The Mishcon Academy Digital Sessions
Conversations on the legal topics affecting businesses and individuals today
Adam Rose
In this episode, what are the key issues that have arisen from the introduction of GDPR two years ago? Has it changed behaviour? And what has and hasn’t worked? Hello and welcome to the Mishcon Academy Digital Sessions podcast. I am Adam Rose, a Partner and Head of Data Protection at Mishcon de Reya. I’ll be chatting with my data protection colleague, Jon Baines, and Jon and I are recording this suitably distanced from north London and even further north. So, to start off, we are now two years on from GDPR coming into force, would you say the GDPR has been a success?
Jon Baines
Hi Adam. What do we mean by success? I think is the question I would throw back rhetorically or not. I think it’s important to look at where GDPR comes from and what was actually proposed when GDPR was put on the European statute book. Let’s not forget that data protection law in its modern iteration has been with us since at least 1995 and it looked at, in the round, in fact GDPR was really just a refiguring, a development, of those existing laws, let’s say for the digital age so I think it’s important to say that when we talk about “Has it been a success?” I think we have to push to one side some of the hype and the overly enthusiastic business creation that went with the build up to GDPR. I don’t think it was ever intended to change the world and I certainly don’t think it was ever intended to destroy business but some of the communications that we saw in those days before May 2018 gave that indication. I think better to look at is, in what ways has behaviour changed as a result of the law change and by that I mean behaviours of businesses, of organisations who handle data but also the behaviour of us, you and me and anyone listening, we are all data subjects. Our rights, our obligations are all triggered by this law.
Adam Rose
And I think it’s worth noting from my perspective as a practitioner who has been active in this area for far too many years probably, it certainly affected individuals’ awareness of their rights, I think we can say that the nature of people and understanding what their role is, what rights they have, that they have a right to ask for information, has certainly increased over this time and I suspect from a business perspective certainly businesses seem to be far more aware than they used to be and whereas data protection used to be something very much in the back office that you didn’t really want to touch if you could avoid it, I think businesses now recognise in so many occasions that data is what really brings value and adds value to what their business is, so whereas compliance might have been seen as purely an administrative, boring, possibly expensive thing, I think that GDPR has raised the value of data in businesses’ minds to a level where they treat it just far more seriously and are prepared to spend more money, more time and more effort in not just getting it right but being seen to get it right and using it as a way of encouraging their consumers to trust them more. And I guess one of the things that was feared by business was the size of fines that were being banded around as likely to happen, it might be worth us just spending a moment addressing whether anything has really happened or not in that regard.
Jon Baines
I think everyone knew that GDPR changed, or at least potentially changed, the landscape when it came to financial sanctions for getting it wrong so the headline figure almost everyone could recite was that there were potential fines of up to 20 million euros or 4% of global annual turnover, whichever is higher. They were sort of raising awareness in boardrooms the sort of figures, well, since then, let’s call the English speaking part of Europe by which I mean the UK and the Republic of Ireland, there has been the grand total of one fine in the two years to date since GDPR came in and that was in the sum of £275,000 in the UK.
Adam Rose
So pretty much half of what the cap used to be, so not a major fine, nothing like 20 million euros.
Jon Baines
Nothing like it and it was for a, let’s call it a good old-fashioned security failure where a pharmacy left a load of papers and other materials in a yard at the back of their offices. I mentioned that in Ireland and the UK, across Europe the picture has been quite different and there have been some largish fines, 50 million euros by the French data protection authority for Google and some large fines, one in Germany of about I recall 18 million euros for a real estate company but what we’ve also seen across Europe is small fines in quite large numbers, at least in some countries, for minor infringements of the law and I think when we go back to those heady pre-GDPR days I think a lot of people anticipated that in the UK. We haven’t seen that and I don’t think we are going to, there’s been no obvious change of approach from the information commissioner.
