Thursday 25th May 2023 marks five years since the General Data Protection Regulation 2016 (EU GDPR) came into effect for EU member states, including, at the time, the UK.
The data protection landscape has developed since then, with the UK leaving the European Union and introducing the UK GDPR, enforcement action being taken by the Information Commissioner’s Office, the introduction of The Children’s Code and much more.
In this article, we reflect on the past five years and look ahead to what the future may bring.
What did the GDPR intend to do?
The EU GDPR intended to protect the privacy and personal data of individuals within the EU and European Economic Area (EEA). At the time it was implemented, the legislation also covered the UK. The legislation did this by implementing and enforcing strict rules on the way organisations collected, stored or otherwise processed personal data. Individuals were given greater controls over their personal data, including various statutory rights such as the right to be informed, the right of access, the right to erasure and so on.
At its core, the EU GDPR centred around seven key principles which are reflected throughout the legislation. These are:
- Lawfulness, fairness and transparency: data processing must be lawful, fair and transparent for the data subject;
- Purpose limitation: you must only process personal data for the purpose it was collected for;
- Data minimisation: you must only process the personal data that is necessary for the processing activity;
- Accuracy: you must, to the best of your ability, ensure that the data you process is accurate;
- Storage limitation: you must only retain personal data for as long as necessary;
- Integrity and confidentiality: personal data must be afforded appropriate security; and
- Accountability: you are responsible for your data processing and must be able to demonstrate compliance with the legislation.
The UK GDPR
When the UK officially left the EU, it had a vast impact, not least in the legal sector. On 1st January 2021, the UK GDPR was implemented. The UK GDPR largely mirrors the EU GDPR, although there are some variations, such as including greater restrictions on international data transfers or reducing the age of consent from 16 years old to 13 years old. The introduction of the UK GDPR was done so to allow UK businesses to continue to operate internationally while maintaining a high standard from data subjects.
Amongst other things, the UK moving away from the EU has resulted in a new data transfer mechanism being introduced. In the absence of an adequacy decision, binding corporate rules or EU standard contractual clauses (entered into prior to September 2022), any data transferred internationally from the UK must rely on international data transfer agreements (IDTA’s).
Please note that EU standard contractual clauses entered into prior to September 2022 are still valid, but only until March 2024. At which time, IDTA’s will wholly replace EU standard contractual clauses.
ICO: enforcement action
The Information Commissioner’s Office (ICO) is the UK’s regulatory authority for data protection matters. They hold a register of data controllers, promote good practice, settle disputes or advise on ‘grey areas’ within the legislation. The ICO also have various enforcement powers which range from written warnings or requesting information up to issuing substantial fines or, in extreme circumstances, preventing a business from processing any personal data further.
Fines in this context can reach up to £17.5m or 4% of an organisation’s global annual turnover (whichever is higher), which was a great concern before GDPR came in. The reality is that we have seen a range of fines issued depending on how severe the ICO deem the breach of the legislation.
A recent example of the ICO exercising such enforcement powers is their fine of the social media giant, TikTok. At the beginning of April, the ICO announced that they had issued TikTok with a fine of £12.7m for numerous breaches of the legislation but predominantly for the misuse of children’s personal data. The UK GDPR asserts that processing the personal data of children under the age of 13 for information society services (which includes social media platforms) is only lawful when ‘consent is given or authorised by the holder of parental responsibility over the child’. Not only did TikTok fail to implement a requirement of consent for under 13s, but they also failed to identify and remove underage children from the platform.
The Children’s Code
The Children’s Code (or the ‘Age Appropriate Design Code’) was introduced by the ICO in September 2021 to provide clarity on the current legislation in respect of children’s data, as well as provide some standards that online services likely to be accessed by children must meet.
Some of those standards that the Children’s Code introduced include giving children and their parents/carers more controls of their privacy settings, privacy settings being set to the highest standard by default (e.g. location tracking being switched off) and clearer tools being put in place to assist children in exercising their data protection rights (such as privacy notices being understandable for the target audience).
It is thought that these layers will enable children to have a safer, more pleasant experience online, whilst ensuring online services crack down on compliance to prevent any further misuse of children’s data.
What is the future for data protection?
In March 2023, the Data Protection and Digital Information (No. 2) Bill was introduced to Parliament. The bill is still being considered by Parliament but it’s said that it will be a ‘simpler and clearer’ data protection and privacy regime for businesses to navigate.
It remains to be seen how the Bill will look at royal assent, and therefore it is difficult to predict what the future of data protection will be. For some key takeaways of what the Bill looks like so far, see our Data Protection and Digital Information (No. 2) Bill article.
Ultimately, the impact of the GDPR over the past five years has been significant. We have seen businesses drastically improve the way they approach their privacy and data protection practices. Individuals are increasingly aware of their own personal data rights and have greater controls over how their personal data is processed. One thing that we can be sure of for the future is that with technologies advancing future, artificial intelligence (AI) becoming increasing popular and digital innovations increasing, data protection is likely to remain an important topic for individuals, businesses and regulators to consider.
If you have any further enquiries regarding GDPR please feel free to contact our Intellectual Property, Data Protection & Technology team.
This article was co-written by Max Miliffe, Data Protection Specialist, and Joey Medway, Paralegal, in our Intellectual Property, Data Protection & Technology team.