Law Lessons: Facebook’s Spanish Fine Highlights Importance Of GDPR Readiness

Many pages of Silicon have been devoted to the security implications of GDPR, but what about the privacy obligations? Here, Christopher Coughlan, Head of Data Protection and Privacy at Ashfords LLP.

Whilst the fine issued by the Spanish regulator against Facebook is extremely high, it is only a fraction of the potential fine that regulators will be able to issue under the General Data Protection Regulation (GDPR) from 25 May 2018.

Under the GDPR, organisations will be exposed to potential fines of up to the greater of €20 million or 4% of group global turnover. In the UK the Information Commissioner’s Office (ICO) is currently able to issue fines of up to a maximum of £500k per data protection breach, so the consequences of breaching the GDPR will be phenomenal by comparison with the existing regime.

In addition to these increased fines, the data protection regulators have new wide-ranging powers, which include the ability to order organisations to delete personal data. For an organisation that is particularly reliant on its personal data, an order to delete such databases could be more damaging than any fine.

GDPR and privacy

It is also worth mentioning that the GDPR has an extremely broad reach. As well as applying to organisations located in the EEA, it will also apply to organisations with no physical presence in the EEA which monitor the behaviour of European residents or offer goods or services to European residents.

The GDPR is the greatest reform in data protection legislation for a generation. In addition to the increased fines and territorial scope mentioned above, the GDPR also introduces significant changes to “consent” and “breach notification”, and for the first time it places statutory obligations on data processors. The current legislation only applies to data controllers, i.e. the organisation that determines the purpose for which the data is processed.

In the Facebook case, the regulator found that Facebook used generic and unclear terms in its privacy policy, and that the consent Facebook was relying on to collect, store and use data for marketing purposes was not adequate. It also found that Facebook was not deleting data once it had finished using it.

Facebook obviously disagrees with the Spanish regulator’s decision and will be appealing it. However, any argument that its practices are compliant with the existing data protection laws would not be arguable under the GDPR.


The GDPR makes it clear that consent must be a “freely given, specific, informed and unambiguous indication” of an individual’s wishes in relation to their personal data and that such consent must be a “clear affirmative action” which “signifies agreement to the processing of personal data”.

What this means from a practical perspective is that organisations can no longer rely on consent that is buried in a privacy policy or set of terms and conditions, nor can they rely on pre-ticked boxes. Consent must be standalone and clear. In addition, it must be as easy for an individual to withdraw their consent as it was to give it in the first place.

Under the GDPR, organisations must notify individuals of the purpose for which their data is being collected and the legal basis the organisation is relying on to process the data for that purpose. If relying on consent as the legal basis, consent must be obtained for each intended purpose. This is designed to prevent organisations from warehousing data for some future purpose that they are not yet aware of. Once the purpose has been completed, the personal data must be deleted.

The GDPR will introduce, through its accountability obligations, a requirement for organisations to demonstrate ongoing compliance with data protection. Organisations must be able to “demonstrate that good data protection is a cornerstone of [their] business policy and practices”; otherwise they will suffer significant financial and reputational consequences.

GDPR Checklist

  • Conduct an audit of any data currently processed by the organisation and ensure that any unnecessary or outdated personal data is deleted.
  • Review all data protection policies and codes of conduct.
  • Identify clearly which grounds for lawful processing are being relied on.
  • Ensure that consent for lawful processing is compliant with the new requirements.
  • Keep paper trails of decisions relating to data processing to demonstrate compliance.
  • Review and update existing information notices.
  • Review and update internal breach procedures.
  • Train all members of staff on the new rules.
  • Review existing supply chains, contracts and templates.


TechWeekEurope Staff
