CDS’ Chris O’Connor and global privacy expert Jonathan Armstrong of Cordery recently discussed the latest developments in GDPR review, regulation and enforcement. Read on for a lightly edited transcript of their discussion, Part 1 of 3-part series. To view the recorded webinar, Global Data Privacy Update: GDPR Walks the Walk, click here. 

999 GDPR fines and counting

Chris O’Connor:
GDPR is now three years, four months, and four days old. During these last three years, what has been accomplished under this seminal piece of regulation?

Jonathan Armstrong:
Well, in some respects, you couldn’t have picked a more auspicious day. This no doubt will be a trivia question for years to come. We’re now up to 999 public GDPR fines. That might have ticked up to 1000 fines as we speak. In terms of enforcement, GDPR has picked up particularly in the last year or so. We’re up to about 1.29 billion euros worth of fines as we sit here at the moment, the highest single fine being 745 million euros. However, one of the things that GDPR hasn’t delivered on is the promised savings to businesses.

I always thought it was somewhat incredible and I questioned the Commission’s figures from the get-go. By now, we should have had 6.9 billion euros worth of savings for businesses since GDPR was introduced if the Commission’s predictions had come true. I just don’t think that’s true at all. In a recent sort of unscientific snapshot survey, 85% of the people we asked said that it had been a net cost not a net savings. So, I think GDPR hasn’t saved anybody any money. The fines are certainly picking up and I know you’re going to ask about enforcement in a minute, which I think is also probably not as people had predicted either. There certainly have been a few surprises along the way.

Chris O’Connor:
So, do you think that the cost-versus-savings paradigm is because the union just miscalculated completely, or the Commission did, or do you think that this is a longer trend? Maybe in a decade, there’ll be some benefits to businesses? Certainly, in the short term, making sure data is secure and handling private data correctly would come at a cost, depending on the size of the business, etc. Is there going to be realized savings later, or are we past that now?

Jonathan Armstrong:
I think it was a great work of fiction from the start. I know that the UK government for example produced its own figures, which showed a cost to businesses. They asked the Commission to justify their figures, as I recall the debate, and they said they wouldn’t. And I think it’s just because somebody had sat in a cafe in Brussels one night and made them up. I don’t think they ever stood up to any scrutiny. And you remember that the whole GDPR deal was this yin and yang, if you like: businesses are going to save loads of money and individuals will get more rights and everybody benefited. But I think most EU politicians were much more concerned about individuals getting more rights than they were about businesses saving money.

So, they were always very sketchy on the yin and always very definite on the yang. And of course, going forward under GDPR, that’s a real worry because now that some politicians know that they don’t have to deliver on the yin, then the yang can get tougher. And particularly because of Brexit, because the UK being, if you like, on a break on some of these increasing individual rights, then I think that may bode badly for the next iteration of GDPR when we might see tougher terms that are harder and more costly for businesses.

Remote work opened the door for an uptick in DSARs

Chris O’Connor:
Ephemeral data has become so regularly used in our lives of remote work. Are you seeing increased costs for businesses across Europe?

Jonathan Armstrong:
I think that’s definitely the case. I mean, one of the areas is in subject access requests. There’s a huge rise in subject access requests, for those of you who aren’t familiar with it. I can request an organization what data do you have on me? And particularly in times of COVID, with hybrid working, those costs have increased, in part it’s the fault of some corporations. But for example, when we speak over Zoom, when we speak over Teams, then there’s telemetry that’s being collected on all sorts of stuff and people are starting to make requests for that telemetry data. And as you know better than I do, Chris, it’s really hard to collect that data, to redact it, because you have to remove other people’s information and to provide it in a commonly used format that’s readily accessible to the individual. All of those things bring challenges and make the cost of compliance more significant.

Chris O’Connor:
And it’s become a strategic weapon for some individuals.

Jonathan Armstrong:
Absolutely. And there are many. I’ve got about a dozen cases at the moment of exiting or exited employees trying to use subject access requests. You’re exactly right that it can be used as a weapon and it becomes a negotiation when they say, okay, I will leave the business, but I want X for leaving the business and Y for removing my subject access request. And even more invidious, we had one case where the individual took a payment to withdraw his subject access request, banked the payment and then made another [DSAR]. And from a legal point of view, it’s hard to resist that request on the basis that we’ve already paid, because on public policy grounds, most courts won’t enforce that deal.

So far, GDPR enforcement has been about transparency, not data security

Chris O’Connor:
Let’s talk about enforcement. We’ve seen some big fines, and largely, they’ve been against US-based corporations. Are we seeing that as a general trend in enforcement, where European corporations are smarter about how they handle private data? Is this a political move by the Commission, or have Americans just done badly on privacy?

Jonathan Armstrong:
It could be a mix of all of these. I think it’s always been the case pre-GDPR, that in some countries, the higher fines went to those corporations that weren’t local. If you look at Greece, its highest fine pre-GDPR was to a UK corporation. If you look at Spain, it went to a US corporation. The higher fines are definitely directed mainly to big tech businesses. Most big tech businesses happen to be in the US but also politically in many jurisdictions. It is easier to find somebody not in the jurisdiction than it is to find somebody who is in the jurisdiction. But I think you’re right that in some respects, it’s because privacy might not be a natural bedfellow of some US corporations. Most fines under GDPR are about transparency, they’re not about data security which many people thought would be the case. If I look at the biggest fines like the 746 million euro fine from Luxembourg and WhatsApp’s 225 million euros fine from Ireland. It’s all about transparency.

