25 October will mark five months since the entry into force of the General Data Protection Regulation[1]. There was much confusion before that. Companies wondered whether employees’ birthdays could be printed out and tacked to the wall in the break room. Maybe Christmas presents could no longer be given to employees’ children because that, too, would require the children’s personal data to be “processed”. 

It is true that the entry into force of the GDPR did mean a number of new obligations for companies and the need to review their organisational procedures to ensure that they were in line with the general regulation.

The purpose of data protection reform was to effectively protect the fundamental rights and freedoms, in particular, people’s right to protection of their personal data, which is clearly set forth in various legal acts as an inalienable fundamental right.

As said, there was much confusion before the application of the GDPR. Companies were not sure how to act. Was it obligatory to appoint a data protection specialist? Could marketing e-mails no longer be sent? Would the Data Protection Inspectorate come knocking tomorrow with a notice of a multimillion fine assessment whose statement of reasons cited the conclusion that everything was wrong? Now three months have passed – were the fears justified?

Too few data protection specialists

Based on Article 37, certain companies have the duty to appoint a data protection specialist. Public sector institutions or bodies must appoint a data protection specialist in any case, no matter how much personal data is processed. For companies in private law, it depends on the amount processed and the type of personal data (the Data Protection Inspectorate has published a very informative guide on the obligation of appointing a data protection specialist[2]).

According to the Data Protection Inspectorate,[3] close to 1,600 companies had appointed a specialist as of 25 July. The number has probably increased somewhat since then. According to information from Statistics Estonia[4], Estonia has 157,757 economically active companies, of which 2,370 companies are part of a local government unit; these must definitely appoint a data protection specialist. Going by the Statistics Estonia data on economically active companies and companies that have already appointed a data protection specialist, we conclude by arithmetic that 1% of all companies (the author realises that not all companies have the express obligation to appoint a specialist) have appointed a data protection specialist and declared the name of the specialist to the Commercial Register. From the above, we can conclude that there are still a number of companies (both public-law and private-law entities) that are obliged to appoint a data protection specialist and have not yet done so. Still, we do not yet know of the Data Protection Inspectorate having issued precepts in this matter to companies that were obliged to appoint a data protection specialist and have as yet failed to do so. The obligation to appoint a data protection specialist has not changed but enforcement is still lax. There is no reason to panic.

Number of complaints rises                                                     

The GDPR sets forth expressis verbis that data subjects have the right to file a complaint with the Data Protection Inspectorate. The International Association of Privacy Professionals (IAPP) has published an article on the dramatic rise in the number of complaints[5]. According to the information sent by the Estonian Data Protection Inspectorate to IAPP, in just the first 14 days after the GDPR entered into force, seven complaints were filed. According to Krediidiinfo data, the Data Protection Inspectorate has 18 employees as of 30 June 2018. There is no information on whether the Data Protection Inspectorate has processed these complaints and assessed a fine or other monetary enforcement measure. In comparison, the UK supervision authority received 1,124 complaints (!) in the first 26 days after the GDPR came into force. Then again, the UK’s supervisory authority has significantly more resources to process complaints – it had 393 employees as of 2017. The Latvian supervisory authority, which has 25 employees, received 19 complaints in those first 26 days.

The need to go to court to pursue justice

The Data Protection Inspectorate conducts proceedings only on incidents arising from relationships in the private law that require rapid intervention or if the proceedings on a matter are in the public interests[6]. The dispute concerns only the participants, the county courts should be recurred to for protection of one’s rights. Due to valid legal acts and settled practice, the Data Protection Inspectorate may elect not to deal with complaints stemming from a relationship in private law and say that they will not conduct proceeding on the complaint (lack of public interest) and the person should turn to county court, which would involve a significantly more formal, expensive and complicated civil court proceedings.

Companies probably will breathe a sigh of relief over such an approach, yet data subjects less so. Can it be said in such a situation that people can effectively protect their fundamental rights in the field of protection of personal data? It is possible that at some point someone's challenge of a Data Protection Inspectorate action appearing to contravene the GDPR or its intent will reach administrative court. According to the GDPR, the function of the regulation is, among other things, to deal with complaints filed by the data subject, institution, organisation or association, investigate the content of the complaints to the appropriate degree and notify the person lodging the complaint within a reasonable term of the course and results of the investigation.

