On 25 May 2020, the European Union (EU) General Data Protection Regulation (GDPR) entered its so-called “terrible…
twos” and, in principle, you might say the regulation has been a wild success.
Established as a core principle of the Digital Single Market, and with widespread recognition among EU citizens, it allows individuals to take back control of their personal data and simplifies the regulatory environment for businesses working within the EU.
Or does it? Tim Hickman, a partner at London law firm White & Case LLP and one of the UK and Ireland’s foremost experts on data protection law, says that as the regulation reaches its second birthday, there are still a lot of kinks to iron out.
“European commissioner [Vivianne] Reding, as she then was, was very keen on this idea that if you provide Digital Single Market services in Europe, you should face one consistent set of data protection regulations in all member states, and businesses broadly welcomed that idea,” says Hickman. “They weren’t super keen on some of the concepts in the GDPR, but they were very keen on this idea that we would have one law rather than 28.
“But that hasn’t really happened and there are three reasons why. The first is that it was unrealistic to begin with. The GDPR, like any EU law, can only govern the things that are within the EU’s legislative competence. With things like national security, freedom of expression and national employment law, the EU can’t make rules, but data protection touches all those things.
“Secondly, even in the areas that are within the EU’s legislative competence, you have certain carve-outs for things that are reserved for member states.
“Then the core of this – where the EU does have the power to make rules, you still have a problem that not everything can be politically agreed. What always happens is that there is a lot of horse-trading and the last resort option is always to say, ‘We’ll have this general principle, but the question of how each member state is going to implement that will be left to national parliaments’.
“Nearly half of the substantive provisions of the GDPR are based on that principle, which is problematic because it means that, in many instances, member states have decided how the provisions work. For example, what is a child under GDPR? Is it someone under 13? 16? What defines consent given by a child? Germany has a double opt-in standard, but in France, both parent and child must give consent, and if the parent says yes but the child says no, then you don’t have consent.”
Hickman adds: “I query how that works when I speak to my three-year-old about what we’re having for dessert. So there are lots of national gaps and that’s how we ended up in the situation where businesses are concerned that they were sold the idea of this new law that came with massive fines, but in exchange, they were getting one rule that would allow them to operate uniformly across the EU. It’s now becoming abundantly clear that that’s not actually what’s happening.”
Vagaries and oddities
Hickman says there is much discontent among large businesses as to how GDPR compliance works, and to this end, White & Case has produced its own implementation guide.
“The uptake has been great,” he says. “Huge businesses are very interested in something that can package together for them the answer to the question of what they need to do in Germany, and why that’s different to France or Spain, and so on.”
The problem businesses have is that they face different GDPR compliance requirements in each member state – and that gets expensive.
Hickman believes the problem is the vagaries and oddities of national laws that may have gone unnoticed before, but can no longer be ignored.
“For example, do I need to appoint a data protection officer [DPO]?” he says. “The DPO was an offshoot of German law, originally. Prior to harmonisation, German law had this concept of a DPO that’s now been exported. But when the Germans saw the EU text on this, they decided it wasn’t strict enough and so they implemented their own law.
“Now, if you are operating in Germany and you have more than 20 employees processing data with computers, you must have a DPO. But in the rest of the EU, you don’t need one unless you fall within the tests set out in the GDPR, which are much more high-level than the German tests and don’t relate to the number of individuals, per se.”
This is a challenge for several reasons. For example, a DPO is a protected class of employee – because they exist to challenge their employer on cyber security and this may rub people up the wrong way, you can’t fire them if you don’t like what they say. So far, so logical, but this condition of employment law may make the role attractive to someone who is temperamentally unfit to be a DPO.
“You can outsource it, but if you do, again you can’t get rid of that person just because you don’t like their advice and, of course, the problem is: how do you prove that you’re getting rid of them for gross negligence or for something they did that was wrong?” says Hickman.
“Were they to commit theft, you could get rid of them fairly easily, but anything short of a criminal offence, you’re going to get into an argument about whether or not you’re firing them just because you don’t like what they did.”
Tim Hickman, White & Case LLP
Outsourcing brings up other problems. Because there was no market outside of Germany for DPOs up until recently, there are few outsourcers with appropriate experience, or the time or motivation to discharge the role adequately on behalf of multiple clients.
The DPO problem is just one example of where the GDPR becomes vague the minute you cross one of the EU’s internal borders – and there are others.
Take dead people, for example. The GDPR explicitly states that it relates to the personal data of the living, but because member states were able to make their own rules here, some have conditions that state, for example, that if someone granted in their will that their executor could exercise their data protection rights, a data processor must allow that.
“So you can have a post-mortem right-to-be-forgotten request and in some member states, you have to honour that and in some you don’t,” says Hickman. “As you can imagine, that can be quite complicated. It depends on whose law applies and in which member state the request was made, and so on. For a lot of businesses, there is a huge compliance cost-base baked into this in trying to answer questions that nobody has a firm grip on.”
Unfortunately, this won’t change much in the short term. A law firm can guide on how to manage your exposure to GDPR, but this is complex because there are 28 regulators taking divergent positions on the issues, infighting, and producing guidance that isn’t legally binding and can change at the drop of a hat – something Hickman has learned the hard way in court.
There are also cultural problems. Eastern Europeans with lived experience under one-party dictatorships take privacy much more seriously, whereas the British take a more cavalier attitude.