Adam Rose
So what I guess many listeners will have thought about or read about, are the huge fines, and I am using the word carefully, but huge fines issued to BA and to Marriott during the course of last year. BA fined, what was it £183 million and Marriott fined £99 million but of course, as you and I know and as many listeners will know as well, those haven’t actually materialised as fines, those were simply notices of intent to fine issued by the Information Commissioner, the regulator, one in the case of a major data hack in the case of BA and the other one following the acquisition of the Starwood Hotel chain by Marriott but both of those keep being delayed, keep being delayed, the Covid-19 pandemic has pushed it further back in both cases and I guess there’s got to be a realistic possibility of no fine in the end so, I just sort of think it’s interesting that the whole of UK plc’s boardroom sat up and listened when those data protection people and the whole industry was saying there’s going to be huge fines but in fact very little has happened. What I wonder is whether the threat of those fines and the profile given to GDPR that had never been given to this area of law before, has changed behaviour particularly and I just wonder if your sense is now that businesses still mindful of the question of fines are nonetheless treating it as a serious subject, something that they do need to essentially get right and whether citizens, consumers, individuals… we often find this in the context of former employees trying to find out what their employers were thinking before firing them or while firing them, whether people’s attitude to privacy, to GDPR generally is something worth noting or whether GDPR has sort of has come, has gone and life just sort of carried on as it did in 2017, 2016 and 2007 before that.
Jon Baines
Yeah, I think there has not been zero effect and I think those who know me perhaps know that I sometimes approach this with a slight world-weariness or pessimism and people might think I am saying nothing has changed. I actually think if one steps back, a huge amount of money and thought and time went into dealing with, complying with GDPR by which I mean policy reviews, data audits, information campaigns from companies and that was in total a good thing. I think that despite the fact that we haven’t yet seen really a great deal of enforcement…
Adam Rose
Maybe that’s a good thing, maybe there’s been nothing particularly to enforce, maybe people have been essentially getting it right rather than essentially getting it wrong.
Jon Baines
I think that’s right. I think essentially people try to do the right thing and generally do do the right thing. I think the enforcement approach of the Information Commissioner has generally been to recognise that most companies try and most companies generally get it right and if they get it wrong, what the Commissioner will say is why did it go wrong? Did it go wrong because of any corporate, institutional failings or was this a sort of one off mistake and I think that’s generally a sensible regulatory approach.
Adam Rose
So the thing that’s interesting, I guess, is you’ve got the regulatory approach, the sort of the public sector, central Government, effectively approach to looking at this and enforcement and then you’ve got the private sector, the suing each other, the litigation side of things and it might be worth us sort of moving on briefly to talk about how that has played out because one of the things, again, when GDPR was coming into force that people were talking about was is this going to lead to more data protection litigation and I think our experience has been the answer is yes but again interesting to see where that’s actually gone because obviously if you are going to enforce it rather than just relying on sort of people’s enlightened self-interest to get it right, if you are going to have enforce it from the outside there’s the regulatory enforcement piece or there’s the private litigation piece and I can think of two or three cases where litigation has been started, has got some way, for full disclosure we’re involved in, in one of these cases which is still… is currently alive and waiting for the next round of Court hearings, the Morrison’s case for example was an interesting case, I’ll maybe just say a tiny bit about it before we talk about it but that was a case where an internal auditor had got a copy of the company’s payroll and for perfectly lawful purposes he had that but then he used it for unlawful purposes separately when he had a grievance with his employer, with Morrison’s the big supermarket chain, he published it and is then doing time for criminal offences relating to what he did but a number of employees then decided to sue Morrison’s for damages and Morrison’s has been found not liable for the actions of its internal auditor because he was acting outside the scope of what he was expected to do but it raises a couple of interesting questions around do people sue their employers in that regard? Would the damages be big enough? 
How do you gather that number of people in? Do you think Morrison’s is sort of the end of litigation of that kind? Does it mean companies don’t need to think about it any more or was it a…?
Jon Baines
I don’t think it can be the end, you know, as you say, we’re certainly aware of cases and there are some that are in public. I think whenever one sees a big data breach in the news, very soon after, if you look closely you will find various law firms trying to run big data breach cases. I think the recent EasyJet data breach that we heard about over the last few weeks, already there are, I understand there are a number of firms who are, and again, full disclosure, we are not one of those, a number of firms who are looking to bring big group action claims under GDPR and our domestic Data Protection Act. One hears a lot about these, one doesn’t see many of them after that initial skirmish. Now there may be a number of reasons for that, the two most obvious are that the case has settled, as in there may have been some sort of settlement paid to data subjects but probably more likely is, and again I am drawing partly on experience of seeing some of the details of some of the claims, another reason is simply they haven’t got the legs in them, the basis is not there to bring a claim. Now that might be because in fact there was no infringement. As you and I know, just because there has been a security breach doesn’t mean that there was an infringement of the GDPR itself. It may be that the company involved had done everything that it reasonably could and something beyond what was reasonable for them to prevent happened or it may be, and we got back to the Morrison’s case in fact here, that in fact it was a rogue employee or a… someone acting beyond their authority that caused this. So I think as you said, Adam, in those heady pre-GDPR days, a number of Boardrooms, or lots of boardrooms, were bothered about these multi-million pound pay-outs for big group action claims with lots of compensation for GDPR infringements. 
