Retrospectivity and the GDPR

September 27, 2017

I was intrigued by Tim Turner’s set of GDPR predictions,
which focus on fines and can be found here. It was
a fun idea but I thought that he was being very conservative by setting May
2019 as his cut-off (his chosen charity won’t get much) because we have seen how
slow the process that leads to monetary penalties under the current regime
is. There seems no reason to suppose that the new GDPR regime will be
quicker even if there is an argument that penalties will be larger.

But reading his predictions made me wonder about a basic
question that I have not seen addressed. It may be my oversight. I hope SCL
members can enlighten me.

Assuming that behaviour amounting to a breach of the GDPR is
such that it warrants a large fine, it seems to me to be likely that it will
have been ongoing for a period. Alternatively, where a breach occurs,
for example because of a hack into an inadequately secured system, it might not
be discovered for some time (see, for example, the recent Deloitte security ‘issues’).
In each of these circumstances, the failure that merits punishment under the
GDPR predates its implementation. Surely, in such circumstances, the penalty
applicable is that under the current Data Protection Directive, as implemented in
the UK by the DPA 1998, not the GDPR. The alternative is a breach of a basic
human right (encapsulated in the ECHR, Article 7) and of a common-law rule preventing
retroactive penalties.

I appreciate that Article 7 applies only to criminal
penalties but, as Paul Motion and Laura Irvine convincingly argue here,
monetary penalty notices probably were criminal in Strasbourg terms and, since penalties
under the GDPR can be extremely punitive, the fines under the new regime are
even more likely to be criminal penalties.

If that is right, it might be well into 2020 before we see
many GDPR fines. That probably does not fit well with the orchestrated panic
that some advisers are aiming for but, lest I be misunderstood, it is certainly
not a reason to postpone GDPR compliance.

I would greatly appreciate any comments on this short point.