The fourth anniversary of the GDPR: what's happened and what's next
On 25 May 2018, the General Data Protection Regulation ("GDPR") came into effect in the EU. Since then, the global data protection stage has seen many key developments. Four years on, the GDPR has become the new world standard for privacy and data protection, with as many as 20 countries around the world introducing new legislation that uses the GDPR as a model to shape their own data protection principles. On this anniversary, we look back at the key privacy milestones since 2018 and consider what the future of the GDPR looks like for UK businesses.
Changing the regulatory landscape
The most eye-catching feature of the GDPR was the introduction of maximum fines of up to 4% of a controller's worldwide turnover or €20m (£17.5m), whichever is greater. In fact, data protection authorities in the EU have issued a combined €1.6bn in fines for breaches of the GDPR since it was implemented in 2018, with two major fines contributing heavily to this figure: Amazon Europe Core S.à r.l. was fined €746 million by the Luxembourg data protection authority and, two months later, in September, Ireland's Data Protection Commission imposed a fine of €225 million on WhatsApp.
However, in reality, the more impactful elements of the GDPR for everyday businesses are the tougher rules that affect the day-to-day operation of businesses. At the heart of this is the concept of 'privacy by design', which calls for the inclusion of data protection principles from the outset of designing operational and business systems rather than treating compliance as an afterthought.
In addition, the GDPR brought in the following rules and restrictions relating to the processing of personal data:
- A higher threshold for consent, meaning businesses are required to obtain the unambiguous, informed and specific consent of individuals if they intend to rely on consent as a lawful basis for processing personal data;
- Timeframes were imposed for companies when responding to data breaches, with those businesses affected by a breach concerning personal data having to report said breach within 72 hours;
- The provision of increased rights to individuals, including the right of access which continues to proliferate across all sectors, becoming a regular occurrence for many businesses;
- The introduction of data portability, namely the right for an individual to receive personal data concerning them and the right to transmit that data to another controller; and
- The requirement for businesses that systematically process data to appoint a Data Protection Officer ("DPO").
On an international scale, one of the key considerations was the change to the territorial scope of EU data protection law, with all companies processing the personal data of EU citizens, regardless of the company's location, being required to comply with the GDPR.
GDPR in the UK
At the same time as the implementation of the GDPR, the UK Data Protection Act 1998 was replaced by the Data Protection Act 2018 ("DPA 2018"). The DPA 2018 was introduced to supplement the GDPR, outlining certain national exemptions and rules in relation to certain types of personal data processing. In this regard, the DPA 2018 contains a set of national derogations.
These derogations include special rules regarding the processing of personal data for journalistic purposes and in the areas of employment, health and research. The DPA 2018 also sets out the ICO's scope to exercise its powers under the GDPR, such that it has the ability to serve 'assessment notices' on businesses and the right to enter business premises, access documents, equipment and other materials, observe personal data processing and interview staff.
Lastly, the DPA 2018 introduced a number of new data protection offences including:
- knowingly or recklessly obtaining or disclosing personal data without the consent of the data controller, procuring such disclosure, or retaining the data obtained without consent;
- selling, or offering to sell, personal data knowingly or recklessly obtained or disclosed;
- taking steps, knowingly or recklessly, to re-identify information that has been "de-identified" (although one of the defences that could be raised is where that action can be justified in the public interest).
GDPR and International Transfers: 4 years of change
Changes in the regulatory landscape did not end with the introduction of the GDPR. Rather, the likes of privacy activist Max Schrems and his non-profit organisation, None of Your Business, combined with updates from the European Data Protection Board ("EDPB") have kept businesses busy with plenty of data protection updates to consider, particularly relating to international transfers.
The first upset came on 16 July 2020, when the European Court of Justice ("ECJ") handed down its long-awaited decision in the case of Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems and others (Case C-311/18) ("Schrems II"). In a judgment with far-reaching implications for transfers of personal data, the ECJ made two key findings:
- It declared the Privacy Shield decision invalid. The Privacy Shield was a mechanism used to legitimise the transfer of personal data from the EU to the US but the ECJ found that it prioritised US national security requirements over the fundamental rights of respect for private and family life, personal data protection and the right to effective judicial protection. As a result, transfers from the EU to the US relying on the Privacy Shield were declared unlawful.
- On the other hand, it decided that the European Commission's Standard Contractual Clauses ("SCCs") were valid, but only on the basis that they require both the parties to the SCCs and the competent supervisory authority to assess the recipient’s ability to comply with the SCCs.
Following the decision in Schrems II, there were (and still remain) several key issues to be resolved, particularly in relation to the lawfulness of transfers of personal data to the US. The key question for all exporters remains exactly what they must do in order to meet their obligation to assess the recipient's ability to comply with transfer safeguards, and in particular the SCCs. As a result, verification of data importers' practices and national law obligations has become a key part of exporting personal data outside of the UK or EU, with transfer impact assessments becoming increasingly necessary for businesses with international operations.
