FREE CHAPTER from ‘A Practical Guide to GDPR for Property Professionals – 2nd Edition’ by David Smith

CHAPTER ONE – INTRODUCTION AND OVERVIEW

The GDPR, or to give it its full title Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), should be seen as part of a general drive to increase the controls applicable to individuals' personal data.

While aspects of the GDPR have been met with howls of protest from business, and it has been called impractical and an unreasonable control on business, this is probably unfair. Some of the criticisms stem from misunderstandings and hysterical reporting of the restrictions. In fact, the GDPR should be seen as part of a historic and global movement to increase control over the way business makes use of personal data.

The GDPR should be seen as part of a series of data protection measures which have a clear trajectory over time and develop in response to changes in technology and the prevailing uses of data. This goes back to the early 1980s and the creation of Convention 108.1 This convention was the first international agreement intended to control the flow of data between countries and is still in effect 40 years later, with a programme underway to modernise it to deal with new technologies.2 The development of data protection in Europe continued with the Data Protection Directive,3 which was implemented in the UK by the Data Protection Act 1998. This enhanced personal protections while building on the work of Convention 108 around data transfers. The GDPR updated these mechanisms to deal with new technologies and with the much increased level of data transfer inherent in the use of international cloud-based technology systems. As such it took the strongest elements of Convention 108 and the Directive and updated them, while seeking to add a greater degree of consistency and an element of future-proofing so that further technological developments would be covered by the legislation.

The GDPR is not some form of European aberration. Its provisions are being mirrored in locations around the world. California has implemented the California Consumer Privacy Act (CCPA),4 which has elements of the GDPR within it, and will further implement the California Privacy Rights Act, approved by voters in a ballot initiative, which will tighten the regime further. California is not alone in the USA, with the states of Virginia and Washington creating similar legislation. Elsewhere, the Dubai International Financial Centre has recently implemented data protection legislation which draws on elements of the GDPR and CCPA,5 while Singapore has implemented the Personal Data Protection Act (PDPA).6 India is also working on similar legislation in the Personal Data Protection Bill. These are but a snapshot of the 145 countries that now have some form of data protection and privacy laws in place.7 In summary, data protection laws are very much in vogue around the world and all of these laws have provisions that echo aspects of the GDPR.

The core aims of the GDPR are:

  • to ensure that individuals have a very clear idea of what is being done with their data and by whom;

  • to ensure that individuals have effective powers to exercise control over their data;

  • to prevent evasion of legislation by moving data out of the jurisdiction;

  • to ensure that data is processed only to the extent that is necessary and with a clear eye to the risks of that processing;

  • to allow easy processing of data where that is beneficial to individuals;

  • to create an enforcement regime which provides for effective penalties where the rules are breached.

The GDPR works primarily around the concept of the Data Subject, who is provided with specific and detailed rights. A Data Subject can only be an individual, a natural person, and never a company or other legal entity. This is in fact a form of compromise by which the GDPR creates a series of rights for individuals over their own Personal Data but without impinging on the existing system of property rights, intellectual and otherwise, of those organisations who have collected and analysed data. Therefore it is still possible for companies to own and trade in data, but individuals can also maintain their control over it. This compromise between property rights and Data Subject rights is imperfect but was almost inevitable given the very large and powerful organisations that now control so much of the world's data. In fact, the balance created by the GDPR is one that is being followed elsewhere and is likely to become the model for data protection everywhere.

It is a particular choice that some object to. It is the aspiration of those who believe in blockchain (the technology that underlies Bitcoin and other crypto-currencies) that every individual would in fact control their own personal data fully and would sell it on a case-by-case basis to companies for them to use, in exchange for a tiny payment (like a commission) for each such use. Currently this is not a model which has attracted regulators.


The GDPR – An Overview in the UK

The GDPR, like all EU regulations, had direct effect within the UK up until the end of the Brexit transition period on 31 December 2020 (the UK had formally left the EU on 31 January 2020, but EU law continued to apply during the transition period). The GDPR did not stop at that point; rather, from 1 January 2021 it split into two versions. The EU continues to use the original GDPR (referred to as the EU GDPR throughout this book) while the UK is using its own, slightly altered, version of the GDPR8 (called the UK GDPR in this book). The two versions are largely the same, at least initially, but will slowly diverge over time as decisions of the EU and UK courts differ and the UK authorities implement their own guidance.

