The entry into force of the General Data Protection Regulation in May 2018 laid the foundations for a new era of legislation aimed at greater consumer protection. Basic principles such as unequivocal consent, data minimization, purpose limitation and the right to object incorporated best data practice into law. Since then, GDPR-like privacy legislation has been adopted around the world. California’s CCPA kicked off in the United States, and many other states have followed (Colorado, Connecticut, Utah, and Virginia) or are in the process of doing so (Michigan, New Jersey, Ohio, and Pennsylvania). Elsewhere, we have also seen the introduction of the LGPD in Brazil and the PIPL in China, to name just two. One of the challenges that data controllers and data processors now face is ambiguity. That is, what do the key provisions of these new pieces of legislation really mean? They often need to be examined in court to clarify their true intent and establish legal precedent. This is now happening in Europe, and practitioners elsewhere can learn from these cases and apply the lessons ahead of the legislative trend in their own countries.
Europe clamps down on data privacy
European regulators have shown the consequences of non-compliance with the regulation in 2022. The Spanish Data Protection Agency (AEPD) sanctioned Google LLC this year with a record fine of 10 million euros for two very serious infractions: transferring data to third parties without a legitimate basis, and obstructing citizens’ right to erasure, also known as the right to be forgotten. In Ireland, the regulator fined Meta (Facebook) €17 million for not having adequate technical and organizational mechanisms to comply with the GDPR. Clearview AI, a facial recognition company, has been fined €20 million by Italy’s data protection agency and a further €9 million by the UK’s Information Commissioner’s Office (ICO) for the unlawful processing of personal data, including biometrics and geolocation. TikTok could face a fine of 27 million pounds after a possible breach of UK data protection laws for failing to protect the privacy of children using the platform. A common theme in these cases is the set of basic principles of “lawfulness, fairness and transparency”, which mean that companies must be clear with individuals about how their personal data will be processed, and that an adequate legal basis for doing so has been established. The GDPR has been applied mainly in cases of sending unauthorized marketing messages. In Spain, around 30% of the total claims registered by the AEPD in 2021 referred to the neglect of one of the rights provided for in the data protection regulations, and 7% of these claims are linked to the right to be forgotten in search engines. Article 17 of the GDPR, which establishes the right to erasure (better known as the right to be forgotten), is causing great concern among companies, and it is said to be one of the reasons why Google has decided to stop supporting third-party cookies.
Consumers want to know how their data is used
All these cases (and others) have come to light because consumers have complained. Citizens are now better aware of their data privacy rights and are willing to exercise them if they believe their personal data is being misused. This reality makes us think that if we are going to handle consumer data, it is important to remember:

- Valid consent requires individuals to have real choice and control.
- Individuals must be explicitly informed that they will receive marketing messages.
- Consent must be unrelated to other privacy policies and/or the terms and conditions of the sender.
- Indirect consent can only be valid if it is clear and specific enough.
- There should be an easy means for individuals to refuse to have their contact details used.
Some companies have fallen into other privacy pitfalls
GDPR breaches can also happen through omission, and we’ve seen some recent examples of this in the UK:

- Following a migration to a new CRM system, Reed Online inadvertently scheduled marketing emails to customers who had previously unsubscribed or deleted their accounts.
- Tuckers Solicitors suffered a ransomware attack that led to a personal data breach. The ICO ruled that the company’s failure to apply appropriate technical and organizational measures had left them vulnerable to attack.
- The UK Cabinet Office released the postal addresses of the 2020 New Year Honours recipients, a failure to prevent the unauthorized disclosure of people’s information.
Many data privacy incidents are mistakes
Many cases of GDPR violations point largely to human error and/or inadequate training, and make a compelling case for applying the “Data Protection by Design and by Default” practices set out in GDPR Article 25. The UK regulator has published a report on data security incidents, including the most recent “non-cyber” (i.e. self-inflicted) problems:

- Data sent by email to the wrong recipient (22%)
- Unauthorized access (14%)
- Data mailed or faxed to the wrong recipient (13%)
- Lost or stolen documents, or data left in an unsecured location (8%)
- Missing wording (6%)

For this reason, it is recommended that companies develop solid processes to minimize non-compliance with the regulation. At the moment, no company has been sanctioned with a fine of the maximum “amount equivalent to 4% of total annual turnover of the previous financial year”. British Airways (BA)’s fine, as originally proposed, was substantially reduced by a number of mitigating factors, including the impact of the Covid-19 crisis on BA’s finances. Although no company wants to deal with a privacy breach, there are mitigating factors that will be considered if one occurs, including:

- Whether it is a first breach
- The seriousness of the breach
- Whether it was deliberate or accidental
- Proactive notification to the supervisory authority
- The measures taken to reduce the impact on stakeholders

Regulators tend to be more lenient with companies that are transparent about what has gone wrong, cooperate in the investigation, and move quickly to put measures in place to prevent it from happening again.
Four years after the GDPR entered into force, we are slowly but surely seeing an accumulation of data privacy judgments and case law. Data controllers and data processors should pay close attention, because we are now receiving strong legal interpretations of what many of the more confusing requirements actually mean.

Author: Guy Hanson, International Vice President of Customer Engagement at Validity