December 10, 2018
GDPR Today and Tomorrow: A conversation with Simon McGarr, a data privacy lawyer.
As with all legislation, there is a certain amount of discomfort, misconceptions, and rumors that start to sound like sage advice as they become repeated, shared, and incorporated into the daily practices of those searching for a guiding light to lead them to compliance. But like a moth drawn to a flame, well-intending practitioners can do more harm than good by following bad advice.
To help clear up confusion, we reached out to Simon McGarr, Director at Data Compliance Europe, to get his thoughts on some of the burning questions we see every day and to get predictions for the EU and the UK after Brexit. Data Compliance Europe works closely with its clients to develop a long-term data compliance framework to minimise the ongoing risk of potential fines for data protection breaches.
Now, off to our Q&A:
1) In your opinion, what is the biggest impact on digital marketers since GDPR came into force?
There has been uncertainty about the legitimacy of legacy mailing lists and contacts. However, in many ways, the first six months of the GDPR are not really going to be the relevant period to assess the GDPR. We’re all still in the gap between dinosaurs spotting a huge ball of light in the sky, and having it hit.
2) How has this impacted their email marketing efforts?
In my experience, email marketers have been proceeding with increased anxiety, but with an unwillingness to abandon data and procedures which have been profitable up to now.
3) Right before GDPR, there were a number of businesses that sent GDPR consent request emails.
a) Did these need to be sent by most of these organizations?
Consent is the gold standard of legitimacy under the GDPR, and like gold, it’s a lot harder to amass than most people would like. For consent to be valid—for it to provide the legal basis for processing that all of those consent emails were intended to collect—it needs to meet a set of criteria. It needs to be:
Freely given doesn’t just mean you weren’t at gunpoint when you clicked “Agree to a set of Terms and Conditions.” It means it was also granular consent—that you had the opportunity to agree to processing X while still saying no to processing Z. Similarly, consent must meet five criteria to be considered Informed: (i) the controller’s identity, (ii) the purpose of each of the processing operations for which consent is sought, (iii) what (type of) data will be collected and used, (iv) the existence of the right to withdraw consent, (v) information about the use of the data for automated decision-making on risks and (vi) safeguards of data transfers in the absence of an adequacy decision.
If the consents collected weren’t valid because they didn’t meet one or more of these requirements, sending out those consent request emails was worse than useless; they will lead a company to process data in the belief they have consent and no other legal basis, triggering potential liabilities they could have avoided.
b) What was the impact to businesses where a subscriber simply did nothing with the request?
In theory, if the company decided it needed to look for consent for the processing it wanted those subscriber details for, then we should see every failure to obtain consent result in a deletion of all data that was being stored for that processing. I’m currently unconvinced those mass deletions have been happening.
4) With the Brexit deadline looming ever closer, what’s next for data protection officers (DPOs) in Britain and the EU?
The primary concern for DPOs in the context of Brexit is the question of the continued status of personal data transfers between the two bodies. Without any agreement, the UK will become a Third Country, without any adequacy decision in March 2019. This could cause a very significant disruption of the huge data flows between the UK and EU. Organisations should be examining their Data Registers to identify EU to UK data transfers, and preparing contingency arrangements to allow for continued flow after March 2019. The most common legal basis for this safety net would be to complete Data Transfer Agreements using the EU’s standard contract clauses mechanism.
Even if the Withdrawal Agreement is approved by both parties, Article 73 of the Agreement says that UK data which is transferred to the EU shall be treated as though it were the data of a Member State. It carefully does not say the converse is also true.
Article 127.3 simply requires that in the Transition period, up to December 2020, EU law shall have the same “legal effect” with respect to the UK as it does in the Member States. This is not the same as saying the UK shall be classed as a Member state during the transition period. Having a contingency plan in place to allow for a continued legal basis for data transfers should be an urgent focus.
5) How do you anticipate Brexit will affect GDPR enforcement?
The UK will continue to enforce the principles of GDPR, but without recourse to the Court of Justice of the European Union (CJEU). The EU regulators will continue to apply GDPR, but without the perspective of the UK’s ICO as part of its decision-making processes.
6) What’s the biggest shift you’ve seen when it comes to data collection practices under GDPR?
The question of why data is being collected, and the uses it is being put to, is being seriously considered before it is done. That ought to have been happening before the GDPR (the same requirement pertained under the previous directive), but the combination of the GDPR’s territorial scope and regulatory strength has really brought that principle to the fore.
7) What do you see in the next 6-12 months for enforcement?
The focus on enforcement is going to move away from Regulators and towards direct mass action taken by data subjects using the NGO mandate mechanism under Article 80, seeking compensation in the courts. We have already seen the first of such actions threatened in France against Facebook.
As you can see, there are a lot of moving pieces in regard to GDPR, Brexit, and enforcement actions to come. Stay tuned for updates, and future Q&As with experts and practitioners. Thank you to Simon McGarr for taking the time to respond to our questions.
About Simon McGarr:
Simon McGarr, Director, Data Compliance Europe and M3AAWG Sr. Technical Advisor, is an experienced Solicitor with a demonstrated history of working in the law practice industry, specialising in Data Privacy, Privacy Law, Torts, and European Law. He offers consultancy help and legal advice to international organisations adjusting to the post-GDPR world.
The information contained in this article is provided for general informational purposes only and should not be construed as legal advice from 250ok, the individual author or article participants.