In a written statement made on 3 February 2020 the Prime Minister indicated that the UK would look to develop its own separate policies for data protection, among other things.9 More recently, the Minister of State for Media and Data said in an article that the UK would be looking to use its new independence from the EU to enhance its ability to move data safely between different countries.10 How much divergence actually occurs is open to doubt. The EU has agreed to grant the UK an adequacy decision, which allows for the free flow of data between the EEA and the UK, but this arrangement is based on the UK maintaining a data protection regime which is closely allied to the GDPR. The EU-UK Trade and Cooperation Agreement (the Trade Agreement) states in its preamble that both sides recognise the autonomy of the other and their right to regulate a range of things for themselves, including privacy and data protection. This right was "reaffirmed" in a number of other parts of the Trade Agreement. Undoubtedly the UK government had a hand in inserting this to make clear that it had the right to do its own thing if it wanted to. However, the same preamble also states that the parties recognise the value of the free flow of data while respecting data protection rules, and so there is an in-built warning that excessive divergence could undermine that free flow. Therefore, in practice, UK divergence is likely to take the form of guidance which seeks to ensure that the GDPR operates in a light-touch manner, and of trade arrangements which allow for safe data transfer to new trade partners, rather than more radical alteration to the core parts of the UK GDPR.

The GDPR is very much a risk-based system. Those who process data are encouraged to carry out risk assessments of their activity and of the potential risks both to security and to the rights of individuals. This places a heavy obligation on businesses to ensure that they are complying with the GDPR, because the GDPR operates by making general statements of what needs to be achieved while leaving it to each business to decide exactly how to do so.

When reading the UK GDPR it is important to give some consideration to its nature, both its original nature as something which emerged from the EU and its altered nature as a post-Brexit EU-UK hybrid. Like all legislation which emanates from the European Union it needs to be considered as a whole as well as in parts. The recitals that act as an introduction and form a preamble to the GDPR need to be read with some care, as they provide a great deal of additional information that both modifies the understanding of the main articles and adds a great deal of important detail. These recitals still exist in the UK GDPR and are still a key element of its interpretation. Frustratingly, they have not been modified in the same way as the main part of the UK GDPR, and so parts of them no longer entirely make sense in terms of the UK GDPR as it now applies. For example, the recitals still make reference to the European Commission and these references have not been altered. When considering the GDPR in a UK context such references will presumably need to be ignored. The actual provisions of the GDPR have also been modified for the UK.11 However, at the time of writing these changes are not fully up to date in the main publicly accessible legislative resources. Fortunately, there is a consolidated document showing all the changes in a tracked format (known as a Keeling Schedule).12 For each section it is also necessary to consider the Data Protection Act 2018 (DPA 18), which modifies parts of the GDPR by providing various derogations and limits on its scope of operation. Finally, because the GDPR aims at general statements, it is then useful to review the appropriate guidance on the topic.
Any guidance provided by the European Data Protection Board (EDPB), as well as guidance produced by its precursor body the Article 29 Working Party (Art 29 WP), which was issued before the end of the transition period on 31 December 2020 continues to be relevant to the UK GDPR (obviously with edits to remove references to EU institutions) unless it has been replaced by UK-specific guidance. It is likely that the UK ICO will adopt some of these guidance documents explicitly and will also produce its own. Guidance produced after that date has no formal status in the UK and is far less likely to be relevant, but may still be useful as a guide to the practical implementation of parts of the UK GDPR. It may also be useful to consider guidance produced by other data protection regulators in the EU on practical matters. The Irish DPC often produces useful guidance relevant to the property sector, for example. The guidance of the Information Commissioner's Office (ICO) will, however, now be the primary source of guidance on the UK GDPR. All of this is quite an involved process and in practice most people will short-circuit it by heading straight for the guidance on the ICO's website. However, it is worth bearing in mind that the ICO's views as expressed on its website are just its views, and ultimately it is the courts that will have the final say as to how the UK GDPR should be interpreted. The ICO's guidance is also quite summary and generic in nature, although that is now starting to change as it takes over primary responsibility for the management of the UK GDPR. Finally, it is important to understand that the ICO guidance will be an increasingly weak guide to the operation of the EU GDPR as the UK view diverges from that of the rest of Europe, and in those cases it will be necessary to consider the guidance produced by the EDPB in more detail. Naturally, my aim is to allow readers to avoid all of this by providing most of what is needed in one place!