“We should have one law that governs the way this operates across the EU,” says Hickman. “It makes sense. But because of these different conditions, we’re in a position where different regulators hold two ideas, and the interpretations shoot off at different angles.
“I can have the same law in my Dublin datacentre as my Frankfurt datacentre, but totally different requirements in terms of what I practically need to do.”
Brexit in name only
The big test for GDPR in the UK this year will, of course, be Brexit. Hickman was speaking to Computer Weekly on 11 February 2020, a mere 11 days after the UK formally left the bloc with a transition agreement in place until 31 December.
The situation around Brexit is fluid – not least because of the Covid-19 pandemic – but in terms of GDPR compliance, nothing changes before 31 December, and probably not beyond that. Businesses still face a degree of uncertainty, says Hickman, but not as much as they did before the December 2019 General Election.
In terms of the UK’s domestic compliance, once the transition period ends, the Data Protection Act (2018) will import the GDPR into UK law, with various keywords changed as needed.
“We will end up in this situation where the default outcome will be that we have EU data protection law in all but name, even after Brexit after the end of the transition period,” says Hickman. “The $64m question is, what are we going to do in the long term? Is the UK going to diverge from the EU or not?
“Now some of the smart money is looking at this and saying that if the EU is serious about keeping the UK in its political orbit, then one of the best ways to do that is to give the UK an adequacy decision. That will force the UK to keep this GDPR standard, because if we depart from it, we lose our ability to trade data with Europe. That would, to my mind, be an easy win for the EU.
“Whether or not the European Commission will do that is unclear. I have some sympathy for them in that if we’ve spent years furiously arguing with them about everything and anything, and then the next day, we come to them cap in hand and say, ‘please, sir, can we have a data adequacy decision?’, I can get a sense of how Michel Barnier might respond to that kind of approach.”
Hickman adds: “There’s no indication that the UK is going to put in place any barriers in terms of sending data to the EU or receiving data from the EU. This is purely a problem of what is the EU going to do about the barrier that it has vis-a-vis all third countries? Will it be just as hard to send data from the EU to the UK as it is to send it to Mexico or India? Or will they come to an arrangement?”
There are vested interests, many in banking, that would love to see the EU tell the UK to get stuffed in terms of data adequacy. This is mainly a question of competition, as EU banks will benefit if they can shut the City of London out of European financial markets.
However, in the UK’s favour, these interests clash with political ones. Take the position of the Information Commissioner’s Office (ICO), which was, until 31 January, a member of the European Data Protection Board (EDPB) and, given its budgetary clout and authority in the development of the GDPR compared to many other EU regulators, it is expected there will be some appetite to keep it involved in some way.
Consider also the UK’s membership of the Five Eyes intelligence alliance. It could be argued from a business perspective that this is reason enough to shut the British out, thanks to how GCHQ collects data and shares it with the US, but it could also be argued that from a foreign policy perspective, the EU benefits from this.
“In practice, the national security agencies of every EU member state want access to GCHQ’s data, so in reality, they will probably want some kind of under-the-table access,” says Hickman.
Compliance, non-compliance, and something in between
So, what are the compliance options? These depend on what type of business you are running, the risks you face, and the areas of national divergence that worry you. So, to start, work these things out.
Broadly speaking, Hickman defines three basic strategies – and mixing and matching from them is fine, too.
The first is a high watermark strategy. This reflects the fact that 100% compliance is unrealistic and that even if you have done everything right, you can’t guarantee against accidents. In this approach, you identify the areas where you see most risk, which country has the strictest law in that regard, and then stick to that across the EU. For many, this is the only realistic option – otherwise, you may need 28 different websites. It comes with downsides, though – in states with lower standards, your competitors may gain an advantage.
The second, more flexible option, is one of targeted compliance. In this approach, you set out to achieve minimum compliance in every EU country where you do business, which means you miss fewer business opportunities, but pay more.
The third option is what Hickman calls targeted non-compliance. “This is where you say: ‘This law is simply antithetical to my business model; if I were to try to achieve anything that was compliant here, the net effect would be utter destruction of whatever it is that I’m doing’,” he says.
Tim Hickman, White & Case LLP
A lot of organisations are taking the third approach to some degree, but it is very risky because it demands that your cyber security practices be unimpeachable, and when they are found wanting, you are at the mercy of whoever interprets the law.
“The best strategy at the moment is to stay off the radar,” says Hickman. “And how you do that will depend on three things. The first is luck – to the extent you can control that, obviously it would be advisable to put in place good cyber security, but there is just an element of risk there that is irreducible.
“Then, if you’re going to suffer a data breach, try not to have credit card data or any kind of payment card data involved. Obviously, the two biggest enforcement actions by the ICO both involved the loss of credit card data, insofar as you can extrapolate a theme from two enforcement actions.
“The third thing is, if you’re going to suffer a data breach, in addition to not losing card data, don’t lose anything that’s politically sensitive.”
Hickman concludes: “The takeaway theme for businesses at the moment is to look at what you can do to reduce your risk profile. Total, 100% compliance is not achievable, but there are quite a lot of things you could do to reduce risk, both in terms of better cyber security and also in terms of having the right structures, policies and procedures in place to make sure that when you suffer a data breach, you know what you’re doing.”