Category: GDPR

60 Minutes says that the GDPR is the law that lets Europeans take back their data from big tech companies

From the report embedded above (with added links):

Tech companies’ reign over users’ personal data has run largely unchecked in the age of the internet. Europe is seeking to end that with a new law

… the European Union enacted the world’s most ambitious internet privacy law [the General Data Protection Regulation (the GDPR)], even winning support from the CEO of the biggest tech company in America, Apple’s Tim Cook. …

Max Schrems: The default under the European system is you’re not allowed to use someone else’s data unless you have a justification. …

Jeffrey Chester: Americans have no control today about the information that’s collected about them every second of their lives. …

Today, if one of the big tech companies chooses to ignore Europe’s new data protection law it could cost them 4 percent of their global revenues, which for the biggest companies would mean billions of dollars. Those decisions will likely be made here in Dublin, … Ireland’s data protection commissioner Helen Dixon says it’s not going to be business as usual.

Helen Dixon: U.S. internet companies have no doubt that this law is serious, it has serious bite. And all of them are eager to avoid any engagement with that.

Dixon says tech companies are spending tens of millions of dollars hiring lawyers, compliance officers and engineers to make sure they are operating within the law. …

Steve Kroft: You think the big tech companies, the people in Silicon Valley are taking this seriously?

Eoin O’Dell: I think they have to.

Eoin O’Dell is a law professor at Trinity College in Dublin and a leading expert on European privacy law. He says Europe has now established an international standard for internet privacy, and companies like Facebook, Google and Amazon are not about to retreat from a $17 trillion market.

Eoin O’Dell: We have safety standards in cars, but that hasn’t stopped us driving cars. We have emissions standards for – for the gas in the cars, but that hasn’t stopped us using the gas in the cars. The data companies are – going to comply in the same way as the – car companies have complied.

Steve Kroft: To stay in business.

Eoin O’Dell: To stay in business.

Since the European privacy law was passed, at least ten other countries have adopted similar rules. So has the state of California. Perhaps sensing the inevitable, Facebook, Twitter, Google and Amazon are now saying they could support a U.S. privacy law if they were given considerable input. The Internet Association, which lobbies for big tech, and its president Michael Beckerman say they would support giving Americans reasonable access to their information and some privacy rights now enjoyed by the Europeans. …

Produced by Maria Gavrilovic. Associate producer, Alex Ortiz.

We’ve reached peak GDPR when Ross O’Carroll Kelly gets fired for a data breach

In today’s Irish Times, this week’s instalment (audio here) in the ongoing misadventures of Ross O’Carroll Kelly intersected with this blog. Ross is a hapless dad and clueless (if ruthless) estate agent, who has been described as “Ireland’s most eligible married man” and “the greatest Irish [rugby] player never to actually make it in the game”, and the scene opens with our hero being summoned by the boss:

It’s, like, just before midday when Lauren tells me she wants to talk to me in her office. … She goes, “What do you know about GDPR, Ross?”

I’m like, “Quite a lot, actually.”

Oh, that shocks her – such is my reputation for being as stupid as a goose.

She’s like, “Okay, tell me what you know about GDPR.”

“First,” I go, “you make sure the patient is comfortable by putting some kind of cushion under their head and loosening any tight clothing. Then, you place the heel of your hand on the patient’s breastbone, with your other hand on top of it, interlocking your fingers …”

“That’s CPR, Ross.”

And so it goes on for a while, until Dave – “from Human Resources (formerly Payroll)” – arrives, and asks Ross where his laptop is. Poor Ross. We know from last week’s column (audio here) that he had left his car unlocked at a filling station, from which someone stole his “laptop bag, a briefcase and three Donnybrook Fair shopping bags out of the boot”. So, Ross eventually comes clean to Lauren:

I’m there, “Okay, I’m going to be finally honest with you. They were stolen from the boot of my cor when I pulled in to get petrol. Was there any sign of the three shopping bags from Donnybrook Fair that were also taken? There was six tins of individually, line-caught, white tuna fillets in there that cost 11 yoyos per pop.”

“Why didn’t you tell me about this?”

“Er, why would I tell you about it? It was my laptop. They were my client files.”

“I’m the Managing Director of this estate agency, Ross. It’s my responsibility to report breaches to the Data Protection Commissioner as soon as they’re discovered. Do you know what the penalties for this could be?”

“Chill out, Lauren. There’s no real damage done.”

And that’s when she says it. She fixes me with a look and goes, “You’re fired, Ross.”