We’ve not yet seen those and I don’t think we’ll see them in the sort of way that people feared but it’s not to say that there aren’t some cases that might not lead to that. A big question for me though is going to be, and we still don’t really know is, just how much are these claims worth. If my data protection rights are breached, what value does a Court or society give to my data? We’re still not sure.
Adam Rose
I guess that’s one of the issues that we’ve been grappling with in that if you are an individual who has had some sort of data rights breach affecting you and just say you can claim in round figures a thousand pounds, it’s going to cost you far too much to seek a thousand pounds in remedy so in a way you’ve got to have these groupings of people bringing together, a number of people bringing litigation together, and really you’d probably have to have a thousand or so people bringing claims for a £1000 each which is a million pounds worth of damages to justify, and as a lawyer I shouldn’t say this but, to justify the legal fees in bringing such an action and that maybe means it’s only the big data breaches or the big data wrongs that can end in that sort of action and maybe it’s the smaller ones that might turn out to be quite important but no one can ever really do that much about it. I want to move on from sort of the enforcement side, whether that’s regulatory or litigation, to some of the other compliance challenges that we have been involved with, with clients and I guess I am thinking around the increased number of subject access requests, the breach notification issue whether you do need to notify your regulator, whether you do need to notify people affected or not and then the third thing was around data protection impact assessments which are the things you need to do, you need to look at, what are we actually doing when we are instituting new systems, new processes, new software that might have a privacy impact and I think the combination of those three things, of subject access requests, of data protection impact assessments and breach notification, have actually changed some of the landscape in that although they’re a continuation in part of what went before, they’ve been a detail that I think, I think at least has actually changed the way good businesses have been looking at things.
Jon Baines
Yep, yeah, I mean all three of those examples, they all existed in some form or another under the old law. As you and I know very well, in a lot of disputes, especially employment disputes or disputes involving private individuals, the subject access request is a common, I am loath to use the word ‘weapon’ but I will use the word ‘weapon’, a commonly used weapon which can be wielded as part of that dispute. That’s been the case, again, for let’s say twenty years, perhaps gradually increasing to recent…
Adam Rose
But I feel it’s really increased over the past couple of years, it’s sort of it’s gone from being something that we are aware of, sort of, a slightly sort of jokey comment was made at the time because you used to have to pay £10 with your subject access request and now you don’t and everyone sort of said well that’s not going to make any difference. I think it has actually made a difference that you don’t need to do, you don’t need to do anything, you don’t need to sort of, in modern times even harder, you don’t need to find your cheque book to send a £10 cheque, you just make the subject access request and I think that ease with which people can do it, coupled with the raised profile of the area, has really increased the power of that as a personal weapon, to use your word again, against sort of businesses and Government that has probably exceeded certainly my expectation. On the other hand, as a law firm, we’re sort of advising clients and we are receiving subject access requests as well and I think there is a sort of somewhat hidden cost of GDPR in that sort of compliance space that maybe was looked at less fully than the regulatory fines and mitigation piece had been and which is probably affecting more people, more regularly.
Jon Baines
I agree. There were some people who, when we think that we’re talking about subject access requests, commonly known as SAR or SARS, and people, some people predicted a SARMageddon of requests. We haven’t seen that but, yeah you are quite right, we’ve seen a noticeable increase, and you are right, we act for clients who have received these, we act for clients who are making them and as a firm we receive them as well and if you factor that out across the whole economy, the costs of dealing with them are certainly not inconsequential. Each one is different and there are still ones that are relatively cheaply dealt with but when we remember that each one is a legal notice that requires a response, that each one has a cost, however minimal, so that’s certainly been a, well it’s more a change, a development, not something new but a noticeable change.