Following the judgment in Schrems II, there have been two big developments in Europe.
The first was the publication of a new set of SCCs by the European Commission which replaced outdated versions produced before the introduction of the GDPR. Draft versions of the new SCCs were published in November 2020, with the final versions being released in June 2021. The new SCCs address both the provisions of the GDPR and the issues arising from Schrems II. Since 27 September 2021, these new SCCs have been mandatory where a party is seeking to rely on SCCs as a transfer safeguard, meaning any new processing terms entered into since that date are required to use the new SCCs as opposed to the old. In addition, the old SCCs will be obsolete from 27 December 2022, meaning that businesses are required to carry out a repapering of all international transfers relying on the old SCCs.
The second development was the issue of two long-awaited sets of guidance by the EDPB. One set makes recommendations about potential supplementary measures for international transfers (the "Recommendations"), whilst the other is guidance on the European Essential Guarantees for surveillance measures (the "Guarantees"). Whilst neither the Recommendations nor the Guarantees are directly binding on companies, they represent the views of the supervisory authorities responsible for enforcing the GDPR. They have therefore become a critical tool for all companies exporting or importing personal data relating to EU or UK data subjects, serving as guidelines for businesses required to update their procedures and documentation in light of Schrems II.
What can we expect from the next 4 years?
Following Brexit, the role of the GDPR within UK domestic law came into question. However, since 31 December 2020, the GDPR has been incorporated directly into UK domestic law as the "UK GDPR". As a result, the key principles, rights and obligations remain the same as before Brexit, but the UK government now has the capacity to significantly change the data protection legislation and regulations.
Prior to the end of the Brexit transition period on 31 December 2020, the future of transfers between the EU and UK was secured with the European Commission publishing its adequacy decision confirming that the UK is not a third country in respect of international transfers of personal data. As a result, the free flow of data between the EU and UK has continued to date.
While this adequacy decision will apply until at least 27 June 2025, the EU Commission must monitor developments in the UK on an ongoing basis to ensure that the UK continues to provide an equivalent level of data protection. The EU Commission can amend, suspend, or repeal the decision if issues cannot be resolved. This is something that should be borne in mind as the UK data protection regime begins to diverge from the strict GDPR protection principles.
The UK's first derogation from the strict EU data protection regime came when the ICO published an all-new International Data Transfer Agreement ("IDTA"), which is the UK's equivalent to the SCCs, as well as a UK addendum ("Addendum") which can be used alongside the EU SCCs for transfers that are subject to both the EU and UK GDPR. From 21 September 2021, all new UK transfers must use either the IDTA or the Addendum as opposed to the old SCCs, with the final date for reliance on the old SCCs being 21 March 2024.
More recently, the UK's Department for Digital, Culture, Media & Sport ("DCMS") issued a consultation (the "Consultation") on suggested reforms to the UK's data protection regime following Brexit. The stated aim is to "create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data". The Consultation considers the following broad areas: innovation; burden of compliance and improving outcomes; trade and data flows; improving public services; and reform of the ICO.
Further, earlier this month it was announced in the Queen's Speech that the UK's data protection regime would be reformed through the introduction of the Data Reform Bill (the "Bill").
Some key points flowing from the Consultation and Bill are proposals to:
- Eliminate the balancing test associated with the "legitimate interests" ground for processing in several areas, in favour of certain "pre-approved" interests;
- Lower the compliance burden on organisations by: (i) introducing a materiality threshold for mandatory reporting of data breaches to the ICO; (ii) (re)introducing a fee regime for making Data Subject Access Requests ("DSARs") and a costs threshold for response; and (iii) removing the requirement for organisations to obtain consent for the use of analytics cookies;
- Empower organisations to be flexible in their transfer mechanisms to countries where no adequacy decision exists;
- Make changes to the ICO's structure and operation, including increasing enforcement powers for direct marketing in line with UK GDPR, such that PECR fines are no longer limited to £500,000;
- Enable public bodies to share data to improve the delivery of services; and
- Replace the "tick box exercises" required under current data protection law with a more flexible, privacy outcomes-focused approach to data protection.
Finally, the UK Government is planning on introducing the Brexit Freedoms Bill which will aim to end the supremacy of European law. This would enable the Government to change the position of retained EU data protection law which is currently enshrined under UK data protection law. This could have a significant impact as a vast amount of UK data protection law is derived from the EU. At present, the extent of such changes remains unclear.
With all the legislative proposals on the table, the future of the GDPR remains unknown in the UK and the next four years definitely promise new change for UK businesses. While some businesses may prefer the certainty of the EU rules, the potential flexibility of the new UK rules may offer some businesses an easier and more commercial option for processing, protecting and holding personal data.