Implementation of GDPR results in increased data protection complaints in the UK.

September 2, 2018

There is something of a myth, propagated by those who would prefer less, not more, privacy protection, that there is no need for improved privacy protections and that the community is not clamouring for them. It is an entirely paternalistic approach to public policy that rarely squares with the evidence. When surveyed, people express concern about the lack of privacy protections and the use and sharing of personal information. For example, the Pew Research Center in 2014 found that 91% of Americans agreed or strongly agreed that people have lost control over how personal information is collected. Last year Pew found that only 9% of social media users were very confident that social media companies would protect their data. In 2014 Pew found that 61% of Americans said they would like to do more to protect their privacy and that two thirds said that current laws are not good enough to protect people’s privacy.

It is interesting to note that in the United Kingdom, in the three months since the General Data Protection Regulation (“GDPR”) was implemented, there has been a near doubling of complaints to UK regulators. There were 3,098 data protection complaints in June and 4,214 in July. That is an increase from 2,165 in April, immediately prior to the GDPR coming into effect. There has also been an increase in complaints in mainland Europe.

The GDPR is light years ahead of the rickety and poorly regulated Australian Privacy Act, with the notable features being:

  • The GDPR mandates the reporting of certain data breaches to data protection authorities and affected individuals.
  • Data controllers are required to notify local data protection authorities of personal data breaches they have experienced “without undue delay and, where feasible, not later than 72 hours after having become aware of it … unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”. Under the Australian mandatory data breach notification scheme, a 30-day time frame is regarded as reasonable. Further, the weighing-in-the-balance test in the legislation makes it reasonable to assume that, unless there is proper regulation and enforcement, the notifications will be spotty and diminish over time.
  • A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

The complaints process in Australia is drawn out and tedious. The determinations by the Commissioner generally take 2 years to reach a conclusion and awards are risible. Unfortunately, an appeal to the Administrative Appeals Tribunal may produce a worse result. The case law in the AAT gives very little grounds for optimism. The results have been distinctly privacy unfriendly.