Adam Rose
Yeah. So I think the area that has changed that certainly we have been looking at and other organisations have been looking at is the way data is now so important in so many businesses and I am thinking of this from two perspectives; one, when buying a business knowing that the value of the business can rest in its data and whether that data has been collected properly, used properly, how the business has approached its use of personal data, that I think has been a change over time but I feel particularly since the introduction of GDPR it’s just sort of raised its profile and its value but the second area, and again what you and I have looked at is the way other regulators have looked at data and I am thinking particular areas like competition law, anti-trust law and online advertising, online platforms, areas like that where I think fifteen years ago or so no one had really thought of data as both an asset and an asset of such value that a competition law authority might look at it and I am just wondering where you think that might head. We know because it's sort of published data that I think the UK authorities looking at this have worked out that Google earns something like 90% of all online search advertising revenues and Facebook has a not entirely dissimilar percentage of all online display advertising revenues so that’s massive, massive control or massive share of a massive market and I just wonder where you think and I’ll say where I think that sort of cross-legal discipline, cross-business area thing might end up.
Jon Baines
Yes, it’s such an enormous and enormously interesting area. It’s a facile point but, you know, for a long time we saw these huge tech companies as that, as huge tech companies providing social media services etcetera. Well, yes they do that but let’s bear in mind that really where their revenue has come from is from advertising and where the reason that the advertising has such tremendous value is that it's in large part based on our data, on the data of those who use it and some of these companies have become, let’s say some of the largest companies the world has ever known and that is bound to raise the notice of regulators in the competition and anti-trust areas and we’ve seen that so they, you know, the CMA, the Competition and Markets Authority is looking into digital markets, looking into whether there are any of these that the companies are in positions of dominance that require regulatory intervention. Yeah, that’s something that I don’t think, certainly I’ve been in this field for what, fifteen/twenty years and if you’d asked me only five years ago, I wouldn’t have, I wouldn’t really have predicted that.
Adam Rose
Yeah, I think that’s true. And I think the way data has value, the way it’s used, the way it impacts on our everyday life, sort of whether it’s how we are recording this podcast or searches that we might have done before or the rest of our day’s work and we’re far from unique, you just sort of think of everyone from sort of probably three year olds to hundred year olds being online and using these services and becoming effectively the product, we are the thing that these businesses are making their money from as much as selling us stuff. It’s an interesting development that yet again and in a way I want to go back to the introduction of GDPR and the process which began probably in sort of 2013/2014, effectively became law 2018, I guess like so much law in developing areas, the law hasn’t kept up with where we are so that probably when it was enforced in 2018 it was already out of date but I just think even in the two years since, the recognition that data has changed and become such a force within the economy is a very interesting position to find ourselves in, we’re in sort of real time, we can see a law coming in and not necessarily being able to keep up with where we are and I think actually the Covid-19 pandemic has sort of shown how technology is so pervasive and so powerful so that so many people who have sort of desk jobs have been able to just carry on largely unaffected from a ‘can we do our job or not’ perspective, forget sort of everything else but just from can I do my job because the technology enables one to do one’s job and therefore the data that’s being processed, both personal data and other data that’s being processed, is sort of an indication of the power and the importance of data in the economy nowadays, it’s… it is quite exceptional. The one thing… go ahead Jon.
Jon Baines
Well, just on the Covid example, I think you develop that from discussion around competition and just the prevalence of digital information in our society and I think one question is really whether our regulatory regime actually is fit to deal with it so, I think we talked about the CMA being involved, we’ve got the Information Commissioner investigating advertising technology, we’ve got a different approach across Europe and when we look at Covid we were talking about, there was some potential for a new regulator there and I think that’s because I think society and policy is starting to recognise that data is all pervasive and can it be dealt with under the existing regulatory structure or do the existing regulators need more powers or do they need to be combined? I think we are going to see a lot of that discussion over the next year or so.
