Five years of GDPR – standing the test of time?

Our key conclusions are:

  • The fundamental data protection principles have stood the test of time and have the flexibility to adapt to new technologies.
  • Public engagement and education are key to good outcomes.
  • The ICO continues to use the carrot, although a range of sticks is available.
  • It is the courts that are shaping the compensation landscape.

Principles

The fundamental data protection principles long pre-date the GDPR. Concepts such as fairness, transparency, purpose limitation and data minimisation have been part of UK law since the Data Protection Act 1984.

Although Brexit created parallel regimes in the UK and EU, the key principles, rights and obligations remain the same. We have, however, seen differences in interpretation between the ICO and its peers in the EU. Further divergence is now likely following the introduction of the Data Protection and Digital Information (No.2) Bill. The Bill does not shred the existing UK GDPR system wholesale; instead it makes targeted changes and clarifications in support of a risk-based approach.

Evolving technologies such as facial recognition technology and artificial intelligence must now be considered within the GDPR framework. Our view is that the GDPR does have the flexibility to address these challenges. Indeed, the GDPR features heavily in current discussions in the EU and UK and, in the short term at least, it is the key piece of legislation that exists to govern these technologies.

In our view, principles-based regulation is the best way to ensure that laws do not quickly become outdated. There have already been efforts on the part of European data protection authorities to ensure that ChatGPT, the pre-eminent generative AI system, is operated and used in compliance with the GDPR.

Public engagement

The implementation of the GDPR saw a positive change in public awareness of data protection and privacy rights. The European Commission reported in 2020 that ‘69% of the population above the age of 16 in the EU have heard about the GDPR and 71% of people heard about their national data protection authority.’

However, there is still much to do, both to avoid expectations of rights which go beyond those set out in the law and, conversely, to ensure that certain rights are not simply ‘agreed away’. The right of access is one of the cornerstones of data protection law, yet the extent of the right and its application is often misunderstood. For example, we frequently deal with requests for access to non-personal data or for access to documents rather than personal data. Those making requests often do not understand that the right is subject to a number of exemptions (including the balancing of third party privacy rights). This can cause frustration for data subjects, who often view refusals as deliberate obstruction of their rights, and can lead to extensive exchanges of correspondence and subsequent unfounded complaints (including complaints to the ICO).

DSARs and cookies, as elements frequently experienced by the public, are two examples which present an opportunity for data protection authorities, governments and organisations to extend public awareness. The DPDI (No.2) Bill should help avoid the weaponisation of DSARs, but more public education on their scope and exemptions remains critical, both to ensure their proper use and to maintain public trust that any limitation is being applied compliantly. Despite wide familiarity with cookies, we suggest that many users do not actually know what they are agreeing to. More could be done in this area, both by regulators and organisations, to ensure that the public is better able to make an informed decision about consent.

Carrots and sticks

The ICO upholds data protection rights under the UK GDPR by providing extensive and user-friendly guidance on individuals' rights and on the responsibilities of organisations. It has developed a reputation as one of the most pragmatic regulators as it tries to strike a difficult balance: encouraging reporting while fostering accountability.

The ICO has been reluctant to make public the details of all reported breaches, partly to encourage reporting. However, as part of a planned change set out in the ICO25 strategy, it has started publishing details of complaints about data protection concerns and of self-reported personal data breaches. Information on data security trends is also made available. Commenting on the change, the current Information Commissioner, John Edwards, stated that ‘every regulatory action must be a lesson learned by the rest of the economy and play a role in behaviour change.’

The courts

The courts have been left to shape the compensation landscape for data breach claims, which have risen significantly in number.

In 2021, the Supreme Court comprehensively dismissed the claim in Lloyd v Google, closing the door on the widespread use of the representative action procedure (a form of group litigation) for data breach claims. The recent decision of the High Court to dismiss the claim in Prismall v (1) Google (2) DeepMind has reiterated that approach.

Low value data breach claims pursued on an individual basis have proved more resilient, but a number of judicial decisions will help to ensure that these claims are allocated to the proper court and track. DACB has been at the forefront of defending data breach actions which plead a number of overlapping or inadequately particularised causes of action: breach of data protection legislation, breach of confidence and misuse of private information are common examples.

Often issued in the High Court when they should not have been, these claims frequently carried costs claims inflated far beyond the value of the claim itself. The extension of fixed recoverable costs is likely to reduce the prospect of claimant practitioners viewing data breach claims as a viable income stream.

The ECJ has recently confirmed that not every infringement gives rise to a right to compensation on its own, but that there is no threshold of seriousness for non-material damage claims. The UK position likewise recognises that compensation is only payable for damage shown to have been caused by a breach of the UK GDPR, but it does apply a de minimis threshold to that damage. Although the decision is unlikely to trigger a wave of GDPR litigation in the UK, this is a dynamic environment and further precedents may follow in time.