As he will no doubt quickly learn, GDPR stands for the EU’s General Data Protection Regulation. It, and its incorporating Irish legislation, came into effect on Friday 25 May 2018. And the theft of the laptop and files (and, let’s not forget, tuna fillets and other overpriced groceries) came to light in the column published on Saturday 26 May. If the Saturday column is real-time reportage, or if it is reporting something that happened on Friday, then the data breach happened after the GDPR and Irish legislation came into force, and Lauren does indeed have to report it to the Data Protection Commission. However, if the column is reporting something that happened earlier in the week, then the GDPR was not in force, and the Rossmeister might just get away with it – again.

New politics and the digital age of consent

An Interesting Game (1881)
Frederick Arthur Bridgman (1847-1928)
via Brooklyn Museum

New politics certainly make for interesting times. Minority governments are no strangers to defeats, even to two defeats in one day, but yesterday marked another milestone, when the government lost not merely two votes, but votes on two successive legislative amendments. They both related to the protection of children in the Data Protection Bill, 2018. The first will make it an offence to process the personal data of a child for the purposes of direct marketing, profiling or micro-targeting; the second will set the digital age of consent at 16. In fact, seeing the writing on the wall, rather than suffer the indignity – surely unique, even in this era of new politics – of four defeats in one evening, the Minister accepted a third amendment and declined to press a fourth of his own. The third amendment that he accepted will permit not-for-profit bodies to seek damages on behalf of data subjects; and the amendment that he withdrew would have undercut the effect of the third successful amendment. (The three successful amendments are amendments 14, 15 and 115 here (pdf), amending this version (pdf) of the Bill, and debated here). Earlier versions of all three successful amendments had been defeated by the government at every previous stage of the Bill. Time will tell if any of them proves significant, but the one that has generated the most coverage so far is the amendment to the digital age of consent.

The aim of the Bill is to incorporate the General Data Protection Regulation (Regulation (EU) 2016/679) into Irish law. Article 6(1) GDPR sets out six bases for lawful processing of personal data, the first of which, specified in Article 6(1)(a), is that “the data subject has given consent to the processing of his or her personal data for one or more specific purposes” [on consent, see ICO | WP29]. A child can, in principle, provide such consent; but a minimum age at which children as data subjects can consent to having their personal data processed is not specified in the GDPR. Article 7 GDPR provides that the controller must be able to demonstrate this consent, and the younger the child is, the more difficult it will be for the controller to do so. To these flexible general rules relating to the consent of children, Article 8 GDPR provides a bright-line exception, which has become known as the digital age of consent. (more…)

The UK’s Data Protection Bill 2017: repeals and compensation – updated

In the UK, the Department of Digital, Culture, Media and Sport (DCMS) has today published the Data Protection Bill 2017, to incorporate the General Data Protection Regulation (GDPR) and to implement the Police and Criminal Justice Authorities Directive (PCJAD) (respectively: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC; and Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA; aka the Law Enforcement Directive). The progress of the Bill through Parliament can be tracked here.

In Ireland, when the Department of Justice published the General Scheme of the Data Protection Bill 2017 (scheme (pdf)), I expressed two concerns, both of which are equally applicable to the UK Bill. (more…)

Compensation for breach of the General Data Protection Regulation

I have just posted a paper on SSRN entitled “Compensation for breach of the General Data Protection Regulation”; this is the abstract:

Article 82(1) of the General Data Protection Regulation (GDPR) provides that any “person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”. As a consequence, compliance with the GDPR is ensured through a mutually reinforcing combination of public and private enforcement that blends public fines with private damages.

After the introduction, the second part of this article compares and contrasts Article 82(1) GDPR with compensation provisions in other EU Regulations and Directives and with the caselaw of the CJEU on those provisions, and compares and contrasts the English version of Article 82(1) GDPR with the versions of that Article in the other official languages of the EU, and concludes that at least 5 of the versions of Article 82(1) GDPR are unnecessarily ambiguous, though the CJEU (eventually, if and when it is asked) is likely to afford it a consistent broad interpretation. However, the safest course of action at this stage is to provide expressly for a claim for compensation in national law. The third part of this article compares and contrasts the compensation provisions in the Irish government’s General Scheme of the Data Protection Bill 2017 with existing legislation and case-law in Ireland and the UK, and with incorporating legislation and Bills in other EU Member States, and concludes that the Heads of the Scheme do not give full effect to Article 82(1) GDPR. Amendments to the Scheme are therefore proposed.

To ensure that any person who has suffered such damage has an effective remedy pursuant to Article 47 CFR, Member States will have to provide, pursuant to Article 19 TEU, remedies sufficient to ensure effective legal protection in the fields of privacy and data protection. In particular, they will have to provide expressly for a claim for compensation, incorporating Article 82(1) GDPR into national law. Claims for compensation are an important part of the enforcement architecture of the GDPR. Private enforcement will help to discourage infringements of the rights of data subjects; it will make a significant contribution to the protection of privacy and data protection rights in the European Union; and it will help to ensure that the great promise of the GDPR is fully realised.

