The recent Facebook/Cambridge Analytica case has, once again, thrust data protection laws into the limelight. The key question is whether current regulations on the use of personal data are sufficient, with some calling for further regulation. This discussion comes at a time when exactly that is happening. The EU’s General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. Alongside the UK’s Data Protection Bill, currently in front of Parliament, the new rules significantly reform, update and increase the amount of regulation governing how all organisations use personal data.
The exact nature of what has occurred in the Facebook/Cambridge Analytica case remains unclear at the moment, hence the need for the ICO to properly investigate. It is right and proper that the UK has a strong data protection regulator who takes privacy issues incredibly seriously.
While that investigation takes place, rather than simply calling for new regulation we should consider how things may have been different had this occurred in the new post-GDPR world.
GDPR significantly increases the rights of data subjects and puts far greater responsibilities on both data controllers and processors. The entire purpose of the GDPR was to put citizens at the heart of data protection and equip them with greater control over how their personal information is used. The new regulation also expands the definition of personal data, meaning more types of personal information, such as IP addresses, will constitute personal data and be covered by the new regulation.
Some key elements, seemingly relevant to this case, include new requirements around collecting valid consent. In a post-GDPR world consent will have to be ‘freely given, specific, informed and unambiguous...by a statement or by a clear affirmative action’. That raises the bar on what can be deemed valid consent from a data subject, requiring them to be fully informed of what they are agreeing to, including whether their data is going to be passed on to third parties. Additionally, requests for consent must be presented ‘in an intelligible and easily accessible form, using clear and plain language’. Companies will have to be far clearer to citizens about how their personal data is going to be used, allowing them to object to targeted advertising if they so choose. Finally, on consent, it must be as easy to withdraw as it is to give, allowing citizens to remove their consent easily if they no longer agree to the processing.
The new regulation is also very clear on where data can be collected and for what purpose. When gathering data, data controllers must be clear to the data subject about the purpose of the processing, and there can be no ‘repurposing’ of that data without seeking a fresh legal basis or valid consent, the bar for which, as already discussed, has been raised. For example, collecting data for research purposes and then using the same data for targeted advertising, or any other commercial use, without seeking fresh consent from the data subject would be a breach of the rules. Such activity would be liable for punishment.
Finally, where there is an infringement of GDPR, the fines payable by companies will dramatically increase from the current £500,000 to roughly £18 million (20 million euros) or 4 per cent of global annual turnover. Depending on the company and the circumstances that figure could be massive. Companies should comply with the law simply because it is the right thing to do and the right way to build trust with consumers. However, as with all laws, there will be punishment for those companies that do not comply, and strong enforcement will be a powerful incentive to ensure companies take privacy seriously in a post-GDPR world.
Once the GDPR takes effect on 25 May there will be much stronger data protection for citizens in the UK, so calls for further regulation may be premature. The laws are already changing amid the biggest shake-up of data protection in over twenty years, with a whole raft of new rights for citizens. A key aspect that this latest media storm has uncovered is the extent to which people are aware that data protection laws are changing. The effectiveness of GDPR will, in no small part, depend on citizens’ awareness of the new rights available to them. It is therefore timely that we have a wider public debate about data protection, given its implications for people’s everyday lives, and that we educate the public about the changes ahead which will give them far greater control.
Jeremy Lilley is policy manager for data protection and digital single market at techUK.