Your inbox has been brimming with emails from just about any and every entity that you’ve communicated with and they’re all telling you the same thing. On 25 May the EU General Data Protection Regulation (GDPR) will come into force. They’ve updated their privacy policy. Please opt in to stay in touch. And after around six weeks of it, there’s broad consensus that it’s gotten pretty annoying.
Worse news is that it’s probably going to remain a bane in our lives for some time more.
That’s not say it’s not a fantastic piece of legislation and by now you might know why. The EU’s new rules will give us more control, more insight and more forms of redress around how companies, whatever their size, use our data. We’ll be able to access, review, delete, change or object to any of the personal data a company holds on us. While the spirit of data privacy was already present in EU law, it’s now a tour de force with violations potentially resulting in €20mn fines. Incentive enough for them to comply.
What’s more, there’s talk of some American tech giants applying GDPR standards to its users outside of the EU. Post-Cambridge Analytica, the potential ripple effect is an extremely positive development for US citizens.
However, if you were waiting for 25 May to bask in all this glory then you may be disappointed. Because at the best there will be some teething problems and at the worst, some rather heinous rights infringements.
From a practical point of view, the GDPR will be a mammoth exercise in implementation. Now companies are complying and they’ve told you so, more and more people are aware of the legislation and their rights within it. This could lead to more access requests, more breaches and not enough capacity to deal with it all. As an indication of what we could be looking at, a survey by Crown Records Management revealed that 71% of people, across a range of professional sectors, might ask a company to edit or delete their data after GDPR comes into force. This could mean 37.3million requests out of an adult population of 52.6million.
Only in the last quarter of 2017 had the Information Commissioner’s Office (ICO) reported an increase in data security incidents, explained by increased awareness of their rights. More access requests inevitably lead to more data breaches as company employees processing requests don’t get the sufficient training to do so. Of 17,300 cases under previous data protection legislation, only 16 resulted in fines, which could be down to an under-resourced ICO.
Beyond the practical nuisances, there is still some murkiness around the GDPR’s implementation in the UK, which will concern privacy advocates here.
The 2018 UK Data Protection Act (DPA) will come out on the same day as the GDPR. The bill is a copy and paste job of the GDPR with a few key amendments. This is worth paying attention to as is the fact that Brexit is just round the corner and there will be stumbling blocks.
First off, there is the exemption in the DPA for immigration data, which has campaigners up in arms and quite rightly so. Under an amendment that states immigration data will not be subject to the bill, the UK will be creating a two-tier system as the amendment prevents those facing deportation from getting hold of any personal data the government has on them. Action requests are the only way people can find out why their application has been turned down. With the Home Office’s reputation for errors, this is precarious ground for many, including EU citizens who will have to apply for ‘settled status’ to stay in the UK after Brexit.
Then there’s the less discussed impact on Investigatory Powers Act aka the Snooper’s Charter as one academic has already said that in its current form cannot comply with the GDPR should there be a hard Brexit. One of the reasons is that the UK had not attained an adequacy agreement which states that the UK has a level of personal data protection that’s equivalent to the EU’s. Already having faced high controversy, it is bound to come up to intense scrutiny against EU laws.
Looming over all these concerns is one of the worrying consequences of Brexit, which has been the government’s use of delegated powers sometimes known as Henry VIII clauses, which will allow them to amend any of the copy and pasted EU legislation they’ve brought over with little oversight. Ministers can thus claim amendments are necessary to allow the law to work effectively in the UK, outside of the EU. But it gives them huge scope to do as they please without scrutiny.
There is also the big question on how this will work without the European Court of Justice or Charter of Human Rights, which will arguably need to provide oversight of data flows between the UK and EU.
There’s therefore a bit of work to be done before GDPR and its benefits is firmly over the finishing line, at least in the UK.