As I was working on this paper, I published several posts on this blog (here | here | here) including discussions of the literal meaning of Article 82(1) GDPR in each of the EU’s 24 official languages and the current status of GDPR incorporation in the EU’s 28 Member States. Thanks to everyone who has engaged with these posts – the analysis in my paper has improved immeasurably. All comments on the current version gratefully received.

What is the current status of GDPR incorporation in the EU’s 28 Member States? [Ongoing updates]

Last updated: 7 May 2018

Having looked, in my previous post, at what Article 82(1) of the General Data Protection Regulation says and means in each of the EU’s 24 official languages, I’m interested in this post in the related question of the current status of incorporation* of the GDPR in each of the EU’s 28 Member States. I am interested in particular in whether provision has been made in any incorporating* legislation or draft for an express claim for compensation or damages to give effect to Article 82 GDPR. The list below is the current state of play so far as I have been able to find out. If you can correct any errors and help me fill in the blanks – via the comments below, via email, or via the contact page on this blog – I would be very grateful indeed.

Complete incorporation: Legislation to incorporate* the GDPR has been enacted in Austria, Belgium (though a further Bill is pending), Germany, Poland, Slovakia and Slovenia (a French Act anticipated some of its requirements, though a full incorporation Bill is pending). About half of the Member States are likely to complete the process before 25 May 2018.

No information: Drafts have not been published in Bulgaria, Cyprus, Italy, and Malta.

Compensation: Incorporations in various jurisdictions are taking differing positions on Article 82 GDPR. On the one hand, such express claims are included in legislation in Austria, Poland and Slovakia, in Bills in Denmark, Greece, Hungary, Ireland, Romania, Spain, Sweden and the UK. On the other hand, no such express claims appear in legislation in Belgium, France and Germany, in Bills in Belgium (again), Estonia, France (again), Latvia, Lithuania, Luxembourg, the Netherlands, Portugal and Slovenia. Croatia, Finland and Portugal take the view that Article 82 is directly effective; while the Czech Republic considers that the existing compensation provisions cover Article 82 GDPR.

As Katie Nolan points out, this matters a great deal, because – unlike Article 4 of the Data Protection Directive (Directive 95/46/EC) – the GDPR contains no choice of law mechanism to determine which national data protection legislation applies in cross-border cases. In the context of Article 82 GDPR, differences in national incorporations are likely to encourage plaintiffs to shop for the fora with the most generous compensation claims.

(more…)

What is the literal meaning of Article 82(1) GDPR in each of the EU’s 24 official languages?

I’m trying to work out what Article 82(1) of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) says and means in each of the 24 official languages of the EU institutions, and I’d be very grateful for your help. In English, Article 82(1) GDPR provides

Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

As I have said before on this blog (here, here, here), I think that this formulation is rather odd. It does not provide, in the present tense, that a person whose rights have been infringed “has” the right to receive compensation. Instead, it provides, in a much more contingent fashion, that a plaintiff “shall have” such a right, which seems to imply that there is something more to be done in national law before plaintiffs actually have the claim. Although the language seems contingent, it does not replicate any of the usual strictures in a Directive, that Member States shall “provide” or “ensure” or “introduce” or “lay down” measures to achieve an outcome, such as a claim for compensation. Even so, the formulation in Article 82(1) GDPR still seems to envisage some national law mechanism in ensuring that a plaintiff “shall” have a claim to compensation. I’m interested in whether the text of Article 82(1) GDPR in other official languages uses a version of the present tense, or whether the formulation is as contingent as it seems to be in English. I have, therefore, set out below the text of that Article in each of the 24 official languages; I have highlighted the words that seem to me to be most relevant to that question; and I have provided a first attempt at a translation of those words. What I need now is a literal translation of these provisions by native speakers, irrespective of what the EU Commission’s official translation or Google Translate might say. In particular, I need confirmation whether I have identified the relevant words, and translated them accurately. I’m not particularly interested in the various synonyms for damages (compensation, indemnification, reparation, and so on) so much as in the accompanying verbs, and in particular in whether those verbs are clearly in the present tense or whether they are more contingent.

I know what Google Translate’s crowd-sourced machine translation says; indeed, it was one of the sources I used to zero in on what seem to me to be the relevant words in the various languages, but that is as far as I am prepared to go with it, as its translations will be very heavily influenced by the EU’s official translations. Instead, as I say, I am in need of human judgment as to the appropriate literal translations of the various texts of Article 82(1) GDPR.

