Last week I attended a GDPR event organized by one of the top Irish law firms (and our data protection counsel) McCann FitzGerald and hosted by Twitter in their New York offices.
The main draw was the speech by Helen Dixon, Irish Data Protection Commissioner, who is without a doubt one of Europe’s most influential data protection commissioners. Ms. Dixon’s speech was followed by an interesting and practical presentation by Paul Lavery, McCann FitzGerald’s partner and knowledgeable GDPR expert.
As I have written previously on the FCPA Blog, GDPR has a significant impact on FCPA compliance programs such as third-party due diligence. So, I was eager to hear what Ms. Dixon and Mr. Lavery could share five months after GDPR went into effect. What follows are the most interesting takeaways from the event, paraphrased:
The media’s impatience with the claimed lack of GDPR enforcement actions, and comparisons to Y2K, are absolutely unwarranted. There is a lot of activity underway. Over the first four months since GDPR went into effect, the Irish Data Protection Commission (DPC) received more than 2,000 complaints and inquiries from data subjects and NGOs. This is a significant increase over the number of complaints that the DPC had received prior to GDPR. It is hoped that most of the complaints will be resolved in an amicable way between the controllers, processors and data subjects with some facilitation from the DPC.
The DPC has about 80 cases in various stages. About half of them concern social media, while the rest cover various industries from aviation, to engineering, to legal, etc. These cases arise from complaints brought by data subjects and NGOs. The DPC may also initiate so-called “own volition inquiries.” There are no “secret investigations,” so the subjects of pending investigations would know if they are being investigated.
A long life cycle for enforcement actions is due to several factors. The DPC is careful to apply its supervisory and enforcement powers with impartiality, fairness, transparency and in accordance with due process and fair procedures as required by the Irish Data Protection Act 2018. On a practical level, the DPC strives to make sure that any of its enforcement actions are unimpeachable in court.
Adjudication of a case is the last step in the process. Although the DPC may speak publicly about a case even before the adjudication, it will do so rarely and very judiciously as happened recently with the Facebook breach. The DPC may choose from a number of enforcement tools: a warning, reprimand, temporary or permanent prohibition on processing or data transfer, and ultimately an administrative fine. Although not discussed during the event, we note that the Data Protection Act 2018 also provides for jail time for especially egregious violations.
It is currently unclear how Brexit will impact personal data flows to the United Kingdom. There is a possibility that if there is a no-deal Brexit, the UK would immediately become a “third country” under GDPR requiring some transfer mechanism for data flows between the EU and the UK because any adequacy decision by the EU would take time and is not guaranteed. Any companies that relied on the UK as a “one-stop shop” for GDPR purposes would need to find a new EU jurisdiction for their main establishment. One overall takeaway from the event is that Ireland is eager to be the destination of choice for companies looking for a new EU home. This was highlighted by the fact that the event was co-sponsored by IDA Ireland, an Irish government agency responsible for attracting and retaining foreign direct investments.
Among several practical topics and tongue-in-cheek memes discussed by Mr. Lavery were several examples of unintended consequences that were apparently overlooked by GDPR. These include Article 10’s prohibition on processing personal criminal background information, which TRACE has flagged as potentially hindering anti-bribery due diligence. He struck an optimistic note that the Irish law provided for a solution to this issue. However, he acknowledged that this solution still requires the Irish Department of Justice and Equality to promulgate the necessary regulations.
In conclusion, the speakers emphasized that GDPR is here to stay and that companies would be well advised to treat May 2018 not as the finish, but as the starting line for their GDPR compliance efforts.
Illya Antonenko is Data Protection Officer and Counsel for TRACE International. He has advised clients regarding cross-border transactions, general corporate issues and FCPA compliance matters and investigations for fifteen years. He has leveraged his experience in international matters by developing expertise in the European data protection legislation, in particular the General Data Protection Regulation.