Legal & Government Affairs Update Issue 3 - 2018
GDPR is here, but is Europe ready?
25 May 2018: the day the General Data Protection Regulation (GDPR) comes into force across Europe. After months of work updating policies and procedures in preparation, businesses can finally breathe a sigh of relief as the deadline passes smoothly. Or can they? Research and advisory firm Gartner has predicted “more than 50 percent of companies affected by GDPR will not be in full compliance with its requirements.” Forrester places the number as high as 80 percent. This is worrying news for businesses, particularly given the increased fines to punish non-compliance available to the Information Commissioner’s Office (ICO), the UK authority responsible for regulating GDPR compliance.
As many readers will be aware, GDPR brings into force the new European rules for data protection. It replaces the previous regime implemented by the 1995 Data Protection Directive, bringing about key changes to how personal data is used and accessed. The Regulation applies across the EU, as well as to companies based elsewhere who handle the personal data of EU citizens. The changes are too numerous to discuss in specific detail here, but implementing GDPR is a huge task for businesses and regulators.
Advocates of the new framework say it will greatly improve the treatment of our personal data. Even initial opposition, which came particularly from the large tech companies, seems to have subsided in the wake of the Cambridge Analytica scandal (covered in the February edition of this newsletter).
But if compliance is as low as some figures suggest, questions need to be asked about how the ICO should tackle companies failing to meet their GDPR obligations. Yes, these rules are important and companies have had two years since they were published to prepare but will instituting a raft of fines across the country really help, particularly where smaller businesses are concerned? A sensible distinction could be drawn between companies failing to engage with GDPR and those making genuine, if yet unsuccessful, attempts to comply with the complex changes. Giving individuals more control over their personal data is an important step in our increasingly digital society, but employing too punitive measures against businesses may well prove counterproductive.
Even regulators have been reported to be struggling to get ready for the implementation of GDPR. In a post on European Data Protection Supervisor’s website, Giovanni Buttarelli, the European data protection officer, suggested that there were too few people currently working for data protection authorities in the EU to supervise GDPR. Speaking to the Financial Times in September 2017, Elizabeth Denham, the head of the ICO, said the organization needed more staff to effectively enforce GDPR. The UK Government has overhauled the ICO’s funding to enable it to be fully equipped to investigate businesses’ compliance.
It’s also notable how non-EU entities are responding, particularly the social media sites whose business model relies on collecting the personal data of users. Mark Zuckerberg, the founder and CEO of Facebook, ruled out changes to the way in which the company collects users’ personal data during a Congressional hearing to investigate the Cambridge Analytica scandal back in April. While Facebook has instituted measures to comply with GDPR in Europe, it has changed its terms of service for non-Europeans to take 1.5 billion users outside of the reach of GDPR. While this suggests that the new rules will have some impact on the business models of social media companies, GDPR is unlikely to spell the end of the industry.
The vast number of users of social media clearly gain benefits from these services and allowing the use of their personal data in targeted, consented to ways is an understandable trade-off for many. It is even possible for this to build trust in the platform and cause users to see advertising as more acceptable and more specific to them, increasing engagement.
In Europe, all businesses must now make the ways in which they collect and use personal data more transparent. But this is not necessarily all bad for them. Individuals who perceive their data has been collected dishonestly will likely not respond positively to how it is used. Being open about data collection may make individuals more attentive to the ways their data is used, perhaps leading to upsides for businesses that want more attention to be paid to the end product for which personal data is needed.
GDPR is not the end of the discussion on how to regulate the collection, retention and use of personal data. It will almost inevitably face teething problems. It is nevertheless important to look critically at the ways in which businesses use valuable data. The right balance will recognise the trade-off between accessing benefits to which many have become accustomed in exchange for giving out personal information. It should also look to protect the existence of valuable businesses and encourage individuals to take an active role in managing how their data is used. How GDPR in practice strikes that balance will be answered in the next few years.