The literal meaning of the precise wording may very well matter a very great deal in assessing whether Article 82(1) is sufficiently clear, precise and unambiguous to be horizontally directly effective. The contingent nature of the English text may mean that it is not, leading to potential problems which I have begun to explore here. Other texts may differ. For example, the French text of Article 82(1) GDPR (a le droit d’obtenir … reparation = has the right to obtain … compensation) is more likely to support a conclusion of horizontal direct effect, and the German text (hat Anspruch auf Schadenersatz = is entitled to compensation) is even more likely to do so, because they are both in the present tense (a, hat) rather than in more contingent terms. Indeed, of the 24 official languages of the EU institutions, if the assessments and translations below are correct, the text of the claim for compensation in Article 82(1) GDPR seems to be in the present tense in 19 of them: 12 are like the French text (the plaintiff “has the right to [receive/obtain] compensation”: Czech, Danish, Dutch, French, Finnish, Italian, Latvian, Lithuanian, Polish, Portuguese, Romanian, Slovenian); 5 are like the German text (the plaintiff “is entitled to compensation”: Bulgarian, Estonian, German, Greek, Hungarian); and 2 others have a similar formulation (the plaintiff “has [a claim for/the right to] compensation”: Croatian, Slovak). Only 5 seem to have a contingent text like the English (the plaintiff “shall have the right to [receive] compensation”: English, Maltese, Spanish, Swedish; the plaintiff “shall be entitled to compensation”: Irish).

Moreover, of the three EEA countries, Norway has begun the process of incorporating the GDPR. The literal English translation of the Norwegian text is “shall be entitled to receive compensation”, which is a sixth example of a contingent “shall”.

All help in confirming whether this is an accurate assessment or not – via the comments below, or better via the contact page on this blog – will be very gratefully appreciated indeed. [Note: as you can see, this paragraph has been updated to reflect a consensus on the German text which is different from my own initial assessment; this is exactly why I’m grateful for all help].

(more…)

Damages for Breach of the GDPR

Two weeks ago today I was chatting over coffee with a data protection expert during the second day of the Data Summit 2017. He was annoyed at my blogpost on the Government’s General Scheme of the Data Protection Bill 2017 [the Scheme] to give further effect in Irish law to the EU’s General Data Protection Regulation [the GDPR]. Article 82(1) GDPR provides a claim for compensation for anyone whose rights under the GDPR are infringed. In the post that annoyed him so much, I said that I couldn’t find a Head to this effect in the Government’s Scheme. He said: what about Head 91? I said: that’s where it should be, but it isn’t there. He wasn’t convinced. So, I went back and had a closer look at the Scheme and the GDPR. I also had a look at an associated Directive (the Police and Criminal Justice Authorities Directive [the PCJAD]) which is also being transposed by the Scheme. Article 56 PCJAD similarly provides for a claim for compensation for anyone whose rights under the PCJAD are infringed. Heads 91 and 58 (respectively) of the Scheme address these claims, but they do not completely provide for such claims for compensation. So, I’m still of the view that the Scheme does not provide a claim for compensation for breach of the GDPR and the Scheme. It seems to assume one, to be sure; but it never goes so far as expressly to provide one.

Article 79 GDPR provides for a right to an effective judicial remedy against a controller or processor; and Article 82 GDPR provides for a claim for compensation as part of that effective judicial remedy. Head 91 of the Scheme seems to be directed towards these Articles. Head 91(1) provides what it describes as “a data protection action” to data subjects whose rights under the GDPR or its translating legislation are infringed. Head 91(2) provides jurisdiction to the Circuit Court, concurrently with the High Court, to hear such actions. Head 91(3) provides:

In a data protection action under this Head, the Circuit Court shall, without prejudice to its powers to award compensation in respect of material or non-material damage, have the power to grant relief by means of injunction or declaratory orders.

And Head 91(4)(b) requires a plaintiff in a data protection action to specify, inter alia, “any material or non-material damage alleged to have been occasioned by the infringement”.

The reference in Head 91(3) to the provision of other remedies “without prejudice to [the Circuit Court’s] … powers to award compensation” assumes that the Court has such powers. And the reference in Head 91(4)(b) to “any material or non-material damage” further assumes that the powers to award compensation cover both material and non-material damage. However, Head 91 does not expressly afford a claim for compensation for material or non-material damage; nor is it expressly afforded elsewhere in the Scheme. It may be that this Head is predicated on the assumption that Article 82(1) GDPR is directly horizontally effective and thereby provides those “powers to award compensation”.

(more…)