Tech and data protection law, post-GDPR
James Castro-Edwards of law firm Wedlake Bell argues that the UK needs to demonstrate that it protects personal data to EU standards as Brexit looms
The General Data Protection Regulation (‘GDPR') took effect on 25th May, replacing the Data Protection Act 1998 (DPA) and the 1995 Data Protection Directive, from which the DPA stems. The Directive was implemented to enshrine privacy as a fundamental human right.
The intervening years between the adoption of the Directive and its replacement by the GDPR have witnessed an exponential increase in the development and adoption of consumer technology. In two decades, connected devices have become so compact, user-friendly and powerful yet affordable that they are now ubiquitous. The proliferation of connected consumer technology has both fuelled and been fuelled by the wholesale adoption of the internet by the general public.
This in turn has spawned a whole digital economy, in which personal information is a fundamental resource.
Many web users have enthusiastically uploaded information about themselves into cyberspace, both knowingly through their engagement with social media, and unknowingly, by expressing interests and preferences in the course of online searches and commerce.
At the same time, online businesses have eagerly harvested and found progressively more sophisticated ways of exploiting this personal data. Some of these techniques may be so subtle that the affected individual has no idea that the processing is taking place, nor any idea of the associated risks.
Not that long ago, the most likely harm an online ‘over sharer' risked was being bombarded with unwanted advertisements, however, recent developments such as Cambridge Analytica demonstrate how times have changed. In an environment where ordinary people do not fully understand how their information is used by highly sophisticated and commercially-motivated online operators, the need for legal protection is readily apparent.
The GDPR was introduced by the European Commission as a means of promoting the digital economy by increasing individuals' trust. The GDPR aims to enhance trust by granting members of the public choice and control over how their personal information is used. A critical element of control consists of making individuals' consent a prerequisite for the use of their personal data.
However, as the online economy has matured, as have ways of circumventing genuine consent, such as pre-ticked boxes, indecipherable small-print and purported consent that is conditional for accessing a product or service.
These practices have had the effect of eroding individuals' rights. However, the GDPR reverses the trend by specifying that consent must be freely given; there must be a genuine choice, not ‘take it or leave it'. Consent must be specific, rather than vague ‘catch-all' wording designed to grant a collecting business ‘carte blanche'.
It must be indicated by an unambiguous, positive affirmation by the data subject. In other words, the individual must positively do something that indicates he or she consents to a particular processing activity, rather than their agreement being inferred from the fact that they have not objected.
The GDPR does not always require consent where personal data is used. It includes a number of alternative grounds, for instance where processing is necessary for the performance of a contract with a customer, or where processing is necessary for legitimate interests pursued by the organisation collecting personal data, often relied upon by employers to process staff personal data. However, where organisations have no alternative but to rely on individuals' consent, for example, in the context of online profiling and marketing, those individuals must have a genuine, informed choice.
The GDPR is not a revolution, but an evolution of the Directive; it includes the same principles and concepts, albeit updated in places and often more stringent, but there is a lot of common ground. Like the Directive, the GDPR imposes the requirements of ‘fairness, lawfulness and transparency' on organisations that process personal data, but the GDPR goes further in its efforts to grant individuals choice and control.
As Brexit looms, the UK will need to demonstrate that it protects personal data to European standards if it is to avoid complicated data transfer restrictions with the remaining Member States. As a result, the UK is likely to have to adhere more closely to the GDPR, making compliance a more pressing issue for operators that collect and store large volumes of personal information to run their businesses. The GDPR is not Y2K; for businesses that process personal data, the challenge of data protection compliance is not over. It has just begun.
James Castro-Edwards is a partner at Wedlake Bell LLP