GDPR Turns 5!

To celebrate the GDPR's fifth birthday, we asked Bobbie Bickerton, an associate in the international data protection practice at Stephenson Harwood, to talk about her experience over the past five years.

25 May is a date burned into my memory. I remember this time five years ago as if it was just the other day, when I was a trainee deep in the trenches of the GDPR preparation battlefield - a true baptism of fire. Until that point, for me data protection had really just been another boilerplate clause to include in a contract. It didn't seem to me to be a priority for businesses from a risk perspective. Everything changed with the imminent new law, and I spent my seat in our international data protection team fire-fighting the various needs of all of our clients who (surprisingly…) all had the same deadline for compliance – 25 May.

It was also a very exciting time for the field where data protection was on board meeting agendas across the board (pun intended), GDPR became a household name and organisations were realising the true value of the data that they held. People were becoming aware of the harm that can be caused if our data is put into the wrong hands (with a variety of scandals such as Cambridge Analytica) and were starting to think seriously about what should be done to protect that data effectively.

So, what has happened in the last five years since implementation? It has certainly not been boring and legal developments seem to come in constantly. It has been essential to keep our ear to the ground and regularly reassess the impact of these changes for our clients to ensure they remain compliant. Some key developments in my five years as a data protection lawyer have been:

  • Schrems II: this is the nickname for the claim brought by Max Schrems in relation to alleged violations of the GDPR against Facebook (now Meta). The decision handed down by the European Court of Justice in July 2020 overhauled the rules on international transfers and invalidated the EU-US Privacy Shield as an appropriate transfer mechanism for transfers of data from the EU to the US (see here for our summary). The replacement EU-US Data Privacy Framework is still yet to be finalised.
  • New EU Standard Contractual Clauses ("SCCs"): Introduced in June 2021 by the European Commission. The new SCCs required all companies carrying out international transfers in reliance on SCCs to revisit the transfer safeguards that they had in place and replace the old SCCs with the new ones. They also introduced different modules designed to provide for different roles of importers and exporters, making them more complicated to put in place, but also making them more accurate and adaptable (see here for further information on the new SCCs). The ICO has also introduced the UK equivalent of the EU SCCs (the International Data Transfer Agreement) and the UK Addendum to the EU SCCs for UK transfers. We are also seeing other countries such as China following suit with their own sets of transfer clauses.
  • Brexit and UK Data Protection and Digital Information (No. 2) Bill: as we all know, the UK left the EU with effect from 31 January 2021. For now, the UK has retained the GDPR as national legislation, meaning the standard of data protection is largely the same as in the EU. This resulted in the European Commission granting the UK adequacy in June 2021, a critical decision providing for the continued free flow of data between the UK and EU post-Brexit. While the dust has only just settled on Brexit and the UK's adequacy, the UK government introduced the new Data Protection and Digital Information (No. 2) Bill (the "Bill") in March this year. The Bill (which had its second reading in the House of Commons in April – see here for our commentary) proposes changes to the UK data protection legislation, in a move heralded by the Government as a move away from the constraints of the EU GDPR to allow for innovation and flexibility. As the Bill continues to pass through Parliament, it remains to be seen how far the UK will diverge from the EU's position and whether this will threaten the UK's own adequacy status with the EU.
  • EU digital decade: The EU Commission introduced its Digital Decade policy programme, which sets common objectives and targets for Europe's digital transformation by 2030. Since the advent of the Digital Decade, the EU has introduced a swathe of new legislative proposals, including the EU Data Governance Act, the Digital Services Act, the Digital Markets Act and the NIS2 Directive. It is clear that digital rights are at the forefront of the EU Commission's priorities now more than ever and businesses operating in the EU are facing a decade of legislative changes and increased scrutiny over data handling practices.
  • The launch of Generative AI and ChatGPT: It is inevitable that the regulators will always be chasing the tail of technology innovation. The rapid developments in generative AI and other AI tools over the last couple of months are a classic example of this. The use of personal data in the training and outputs of AI tools poses a whole new data protection conundrum. We have seen ChatGPT banned in Italy over alleged privacy violations, and the ban then lifted again after OpenAI "addressed or clarified" issues raised by the Italian regulator. The ICO also issued a warning that data protection laws still apply to publicly available data used to train generative AI tools. We will need to "watch this space" on data protection issues in AI as the world learns how to live with AI as a practical reality. Both the UK and the EU have started on the path to regulating AI, with the UK's AI White Paper being released earlier this year and the EU's AI Act currently making its way through the European Parliament.

And is this progress? With the news this week of the record-breaking EUR 1.2 billion fine issued by the Irish Data Protection Commission against Meta, calling into question yet again US transfers of personal data, it wouldn't be unreasonable to say that there is still a long way to go. What the GDPR did do, however, was spark a global dialogue about data protection and privacy, and it has led to improved practices beyond just the UK and EU and increased awareness on an international scale.

Data protection as a global conversation is not going anywhere, and in the next five years we expect to see more global laws on a par with the GDPR, political alignment on international transfers and more regulation of Big Tech. It will be fascinating to see the ripple effects this has across the technology industry. What I think we really need to see going forwards is for innovators to work closely with regulators to redress the imbalance between innovation and regulation, with protection of our data as a key priority.

Let's see what my next five years in data protection brings!