Steven Roberts is head of marketing at Griffith College. He is a certified data protection officer and vice-chair of the ACOI’s data protection and information security working group.
The General Data Protection Regulation (GDPR) recently marked its third anniversary. Since its introduction on 25th May 2018, data protection has been high on the agenda for education institutions across Ireland. A number of factors have contributed to this scenario.
Media interest in the potential for very significant fines, up to 4% of annual turnover or €20 million, has undoubtedly played a part. High profile data breaches at firms such as Marriott and British Airways have also ensured that the general public is more conscious of how organisations obtain and process their personal data.
Amongst EU member states, Ireland recorded the third highest number of data breaches per 100,000 population during the period from 25th May 2018 to 27th January 2021. Ireland’s Data Protection Commission (DPC), meanwhile, issued its first fines under GDPR last year, including penalties for Twitter, UCD, Tusla and the HSE. Against this backdrop, it is timely to consider some of the current and upcoming data protection challenges facing Irish institutions.
Lack of clarity regarding fines
A key challenge is the continued lack of clarity regarding the levying of fines. At present, there does not appear to be a consistent approach across EU member states. This makes it difficult for education institutions, their boards and executive teams to accurately assess the potential impact of a data breach, from the perspective of enterprise risk management.
The DPC’s largest fine thus far was a €450,000 penalty imposed on Twitter in December 2020. In comparison, the Data Protection Authority of Hamburg fined clothing retailer H&M €35m for GDPR violations involving the monitoring of employees. The French and Swedish supervisory authorities issued Google with GDPR fines of €50m and €7m respectively.
It is to be hoped that more consistency emerges in the coming two to three years. Institutions should regularly review their risk registers in light of ongoing developments in this area, keeping a particular eye on the profile of fines issued by the DPC.
Delays introducing a new ePrivacy Regulation
Data protection and privacy are separate rights under the EU Charter of Fundamental Rights (Articles 8 and 7 respectively). Whilst the GDPR focuses on protecting the personal data rights of individuals in the EU, the privacy and confidentiality of electronic communications is covered by another piece of legislation – the ePrivacy Directive.
The EU originally planned to introduce a new ePrivacy Regulation (ePR) alongside the GDPR in May 2018. However, the ePR has become mired in lobbying and disagreement amongst EU member states. This creates issues for institutions and the broader business community.
Firstly, the current Directive dates back to 2002. It is widely viewed as being no longer fit for purpose given the rapid developments in online communications and technologies over the past two decades.
Secondly, the delay has led to confusion as to how the Directive and the GDPR can be consistently applied. This is most clearly seen with regard to website cookies, an area covered by the ePrivacy Directive, while the consent it relies on is defined by the GDPR. Lawyers and compliance experts have struggled to identify how best to ensure that cookie consent meets the GDPR standard – i.e. that consent is freely given, specific, informed and unambiguous.
To provide clarity, supervisory authorities across the EU have issued their own guidance. Ireland’s Data Protection Commission published guidelines on cookies and other tracking technologies in April 2020, providing a six-month grace period in which to achieve compliance.
Whilst this has proven helpful for Irish businesses, those with a footprint in more than one EU country must ensure they comply with local guidance and best practice in each jurisdiction. It is far removed from the harmonised approach promised in May 2018.
The impact of new technologies
Technologies such as artificial intelligence (AI), big data and the internet of things will play a large part in the future of work. Their ability to replace or enhance existing roles, either through full or partial automation, poses both opportunities and challenges for the Irish and global economies. Universities and colleges are at the forefront of this process, both in the research undertaken and in developing programmes that provide relevant skills to meet the current and future needs of industry.
From a data protection perspective, these new technologies use personal data in ever more complex and sophisticated ways. In order to do so in a GDPR compliant manner, organisations providing and using such services must identify in a clear, transparent and straightforward manner how individuals’ data will be processed, and on what lawful basis.
Mechanisms such as data protection impact assessments (DPIAs), which the GDPR requires for processing likely to result in a high risk to individuals, and the GDPR’s requirement for data protection by design and by default will be crucial in meeting this threshold. Institutions undertaking regular GDPR training for new and existing staff should seek to incorporate both of these processes into their schedule.
International data transfers
Last year saw a number of significant developments with regard to international transfers of personal data outside the EU. The EU-US Privacy Shield, a key mechanism for transferring personal data between the two jurisdictions, was ruled invalid by the Court of Justice of the European Union in July 2020.
Many firms turned to the alternative option of Standard Contractual Clauses (SCCs). These are European Commission approved contractual terms that, when included in a contract between the exporting and importing parties, provide the appropriate safeguards the GDPR requires for such transfers.
In November 2020, the EU proposed a new set of draft SCCs for public consultation. A final version was published in early June this year and entered into force on the 27th of that month.
The new SCCs include a number of different modular options, depending on the type of transfer taking place. Compliance and legal professionals are currently ascertaining what best practice implementation will look like; however, it is clear that a considerable amount of repapering of contracts will be needed in the coming year. Institutions should commence this process at an early stage, given the level of work this may entail.
Last November also saw the European Data Protection Board (EDPB) propose a range of supplementary organisational, contractual and technical measures a business could take if it ascertained that the law or practice of a country receiving transfers of personal data did not provide protection essentially equivalent to that guaranteed in the EU.
Industry groups have questioned how these supplementary measures will operate in practice. They have expressed concerns that the measures could be particularly burdensome for small and medium sized organisations seeking to trade internationally.
Data protection will continue to be a priority agenda item for colleges and universities in 2021 and the years ahead. While considerable progress has been made, many uncertainties still remain for institutions and businesses across Europe.
The Data Protection Commission has recognised this. In its draft Regulatory Strategy, the DPC notes that ambiguities still exist in how the GDPR is interpreted across EU member states.
In this article, we have considered some examples, including the use of website cookies, a lack of clarity with regard to fines, the impact of new technologies, and ongoing developments in the area of international data transfers.
It is to be hoped that as the GDPR becomes more established it will lead to greater certainty for organisations. For the moment, the goal of a harmonised, EU-wide data protection environment remains an ambition yet to be fully realised.