the event of complaints. Subject access requests should therefore be taken seriously and handled by a nominated person within the company. Under the GDPR a request must be answered without undue delay and in any event within one month, extendable by a further two months for complex or numerous requests. Issues arise over proportionality, which in practice require judgement calls.
Global reach
The GDPR is reaching worldwide, setting the standard for consumer rights and protections. Privacy and security measures are being adapted not only within the EU and EEA but also outside them, to allow commercial relationships to continue, pushing the GDPR towards becoming the de facto global framework for data protection.
For example, Facebook was among the first global organisations to announce worldwide compliance with the GDPR under a ‘one size fits all’ policy.
Facebook and individual culpability
The Court of Justice of the European Union has held (Wirtschaftsakademie Schleswig-Holstein, Case C-210/16) that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of data of visitors to the page. Administrators can obtain anonymised statistical data on visitors to their fan pages via a function called ‘Facebook Insights’, which Facebook makes available to them free of charge under non-negotiable conditions of use. The data is collected by means of cookies, each containing a unique user code, which remain active for two years. This user code is collected and processed when the fan page is opened and can then be matched with the connection data of Facebook users.
One single employee now carries the responsibility for the entire business
It was undisputed that Facebook must be regarded as the ‘controller’ responsible for processing the personal data of Facebook users, including those visiting fan pages. However, the administrator of such a fan page must now also be regarded as a controller jointly responsible with Facebook, within the EU, for the processing of that data, because the administrator contributes to determining the purposes and means of processing the personal data of fan page visitors.
The fact that a fan page administrator uses the platform provided by Facebook in order to benefit from its services cannot exempt it from compliance with its obligations concerning the protection of personal data.
The entire business covers all jurisdictions in which it operates
A data protection supervisory authority of one EU member state may now exercise its powers against an establishment of a controller located in its own territory, even where responsibility for the controller’s EU-wide processing rests with an establishment in another member state, and it need not first call on the supervisory authority of that other state to intervene.
This recognition of joint responsibility for Facebook and the administrator of a fan page hosted on that network contributes to ensuring more complete protection of users’ data protection rights.
If I were that data controller, director or employee
Those responsible for data protection administration now carry substantial responsibility and risk. If I were that employee, I would be taking a close look at my contract of employment to make sure my employer was protecting me from being thrown to the lions. At the very least, I would be looking for a long notice period from the employer so that I was compensated whilst job searching.
All directors have a duty to take responsibility and should be aware of what their fiduciary duties require of them.