Retrospectivity and the GDPR

Does increasing fines for past breaches run contrary to a basic right?

I was intrigued by Tim Turner’s set of GDPR predictions, which focus on fines and can be found here. It was a fun idea but I thought that he was being very conservative by setting May 2019 as his cut-off (his chosen charity won’t get much) because we have seen how slow the process that leads to monetary penalties under the current regime is. There seems no reason to suppose that the new GDPR regime will be quicker even if there is an argument that penalties will be larger.

But reading his predictions made me wonder about a basic question that I have not seen addressed. It may be my oversight. I hope SCL members can enlighten me.

Assuming that behaviour amounting to a breach of the GDPR is such that it warrants a large fine, it seems to me to be likely that it will have been ongoing for a period. Alternatively, where a breach is discovered, for example because of a hack into an inadequately secured system, it might not be discovered for some time (see, for example, the recent Deloitte security ‘issues’). In each of these circumstances, the failure that merits punishment under the GDPR predates its implementation. Surely, in such circumstances, the penalty applicable is that under the current Data Protection Directive as implemented in the UK by the DPA 1998 not the GDPR. The alternative is a breach of a basic human right (encapsulated in the ECHR, Article 7) and a common-law rule preventing retroactive penalties.

I appreciate that Article 7 applies only to criminal penalties but, as Paul Motion and Laura Irvine convincingly argue here, monetary penalty notices probably were criminal in Strasbourg terms and, since penalties under the GDPR can be extremely punitive, the fines under the new regime are even more likely to be criminal penalties.

If that is right, it might be well into 2020 before we see many GDPR fines. That probably does not fit well with the orchestrated panic that some advisers are aiming for but, lest I be misunderstood, it is certainly not a reason to postpone GDPR compliance.

I would greatly appreciate any comments on this short point.

