10 things that happened whilst I was on maternity leave (and two that didn’t)
Number 1: The GDPR had its first birthday

What happened in the legal world whilst I was on maternity leave? That’s what I’ve been catching up on. Whilst I was cuddling and playing over the past 10 months, some exciting legal stuff went on. In a series of 12 articles, I will discuss my top 10 things that happened, and my top two things that didn’t happen.

Up first: The GDPR had its first birthday.

On 25th May 2019, the General Data Protection Regulation (GDPR) had applied for a full year. According to the European Data Protection Board, EU-wide there have been over 144,000 queries and complaints, and over 89,000 personal data breaches logged by the national supervisory authorities.

Enforcement action has included the following:

  • Google was issued with the largest fine of Euro 50 million by CNIL, the French supervisory authority (reported in January 2019). CNIL ruled that Google had failed both to provide adequate information and to obtain valid consent for personalisation of advertisements.
  • AggregateIQ Data Services Ltd (AIQ) in Canada was issued with an enforcement notice by the UK supervisory authority, the Information Commissioner’s Office (ICO), requiring it to delete personal data held about UK citizens (relating to political campaigning). The original notice was issued in July 2018 but this was replaced by another notice in October 2018.

    Of particular interest was the application of the extra-territorial scope of the GDPR. AIQ is not established within the European Union, and originally claimed that it was not subject to the jurisdiction of the ICO. However, the original enforcement notice indicates that Article 3(2)(b) of the GDPR (and section 207(3) of the Data Protection Act 2018) applied. Organisations outside the EU are subject to the GDPR if they monitor the behaviour of individuals within the EU (in this case, in the context of political campaigning). Note that non-EU organisations which offer goods or services to individuals within the EU are also subject to the rules.

The ICO has published a report "GDPR: One year on". This outlines its ongoing work in supporting the public, DPOs and organisations, taking action and enforcing the GDPR, enabling innovation, and growing the ICO. Of particular note in the first year of the GDPR:

  • the ICO has not yet reported any monetary penalties under the GDPR, as those issued in the last year have been under previous law – see article number 2 in my series;
  • the ICO has issued 15 assessment notices and 11 information notices which enable it to investigate concerns within organisations;
  • the ICO has issued one enforcement notice, as referred to above;
  • the ICO received 14,000 data breach reports, compared with 3,300 the year before the GDPR applied. Under the GDPR, it is compulsory to report personal data security breaches (unless they are unlikely to result in a risk to individuals), whereas under previous law it was voluntary.

The Irish supervisory authority (the Data Protection Commission) has recently launched statutory enquiries into a number of big technology and online advertising companies, including Facebook, Twitter, Quantcast and Google Ireland Limited.

Olivia Whitcroft, principal of OBEP, 6 June 2019

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details