Ambit

The UK and EU GDPR have a purposely wide ambit. Unlike previous data protection regimes in the EU, which only applied within the EU, the UK and EU GDPR both apply to any Data Controller or Processor processing Personal Data inside the UK or EEA, and equally to any Controller or Processor processing the personal data of individuals who are in the UK or EEA, regardless of where the Controller or Processor is based or where they do the processing. Note that the test is where the individual is located, not their citizenship. This extra-territorial scope, applying the GDPR to any person offering goods or services to individuals in the UK or EEA or monitoring the behaviour of individuals in the UK or EEA, is also found in other recent privacy legislation. The California Consumer Privacy Act also seeks to apply to any organisation doing business with residents of California, regardless of where it is ultimately based. Naturally, there is some question over how enforceable any of these rules are in practice, but the general principle that they seek to espouse holds good. The key point is that it is not possible to avoid the GDPR simply by moving data out of the UK or EEA. In addition, any business that deals with residents of California, or of several other jurisdictions, will need to comply with the data protection rules that protect those residents as well as the relevant GDPR. Therefore, many businesses will need to comply with more than one data protection regime. In practice, for UK and EEA businesses this is not as bad as it might seem, as compliance with the relevant GDPR is likely to go most of the way to compliance with other similar regimes.

There is a degree of subtlety in all this, but it is a question which is increasingly important as the UK and EU separate and each has its own flavour of the GDPR. Which one does a business need to comply with? The High Court considered this question in relation to the application of the EU GDPR before the UK fully separated, but the principles are applicable to both situations.13

The key points to bear in mind are:

  1. A Data Controller or Processor may have some of its activities subject to the relevant GDPR while others will not be.

  2. To be established in a country an organisation must have a stable arrangement which seeks to provide services within that jurisdiction. A generic service that is available to all but happens to be used by persons within a specific jurisdiction without being actively targeted at them will not meet this test.

  3. Just because an organisation is able to and prepared to sell goods or services in a specific country does not mean it is processing the data of people in that country.

  4. Even the placement of cookies or other web trackers on computers of persons in a country that access a website is not enough to engage the GDPR if those cookies are only for generic advertisement tracking as is common across the internet as a whole.

So, a company that offers letting agency services in the UK and mainly deals with UK property applicants would be subject to the UK GDPR for that work. Even if a single applicant contacted it from France that would not change, as it would not amount to a stable arrangement targeted at France.

However, if the same company specifically targeted Irish landlords, had a website actively seeking those landlords and had Irish-based representatives to meet with them, all in order to encourage them to invest in rental properties in Liverpool, then that would be an activity subject to the EU GDPR. As well as the EU version, this activity would also be subject to the UK GDPR, as the processing would be taking place in the UK.

The two activities outlined above might well co-exist alongside one another in the same organisation, and so parts of the data being processed by that organisation would be subject solely to the UK GDPR and others subject to both the UK and EU GDPR.


1 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.

2 https://www.coe.int/en/web/data-protection/convention108/modernised.

3 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

4 https://oag.ca.gov/privacy/ccpa.

5 Dubai International Financial Centre Data Protection Law No. 5 of 2020.

6 https://www.pdpc.gov.sg/.

7 PL&B International, February 2021, p.1.

8 Created by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419).

9 https://www.gov.uk/government/speeches/pm-speech-in-greenwich-3-february-2020.

10 PL&B UK, March 2021, p.1.

11 Principally by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

12 Keeling Schedules showing changes which would be effected by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020. Available at: www.gov.uk/government/publications/data-protection-law-eu-exit [last accessed: 15 July 2021].

13 Soriano v Forensic News LLC & Ors [2021] EWHC 56 (QB).