The UK’s data protection authority, the ICO, has announced twice in two days this week that it proposes to levy significant fines on organisations for breaches of the General Data Protection Regulation (GDPR), which took effect in May 2018. First it announced that it intends to fine British Airways some £183 million for a data breach in 2018 that affected 500,000 customers (see our Data Blog here for more details). The following day it announced that it proposed to fine Marriott hotels group nearly £100 million, again for a data breach that affected customers (see our Data Blog here for more details). Both BA and Marriott may make representations to the ICO before final decisions are taken. These proposed fines dwarf previous fines issued by the ICO, which were capped at £500,000 under the old privacy regime.
Until now the business world has been waiting to see how the ICO would use its powers under the new GDPR regime. Under that regime, the ICO can impose a broader range of significant civil penalties for data protection breaches than was previously possible. This includes penalties of up to €20 million or 4% of a company’s global annual turnover, whichever is higher, as well as potentially ordering companies to stop processing personal data altogether. The ICO is clearly now baring its teeth.
The GDPR became applicable on 25 May 2018 and brought with it additional rights for individuals and additional obligations for organisations. It also extends its reach beyond European borders and applies not just to companies within the EEA but also to some organisations outside the EEA.
With the legislation now in force, all eyes will turn towards the regulators to see how it will be enforced. We have already heard from the Information Commissioner in the UK that high fines can and will be levied on those that persistently, deliberately or negligently flout the law. The ICO’s stated areas of focus are reportedly cyber security, artificial intelligence and device tracking. How this will all play out in practice remains to be seen.
For those organisations still on the compliance journey, there is a wealth of information to assist. We have published a GDPR hub, accessible here, which includes a series of briefings and webinars that take a deeper dive into some of the key considerations in any compliance programme. Copies of the briefings are accessible by clicking on the links below:
- The GDPR: the “whole of business” issue at the top of your board agenda
- The rise of the intelligent business: spotlight on employers
- Extending the long arm of the law: Extra-territoriality and the GDPR
- Data use – protecting a critical resource
- Supply Chain Arrangements: The ABC to GDPR Compliance
The post below was first published on our Employment blog
Last week the UK Government released its negotiating position paper on international transfers of personal data within the EEA (The Exchange and Protection of Personal Data). Once the UK leaves the EEA it will no longer be subject to the General Data Protection Regulation (the “GDPR”) and will no longer form part of the EU “safe data” zone throughout which personal data may be freely transferred. The GDPR will however continue to apply to UK businesses that offer goods or services to individuals in the EEA.
In line with previous declarations, the position paper outlines the Government’s desire to maintain the “frictionless” movement of data to and from other countries within the EEA. It cites the economic benefits for the UK and EU as well as cooperation in respect of law enforcement matters (such as serious crime and terrorism).
The position paper sets out the Government’s preferred outcome in three key areas:
- An EU adequacy decision in relation to the UK’s post-Brexit data protection legislation;
- The continued input of the UK data regulator, the Information Commissioner’s Office (the “ICO”), in the EU’s regulatory dialogue; and
- Interim arrangements, from the point of Brexit to the time when more permanent measures have been put in place, to maintain stability and consistency.
On 18 July 2017 the House of Lords European Union Committee (the “Committee”) published a report covering the impact of Brexit on four aspects of the EU Data Protection Package:
- the General Data Protection Regulation (the “GDPR”), which will become directly applicable in all EU member states with effect from 25 May 2018. A Data Protection Bill is expected to be introduced to Parliament after the summer recess;
- the Police and Criminal Justice Directive (the “PCJ Directive”), which EU member states must transpose into national law by 6 May 2018;
- the EU-US Privacy Shield which enables personal data transfers from the EU to the US for commercial purposes and replaced the previous Safe Harbour international transfer mechanism to the US; and
- the EU-US Umbrella Agreement which establishes a common framework for the protection of personal data transferred between the EU and the US for criminal law enforcement purposes.
The European Commission published its first draft of the EU General Data Protection Regulation (the “GDPR”) in January 2012, setting out a comprehensive reform of the then-existing EU regime. The reform was designed to give citizens more control over, and protection of, their personal data. In April 2016, the final text of the GDPR was formally approved.
The GDPR then entered into force on 24 May 2016, with a two-year implementation period before it applies. This period gives organisations until 25 May 2018 to prepare for the new rules.