People don’t know anything about the use of their data

General awareness of protection of personal data is rising in society. Probably everyone has recently noticed how companies have established or updated their privacy policies. Nearly every website now has a nag screen that asks the website visitor to consent to use of cookies (even though it is questionable whether the GDPR should even be given this interpretation). According to a study conducted by CIM[7] (not limited to just Estonian consumers) 48% of the consumers surveyed do not understand how organisations use their personal data and fewer than one-fifth (18%) of people believe that companies use personal data for an honest and transparent purpose. Fewer than half (41%) of respondents were aware of the GDPR. Trust in different social media companies has shrunk significantly and it is especially low in the case of Facebook and Twitter. When it comes to lack of trust in Facebook, the privacy scandals (such as forwarding of data to Cambridge Analytica) fanned the flames.

Court cases and decisions by data protection supervision authorities in Europe give data processors clear guidance and rules for interpretation for implementing several very broadly worded provisions of the GDPR, such as “great threat”, “extensive data processing” and “sufficient technical and organisational measures”. The failure of Estonia to adopt the GDPR in a timely manner did not contribute to clarity. Hopefully, this will still happen – there is overwhelming public interest in passing the legislation, especially considering possible damage to Estonia’s reputation and violation proceedings. Nevertheless, it is important to note that the existence of a Personal Data Protection Act in domestic law does not limit the application and validity of the GDPR. The current Personal Data Protection Act must be read and interpreted in the context of the GDPR and the standards in the Personal Data Protection Act that are in contravention with the GDPR must be cast aside.

So what about Christmas gifts for employees’ children?

Processors of personal data have contacted providers of consultation service to get clear information on what exactly they are required to do to achieve compliance with the GDPR. The questions mainly pertain to processing of personal data in employment relationships. Article 13 of the GDPR imposes on companies the obligation to notify the data subject that its personal data is being processed. The notification obligation applies to both companies’ clients and employees. In other words, to be allowed to post an employee’s birthday in a public space (physical or virtual) the employer must ask for the employees’ permission as publication of birthdays is not something that is required by the Employment Contracts Act, is not related to performance of contracts and is not in the justified interest of the employer. If the employer desires to give Christmas gifts to employees’ children and needs to get the children’s dates of birth of personal identification codes for this purpose, it must notify the employee as to why it is collecting these data or what is the purpose of the activity (note also that this can only be an optional data field). It is important to notify the employee as to how their personal data will be processed. It is best to specify in internal documents – the internal work procedures or the procedure for processing personal data – how personal data will be processed during the employment relationship.

How to carry out e-marketing?

When processing personal data for direct marketing purposes (such as sending of e-mails) the Electronic Communications Act should not be overlooked. Subsection 1031 (3) sets forth that if a person receives the buyer’s electronic contact details in connection with sale of a good or provision of a service, they may  only be used to direct marketing of similar goods and services to the buyer if:

-  the buyer is given, upon the initial collection of electronic contact details, a clear and distinct opportunity to refuse such use of its contact details free of charge and in an easy manner;

-  the buyer is given, upon the initial collection of electronic contact details, a clear and distinct opportunity to refuse such use of its contact details free of charge and in an easy manner (such as an unsubscribe option);

- the buyer is given, upon the initial collection of electronic contact details, a clear and distinct opportunity to refuse such use of its contact details free of charge and in an easy manner.

To sum up, the Estonian proverb of measuring nine times and cutting once applies. Companies would do well to perform actions that enable them to comply with the obligation to notify data subjects that their personal data is being processed, to respond to queries from data subjects and to document the processes used for processing of personal data.

Based on our experience, it is also a good idea to map the personal data being collected, prepare a privacy notice and procedures for processing of personal data. Hopefully in the near future some US companies will be able to overcome the obstacle called the GDPR and it will soon be possible for European readers to browse the L.A. Times once more. Most European readers currently get the following message when they visit the website: “Unfortunately, our website is currently unavailable in most European countries.” The reason: the GDPR and technical incompetence.

Author: Allan Kubu

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Available online at: https://eur-lex.europa.eu/legal-content/ET/TXT/?uri=CELEX%3A32016R0679.

[2] Data Protection Inspectorate. Who has to appoint a data protection specialist? Available online at: http://www.aki.ee/et/andmekaitsespetsialisti-maaramine/kes-peavad-maarama-andmekaitsespetsialisti.

[4] Source available online at: https://www.stat.ee/68777.

[6] Source available online at: http://www.aki.ee/et/inspektsioon/poordu-inspektsiooni-poole. Last paragraph.