If I look at the H&M case regarding employee data from one of the German regulators, that’s about transparency. And a lot of the cookies cases that we’re seeing out of France are about transparency. The gay dating app Grindr was fined by Norway’s data protection agency was again about transparency. Still the highest fine in Spain was against a domestic bank was about transparency. So, transparency fines of that figure that I gave you earlier, about 1.29 billion, more than a billion of that is about transparency during the last year. So, if you look at the curve of GDPR enforcement, it’s accelerating rapidly in terms of quantum, but it’s also shifting from security and data breach to transparency as comprising the majority of fines.

How will Brexit impact global data privacy?

Chris O’Connor:
That’s an interesting trend. We’ve seen so many cybersecurity breaches here in the United States where data is not necessarily accessed, it’s just trapped. We’ve seen a lot of encrypted attacks, but we haven’t seen lawsuits against lost data or somebody’s access to information, but that is also because our privacy rules are lighter. Do you anticipate changes coming as the union and the UK separate further? Do you think the UK will design their own rules, and heighten or lessen them?

Jonathan Armstrong:
I think as far as GDPR is concerned there are proposals to change the rules in the UK. They include proposals to re-introduce the charge for subject access requests to try to address the knee-jerk reaction of “I’m mad, I’ll get even by making a subject access request.” Some people say that if the UK tinkers with GDPR to any extent, then the UK will lose its adequacy decision and that will create a whole world of pain around the transfer of data. I think some people are perhaps overstating that, if you look at fines for example, I think I’m right in saying that the UK has levied higher fines than any other jurisdiction that has adequacy. The last time we spoke, we discussed the Japanese adequacy decision.

Is the UK more adequate than Japan, even if some of the proposals get through? Well, yes, it is. There’s a debate as to whether Canada will lose its adequacy decision. Is UK legislation tougher than Canadian? Probably yes. So, I think there will be some tinkering at the edges. Of course, we’re going into a new regime in terms of enforcement. Elizabeth Denham is leaving, and we’ve got a new regulator joining. And I think we might see some differences and enforcement in some non-GDPR areas. Cookies, for example, is a really hot topic here at the moment. Lots of litigation about cookies. I’ve handled two cases today alone. Lots of nuisance claims kicking around that. And because of the setup, because that’s under the e-commerce directive and in the UK, there’s much more scope for that maneuver.

But one of the things that we often lose in this debate, is that the UK had data protection legislation before the directive that was the predecessor of GDPR. We’ve had active data protection legislation in the UK since 1984. It is at the heart of UK law. EU law came later, and I think it’s still in the heart of the British psyche, so I don’t see data protection law going away. I don’t want to be too political but there are reasons that the current government wants to water it down. In some respects, it’s because of the non-compliance of key members of the current administration and that cabal. So, if you’re always getting a ticket from the traffic cops then you’ve got to protest that the traffic cops are too aggressive and they should issue less tickets. But once we change regimes people realize that you can’t be self-interested in changing legislation. Then I think the mist will clear a bit from these proposals.

Regulators ratchet up activity while consumers seek new avenues for redress

Chris O’Connor:
So, the majority of claims made in the UK, are they merely nuisance ploys? I mean, is GDPR accomplishing the goal of protecting European privacy? Is it getting there or are we largely seeing this as either a political tool or legal exercise, but it doesn’t get to the heart of why GDPR was implemented in the first place?

Jonathan Armstrong:
I think that’s a really good question and it’s a bit of a compound answer. But, in terms of regulatory activity I think it’s interesting that some regulators have very recently gotten with the program. Take Luxembourg for example, no cases at all until June of this year, now I think there are 22 cases including a 746 million Euro case. By the way, I think WhatsApp will be appealing so don’t write those numbers down in stone just yet. But I think in terms of regulatory enforcement, then in some respects it’s still been somewhat haphazard. Spain has brought the most cases, but they tend to be relatively trivial in terms of fine, Germany not so many cases tend to be at the higher end, and France similarly with an increasing number of cases and higher fines.

So, enforcement is patchy, and as a result people are trying to use the civil courts to enforce GDPR. Colonel Sanders, the Big Mac and class action litigation are perhaps the three things that we have to thank the US people for. And we’ve certainly seen some innovative class actions, some involving Mack Schrems, the Bank of America data breach litigation, the Safari work-around against Google. Group actions were challenging to bring in Europe, but in many jurisdictions, people found an innovative way of getting a class action off the ground, like forming an incorporated association in the Netherlands to get drivers together, to bring litigation.

And some of those techniques are being used for private actions after data breaches and to enforce transparency. But we’re certainly seeing nuisance actions as well, particularly around cookies. One individual has probably written hundreds of claim letters to corporations, and it’s a little bit like a ransomware attack. If you pay me $1000, I will ride off into the sunset, if you don’t pay, I’ll publicize the fact that your cookies banner doesn’t comply, and you will be paying out forever more. We are starting to see much more innovative uses of GDPR, but it ain’t all good.

Click here to read Part II: The Evolving Role of AI in Protecting Data Privacy.