In today’s busy world, data protection issues may, at times, be treated as secondary, be forgotten or left by the wayside. Not a good idea. It was such slackness that had led to the Cambridge Analytica crisis in which information about 87 million Facebook users was harvested in order to be marshalled to the cause of the Ted Cruz and Donald Trump 2016 presidential campaigns.
The European Union’s implementation of GDPR in 2018 sought to be a game changer. It set out to inform EU citizens on their right to privacy, as well as impose limitations on how those in possession of required personal data (data controllers) could process it.
GDPR’s widespread impact on businesses is unquestionable. It imposes rules and regulations not only on mammoth multinational corporations like Apple, Google and Facebook, but also on start-ups and SMEs. Indeed, it also impacts public authorities.
In Malta, this was exemplified around two years ago by the imposition of an administrative fine of €5,000 by the Office of the Information and Data Protection Commissioner on the Lands Authority. The authority’s data protection breach was due to the online application platform available on its portal and which lacked the necessary technical and organisational measures to ensure the security of personal data processing.
Dr John Caruana is a legal adviser at KSi MaltaThe current and relentless technological innovation in the EU has to move hand in hand with GDPR principles. At the forefront of this tense tandem is the use of Big Data Analytics which typically involve a complex process whereby information − such as customer preferences and market trends − that can aid businesses make informed decisions is exposed. Given the nature of the operations involved, it is hardly surprising that Big Data Analytics regularly run foul of GDPR principles.
One may here refer to the social credit system which was recently introduced by China to assess the economic and social reputation of its citizens and businesses. Through the use of Big Data Analytics and facial recognition software, a huge amount of information is being collected by Chinese government agencies on citizens’ finances, social media activities, credit history and health records. Such a system would, of course, never be allowed in the EU, as it goes completely contrary to the principles which the GDPR seeks to protect.
There are eight ‘privacy’ rights which all businesses must seek to protect in order to be compliant with GDPR: right to be informed, right of access, right to rectification, right to erasure/to be forgotten, right to restrict processing, right to data portability, right to object and rights in relation to automated decision-making and profiling.
Given that the infrastructure of every business is different, there isn’t a single blueprint for being GDPR compliant. This is where the need for experts in data privacy forcefully arises. Just like a business needs an auditor and a tax professional, it also needs advisers to ascertain compliance with GDPR principles.
Some of the biggest GDPR fines which have been handed to date are the following:
• €50 million fine imposed upon Google in 2019 by France’s data protection regulator – this was not the end of Google’s nightmare. In 2020, Google was fined an additional €7 million by the Swedish data protection authority.
• €35 million fee imposed by the Hamburg data protection authority on H&M in 2020.
• €27.8 million fine imposed by Italy’s data protection authority on the Italian telecommunications operator TIM (or Telecom Italia); and
• €22 million fine imposed by Britain’s data protection authority on British Airways.
Gradually, but steadily, data protection principles and their effects will increasingly become more widespread in Malta, and non-compliant businesses shall be punished for their laxness. GDPR fines for data protection breaches can shoot up to €20 million, or in the case of an undertaking, up to four per cent of the total global turnover of the preceding fiscal year, whichever is higher. Clearly, in today’s world and more so tomorrow’s, GDPR principles are not to be taken lightly. Literally, your business depends on them.
Dr John Caruana is a legal adviser at KSi Malta