Adam Rose
And I guess because as lawyers we can’t have a session where no one mentions the word ‘Brexit’ and we’ve done pretty well to not get there until now. The impact of Brexit on the way the UK’s data law might develop is again, and one uses the word carefully, is going to be interesting, at the moment the UK is effectively saying and sort of there’s no reason at the moment really to see this changing, effectively saying GDPR which is already part of UK law will be further UK-ised so that instead of pointing at European institutions it will point at UK institutions and effectively that will be the main change in what will happen when the transition period ends but there’s a sort of a slight undercurrent of noise at the moment that maybe we won’t go down that route at all and maybe we’ll have a British sort of a more sovereign solution to this which is perhaps slightly odd given that a lot of data protection law comes out of British UK jurisprudence and thinking at European level but at the moment there’s a risk I guess with Brexit that data, data flows from the EU 27 to the UK might be disrupted because the EU 27 will stick with GDPR and its understanding of GDPR and the UK whether we have our version of GDPR or some other law will start drifting off maybe very quickly in some other direction and that will be a challenge for business, it was certainly one of, I think Theresa May had sort of five key areas and data was one of those five key areas that she wanted to get resolved. I think as I say it’s going to be interesting to see how that pans out which given we are at the end of May, we have a pandemic and a Brexit date scheduled for seven months’ time, it will be of concern I imagine to some businesses that are operating across Europe as to how this may play out.
Jon Baines
I think it must be of concern for you and me, it’s tremendously difficult even for people who are immersed in this subject to have a clear view past all the posturing and the politics that go on in this lead up to us finally slipping the bonds of Europe but the question is going to be, as you articulated, just how easy is it going to be to move data from one country to another and by that particularly what we’re saying is from Europe to a post-Brexit UK. I think businesses need to start thinking about this and they need to countenance the possibility, maybe even the likelihood that it won’t be straightforward and the position that we’ve had for, again, more than twenty years where effectively there are no real constraints on movement of data, the position may change fundamentally and I’m not saying there won’t be ways to effect those transfers of data but it may have to be done differently and that may require work, it may require remediation of contracts, it may just require closer analysis of data flows but it may require anonymisation, pseudonymisation of detail, a new focus on security. 
As I say, it’s very difficult to know for certain how things are going to play out because the political stakes are so high and the negotiation, and I’ll use the word again ‘posturing’ is at such a fevered state that we really struggle to get clarity on it but I think one thing is for certain that there will have to be some very detailed policy decisions to be taken and that’s both by the rest of Europe and by the UK about what sort of arrangement we actually want with our European friends and then how can we best effect this and I think there’s, what’s the phrase, many a twixt between cup and lip, so there may be an intention to get this right and sorted by the end of December but it’s a very short time and we’re living through such a peculiar period where all of these negotiations are going to take place, or lots of them, largely how you and I are talking now, you know across the airwaves, it’s just a very tricky time.
Adam Rose
So, I just want to pick up, Jon, on a couple of things you mentioned there, one of those being that effectively we’ve understood how this all works and how business has understood how it works for about the past twenty years and if you think of most people’s careers, a twenty year period from the age at which they have responsibility for these sorts of things might last about twenty years so there’s a whole generation of business people who have only ever understood data flows to operate the way we understand them now so, transferring data from Birmingham to London or London to Leeds or Berlin to London or Paris to London has all been the same and to face a change in how you do things particularly in the current context and particularly also where data is so fundamental to the way businesses operate, where in fact data is, and I know it’s sort of the hackneyed phrase of it’s the new oil and I sort of always hate myself for using that but nonetheless the fact that data has been so important and is so important in the way businesses are valued and the way businesses operate, in fact the way we just have lived our lives and this pandemic has sort of highlighted it even more, all the home delivery of goods, all the orders over Amazon, all the Netflix subscriptions, whatever it is that the broadband connections, all of these things are data flows ultimately, it’s going to be very interesting to see how that does pan out.
Well, that feels like an excellent place for us to stop. I’d like to say thank you so much to Jon Baines for joining me for this Mishcon Academy Digital Session podcast. I am Adam Rose. Do look out for the next podcast in the series and indeed you can find all previous episodes on iTunes or your favourite podcast platform.
The Digital Sessions are a new series of online events, videos and podcasts, all available at Mishcon.com and if you have any questions you’d like answered or suggestions of what you’d like us to cover do let us know at coronavirus@mishcon.com. Until next time, take care.
The Mishcon Academy Digital Sessions. To access advice for businesses that is regularly updated please visit Mishcon.com.