Legislation & Case Law Update
Facebook sued by MoneySavingExpert founder over fake adverts
Martin Lewis, the founder of British consumer finance website MoneySavingExpert.com, has issued High Court proceedings against Facebook, suing the company for defamation. Mr Lewis has issued the claim in his personal capacity but is no stranger to taking on large corporations, having been at the helm of MoneySavingExpert during campaigns to help consumers claim back PPI, credit card fees and mortgage exit fees from major banks and businesses.
Mr Lewis has accused Facebook of repeatedly failing to stop the publication of scam adverts featuring his name and face. In his blog on the MoneySavingExpert website, Mr Lewis has stated: "the scammers have run a systemic, near continuous, year-long attack on my reputation and attempt to defraud. Facebook is being paid to publish these scam ads, not me. It takes the cash so should take the responsibility – it needs to proactively stop these ads."
Numerous fake Martin Lewis ads have apparently appeared on Facebook in the last year. Examples include adverts for "get-rich-quick" schemes, bitcoin investments, and fake news articles, all using Martin Lewis' name and image. Mr Lewis has claimed that in one such investment an individual "had over £100,000 taken from her".
Facebook currently operates a system by which users are able to report content which infringes on their rights; the content is then assessed by Facebook and potentially removed. In response, Facebook has said: "we do not allow adverts which are misleading or false on Facebook and have explained to Martin Lewis that he should report any adverts that infringe his rights and they will be removed."
However this system appears to not go far enough for Mr Lewis, who wants to see Facebook do more to stop the spread of fake ads on their website: "this is about stopping Facebook being paid to promote scam ads. If Facebook comes up with a solution that will proactively stop itself from publishing fake ads – not just for me, but for others like Deborah Meaden, Peter Jones, Alan Sugar, Richard Branson, Elon Musk and others – then I would be delighted to settle the case. (Costs and some damages to those who’ve been scammed would be good too.)"
This is a particularly interesting and potentially landmark case for UK law. The notable hurdle Mr Lewis' case must overcome to succeed is establishing that Facebook is either the "publisher" of the ads for the purposes of defamation law, or an "intermediary" which failed to take reasonable care in relation to publication of these ads. While the law has established that a social media user who posts defamatory content is a "publisher" and liable for defamation (Stocker v Stocker  EWCA Civ 170), the websites themselves have generally relied on being exempt from defamation claims. As an "intermediary" they merely offer a platform on which users post content.
If this case goes to trial Facebook could lose its intermediary status and be held directly responsible for all the content on its site. While such an outcome is unlikely, this would represent a huge change to the liabilities of social media platforms. A less onerous ruling could force Facebook to take a significantly more hands-on approach to policing the content appearing on its site.
Facebook is reportedly engaging with Mr Lewis and his legal team to resolve this matter. However, should no agreement be reached, this case could prove key in defining the responsibilities of social media platforms to regulate content on their sites.
Public consultation on measures to further improve the effectiveness of the fight against illegal content online
On 30 April 2018, the European Commission announced a public consultation aimed at gathering information from the public to improve the effectiveness of the fight against illegal content online.
The Commission notes that "the availability and proliferation of illegal content online remains an important public policy and security concern in the EU. In particular, there are still concerns regarding the dissemination of terrorist content online, as well as of that of illegal hate speech, child sexual abuse material, or illegal commercial practices and infringements of intellectual property rights, selling of illicit drugs, counterfeits or other illicit goods."
The Commission is looking for evidence on the effectiveness of current measures and the scale of the problem. Policing illegal content online is a very difficult task. The vast amount of data to sift through and the myriad of ways criminals can hide their movements give some indication of the challenges law enforcement face. The Commission will be looking at ways to improve the effectiveness of tackling illegal online content by the end of 2018.
Feedback is sought from a range of stakeholders, such as: academics, non-profit organisations, law enforcement, online hosting providers and individuals. The consultation looks at the current use of the internet and stakeholder involvement in combatting illegal content online, as well as canvassing opinions on who should be responsible for tackling illegal content online, the current state of the internet and if further measures are needed.
The consultation closes on 25 June 2018. Readers wishing to give feedback can do so here: