Oct 03, 2018

Written By Emma Finamore

The future of GDPR

Oct 03, 2018

Written By Emma Finamore

The EU’s General Data Protection Regulation (GDPR) came into effect in May this year, after years of fraught negotiation. But will this landmark law survive our departure from the EU, and what will that mean for data protection in the UK?

The idea that we see advertisements in exchange for accessing a service is a familiar one. Buy any magazine or newspaper, or tune into a private TV channel such as Channel 4, and you expect to see ads for goods or services that would be of interest to the people who choose to access that service. Advertisers buying time with our eyes feels straightforward; but buying time with us individually by finding out what makes us tick specifically—via our online data—is a whole different ball game. Suddenly, we’ve become the product being sold, and many of us are uncomfortable with that. 

The traders in this new data-focused marketplace are data brokers, who collect all kinds of information on internet users, including names, addresses, places of work, hobbies, interests, family and things that we do online. This data-collection trade has existed for decades, but what has changed is the volume and nature of the data being extracted from the Internet. First, via PCs and laptops, and now handheld devices such as smartphones and tablets. 

Companies want this data—and therefore brokers collect it—in order to build up profiles of the individual consumers they want to sell to, which can then be used to push uniquely-targeted products and services. This has become extremely big business, as organisations are willing to pay a lot of money for data that can help them target specific segments of the market. As well as the basics, data brokers can harvest information on details such as marital status, the age of internet users’ children, property ownership, political preferences, income details and educational information.

Brokers gather all this by applying things such as cookies, web beacons, e-tags and a variety of other tools. Cookies, widely used on desktop computers, are small pieces of code that are dropped onto a user’s browser, while a web beacon is a small transparent graphic image that’s placed on a website or in an email and used to monitor the browsing or email-sending behaviour of the user. Brokers then summarise details such as what sites users have visited, what they have shopped for, what time they are likely to shop, and so on.

Social-networking sites such as Facebook and Twitter are fertile ground for data brokers to harvest information on users. These sites collect lots of data—including ages, friends and interests—when users sign up and spend time browsing. Much of the information is collected without you being aware of it. For instance, Facebook’s “Like” and Twitter’s “Tweet” buttons—which many websites embed in order to allow visitors to like or follow their pages—carry a code that allows the social-networking companies to track users’ movements even if they don’t click those buttons.

Google is another prime target for data brokers. It is by far the most-used search engine in the world, and its other free services such as Gmail and Google Maps are each among the most popular of their kind. However, there’s a trade-off in exchange for the free services that Google provides: personal information is collected by the search engine and sold to those who want it. Consumer-data-collection company Datalogix, for example, entered into an agreement with Facebook to track whether users who see ads for certain products actually end up buying them at local stores.

Users’ communication with other websites using Google AdWords and other Google technologies is also collected, while Google also uses Chrome to store information in users’ browsers and learn their preferences.

According to information-age.com, the UK is currently behind the US in terms of investment in this data industry. However, UK companies do intend to increase their average spending on advanced analytics by 26% to £24 billion by 2020, while their US counterparts plan a similar increase of 25% to reach a total investment of £112 billion. 

But as the industry grows so do concerns around it, as well as calls for greater transparency and accountability. The EU’s General Data Protection Regulation (GDPR) came into effect in May this year, a hotly contested law that’s the product of years of intense negotiation and thousands of proposed amendments, despite its building blocks having been present in European law for decades.

Even outside the EU, GDPR will affect a swathe of UK business: the new regime doesn’t just apply to organisations within the EU but also to organisations established outside the EU that offer goods or services in the EU, or which monitor the behaviour of EU residents. Hence global companies everywhere from the US to Asia are sitting up and taking notice.

It brought with it two fundamental changes to the preceding legislation, the 1995 Data Protection Directive. The first is universality: a set of rules and practices that apply across the EU and (it’s hoped) the world. The second is enforcement: the capacity for regulators to fine any company in breach of the GDPR as much as 4% of its total worldwide sales. However, critics have said the law leaves a lot of flexibility in terms of implementation and interpretation, and that— although the fines far exceed anything data-protection authorities have wielded before—penalties are likely to be levelled sparingly. PadlockAnd since this is an EU law, what happens to data regulation in the UK when we leave the Union? The Data Protection Network—an organisation dedicated to providing expert opinion, quality resources, and learning materials to both experts and non-experts in the field of data protection and privacy—thinks we will pass similar legislation to the GDPR. “Uncertainties abound, but in most scenarios facing the UK, implementation of GDPR or a very similar data-protection regime is firmly on the cards,” the organisation said in a recent blog post, ‘Brexit, GDPR and the future’. 

"Post-Brexit comments made by Baroness Neville-Rolfe, minister responsible for data protection, led to headlines that GDPR may no longer apply in the UK. While the specific shape of the post-Brexit privacy regime is unclear, GDPR will play a key role.” The post quotes Neville-Rolfe as saying, “We don’t know how closely the UK will be involved with the EU system in the future … On the one hand, if the UK remains within the single market, EU rules on data might continue to apply fully in the UK. On other scenarios, we will need to replace all EU rules with national ones. Currently, it seems unlikely we will know the answer to these questions before the withdrawal negotiations get underway.

“One thing we can say with reasonable confidence is that if any country wishes to share data with EU Member States, or for it to handle EU citizens’ data, they will need to be assessed as providing an adequate level of data protection. This will be a major consideration in the UK’s negotiations going forward.” 

The CEO of the Direct Marketing Association, Chris Combemale, has voiced similar opinions to the minister responsible for data protection: “The UK wants to continue trading with the EU, so our data-protection law will need to be broadly equivalent to existing legislation and strike the right balance between the right to privacy and economic growth.” 

But what are the UK’s options post-Brexit, and how might they affect the current data-protection regime?

If the UK negotiates to leave the EU but remains in the European Economic Area (EEA), it will be required to incorporate EU legislation covering the free movement of goods, services, persons and capital. If this route is taken, it’s almost certain that GDPR will be fully enshrined in UK law. Likewise, if the UK stays in the Single Market, EU legislation is more than likely to apply.

Even if the UK leaves the EEA, it could still decide to incorporate GDPR into national legislation or adopt a very similar-looking regime. Some say this would be the most straightforward approach as it would get rid of the need for clunky, time-consuming data-transfer solutions between the EU and UK.

The UK may however, be tempted by a more ‘business-friendly’ approach to data protection. It has already voiced reservations over burdensome aspects of GDPR. Business Matters reported in June that many organisations were struggling with implementing the new rules. One source told them: “We engaged external solicitors but they themselves saw an increased workload, which reduced their response time for us.”

Another said: “Our issue was mainly one of resource. We started the exercise last summer, but the data mapping took months. By the time we were ready to analyse it with our lawyers, they themselves were inundated and took some time to produce our GDPR readiness report.” A further critic said: “Tech resources have been diverted from business improvements to compliance at a time when a UK company should be focusing on using technology to improve productivity and drive the business forward.”

Something dubbed ‘GDPR-lite’ could appeal to the UK government, as a way of keeping businesses happier: waiving hefty new fines, continuing to charge for notifications, ditching data-protection officers’ requirements and ignoring the right to be forgotten.

This might appear an attractive proposition at first, but it wouldn’t be as simple as it sounds. This route would mean the UK would be unlikely to achieve adequacy status (meet with the standards required of the EU), with any deviations from GDPR facing robust EU scrutiny.

If the UK isn’t deemed to have acceptable, equivalent data-protection laws, alternative solutions would be required to transfer data from the EU to the UK, and this would have a significant impact on business activities. Rather than cutting bureaucracy and saving time, GDPR-lite could actually end up burdening business with time-consuming binding corporate rules (designed to allow multinational companies to transfer personal data from the EEA to affiliates outside of the EEA in compliance with data-protection principles) and model clauses (data-transfer agreements). Negotiations might also be required for a EU-UK Privacy Shield, such as the current EU–US Privacy Shield—a framework for transatlantic exchanges of personal data for commercial purposes between the EU and the US.

While the future—and the world after Brexit—is uncertain, the value of data seems set on an upward path. So too are the number of laws required to ensure that a citizen’s right to privacy maintains its own value.

Advertisement

Advertisement

Commercial Insights