GDPR AND THE INTERNET: COOKIES AND SOCIAL MEDIA

WHAT IS GDPR?

The General Data Protection Regulation (GDPR) is a European Union law passed in 2018 that is the most significant change to data privacy regulation in decades.  It not only regulates how companies use individual’s data across the EU but also extends to any company worldwide who interacts with EU residents.  The United Kingdom implemented the GDPR through the Data Protection Act 2018 (DPA).  The GDPR not only applies to information such as someone’s name, birthdate, address, and other personal data, but also data such as browsing history, medical information, personal interests, and shopping habits.  These other categories are especially important to be aware of if your company interacts with customers through social media or a website.

REQUIREMENTS FOR PROCESSING PERSONAL DATA

When a company holds personal data about any individual they are considered a ‘data controller’ under the GDPR.  To collect and hold personal data as a data controller, Article 6 of the GDPR sets out six ‘lawful bases’ under which data may be collected.  If a company cannot show that one of the following bases apply, they are not entitled to collect any personal data:

• The individual provides specific consent to data being collected
• The individual agrees to a contract that contains provisions for data to be collected
• There is a legal obligation for the company to collect data
• It is vital to collect an individual’s data in a life-threatening emergency and they are not able to provide consent
• To perform a specific task that is in the public interest and set out in law
• The company can demonstrate there is a legitimate interest for them to process an individual’s data, balanced with that individual’s reasonable expectations for the data to be collected.

HOW DO WEBSITES AND SOCIAL MEDIA FACTOR INTO GDPR?

The GDPR contains several rules for companies to follow regarding the personal data they retain for any individual.  Regarding social media and internet browsing, some of the important requirements are:

• You must obtain consent from an individual in order to store any of their personal information, per the first lawful basis above.
• You must provide any individual a free, easy to understand electronic copy of all personal data you hold about them upon their request and must tell them the purpose you are holding the data for, called the “Right of Access”.
• You must delete certain types of data you hold about an individual upon their request, called the “Right to Erasure”.
• You must keep any data you hold on a customer protected by keeping it anonymous.

CAN I STILL USE COOKES TO COLLECT DATA ON VISITORS TO MY WEBSITE?

Cookies, which are text files with small pieces of data used to identify unique visitors to a website, are a ubiquitous part of browsing the internet and one of the most common ways to collect and share personal data.  While cookies are only mentioned once in the GDPR legislation, it is an easy way for website owner to commit a breach.  To comply with the rules, a website must ensure that each visitor is given the opportunity to consent to which cookies they will allow the website to collect, or to opt out of them completely.  This is usually accomplished by a pop-up banner that appears the first time an individual visits your website.  According to guidelines released by the European Data Protection Board in May 2020, the banner may not have pre-ticked checkboxes and users must freely give a clear and affirmative consent if they agree to allow cookies.  Consent must also be easy to withdraw if an individual wishes to do so and their consent must be renewed at least every year.  Failure to follow these protocols could result in your company breaching the GDPR resulting in fines of up to €10 Million or 2% of its global turnover.

WHAT RULES NEED TO BE FOLLOWED FOR SOCIAL MEDIA?

Individuals using social media must agree to the data privacy notices that each social medial company provides as well as their terms of use.  If a company has a social media presence, most of its activity will take place within the third party social media platform under those agreed terms.  However, when a company takes personal data from one of those social media platforms for its own use, then that company also becomes responsible for GDPR in respect of that data.  At that point the same lawful bases apply as they would for any other personal data collection.

HOW DO I RESPOND TO A RIGHT OF ACCESS REQUEST?

Article 15 of the GDPR gives an individual the right to request a copy of certain types of information that a company holds on them by making a Subject Access Request (SAR).  This can be made verbally or in writing, which includes messaging through social media.  A response must be provided without undue delay and within one month of the request at the latest, although the deadline may be extended by up to two months if the request is complex or involves a large amount of data.  It is best practice to verify the ID of the requester and if a request is made the response period doesn’t start until it is received.  A fee cannot be charged for responding to a SAR except for reasonable administrative costs, such as photocopying.  An SAR may be refused if the request is vexatious, if it is a repeat request from the same person, or if the costs to staff required to respond are too high, however the individual must be advised of the reason for it, and that they have a right to make a complaint to the ICO or that they may seek to enforce their right through the courts.

HOW DOES THE RIGHT TO ERASURE WORK?

Article 17 of the GDPR gives an individual the right to instruct a data controller to erase their personal data without undue delay.  Some of the most common circumstances for this are:

• The personal data is no longer necessary for the purposes for which it was collected
• The individual withdraws their consent for collecting their data and there is no other legal ground to retain the data
• The individual’s data was unlawfully collected, including data collected from a child under 16 without a parent or guardian’s consent

There are however certain exceptions where a company can decline the right to erasure, including when:

• The data is necessary for freedom of expression and information, including journalistic, academic, and literary purposes;
• The data is legally required to be held to comply with statues and regulations;
• The data is necessary for establishing, exercising or defending legal claims;
• Erasing the data would prejudice scientific or historical research; or
• The data is necessary for public health purposes or for preventative or occupational medicine.

When one of these exemptions applies, the company can either fully or partly refuse to comply with the request.  If a request is made that is ‘manifestly unfounded or excessive’ a company can also either refuse to take action or charge a reasonable fee to deal with it.  The definition of manifestly unfounded or excessive is not clear, however, and whether it applies needs to be considered on a case by case basis.

GDPR AND BREXIT

While the GDPR is an EU regulation and no longer applies to the UK following the end of the Brexit transition period on 31 December 2020, the Data Protection Act 2018 is still in effect and mirrors the terms of the GDPR.  At present, the UK Government has not announced plans to amend the DPA so the existing data protection laws are currently unchanged.  Any data collected prior to 1 January 2021 must comply with the GDPR, but from 1 January 2021 onward, only the terms of the DPA will apply to data collected in the UK.  With regard to data exchange and collection with the EU, there is currently a transition period that expires on 30 June 2021 that allows the free flow of data to the UK from the EU.  Negotiations are ongoing as to whether the UK regulations will be granted adequacy with the EU regulations, meaning the EU considers them to be essentially equivalent to their own rules and data exchange can continue uninterrupted.

If you have questions or need support with GDPR related issues, please contact DJM’s Corporate and Commercial department on 01792 650000.