
GDPR comes into force

Laven Partners, London, 25 May 2018


The European Union's General Data Protection Regulation, the most onerous and most extraterritorial piece of data protection legislation passed to date, is in force as of today.

The GDPR is one of the biggest changes to data policy to come out of Europe in the last 20 years. One of the questions most often asked by multinational companies is "can the British Information Commissioner's Office (ICO) fine companies that breach the regulation from outside the EU?" Many foreign companies wonder whether the ICO even has the right to impose fines beyond Britain's borders.

A quick recap

The GDPR applies to the processing of personal data about 'data subjects' who are in the European Union. It reaches controllers and processors that are not established in the EU where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or

(b) the monitoring of their behaviour insofar as their behaviour takes place in the EU.

In other words, any business that collects data about people in the EU, directly or indirectly, is subject to the GDPR. Enforcement will not be limited to companies such as Google or Facebook.

Germany, for example, began investigating 500 companies operating within its borders in preparation for the arrival of the GDPR. These ranged from micro-sized businesses to large enterprises.

More rights for people

It is worth noting that from this day forth the GDPR puts customers and employees (who are in the EU) in control of their personal data, allowing them to decide how businesses and their 'third parties' (subcontractors) use their information. If a business does not treat personal data correctly, those people now have more rights than before to do something about it, including, in some instances, a claim for compensation. Likewise, regulators in the EU have unprecedented power to enforce the legislation: they can issue hefty fines and warnings, impose restrictions on data processing or order compliance.

An EU official stressed recently that today's deadline has been public knowledge for more than a year and noted that "if there is a breach discovered the day after, the GDPR will apply," adding: "I hope that every company dealing with our personal data takes the May deadline very, very seriously."

We have also seen renewed zeal from the ICO, which handed out a record number of fines to companies this January, with financial services firms accounting for almost half of them. Goody Market UK Ltd and Newday Limited are two examples, which suggests that pressure is building.

Enforcement outside the EU

EU member state authorities can, obviously, enforce the terms of the GDPR against companies that are physically present (i.e. established) in the EU.

The regulation requires companies that are not established in the EU but that control or process personal data of people in the EU to appoint a representative within the EU (Article 27). This, among other things, gives supervisory authorities such as the ICO a point of contact through which to ensure that companies handling EU personal data comply with the new law.

Examples of regulators pursuing foreign companies

In the past, other regulatory authorities have been able to pursue foreign companies. In October last year the UK's Financial Conduct Authority fined Merrill Lynch, an American bank with a British branch, £34.5 million for failing to report 68.5 million exchange-traded derivative transactions between February 2014 and February 2016, in breach of the European Market Infrastructure Regulation (EMIR).

It is also worth noting that the UK's data protection watchdog fined Sony Computer Entertainment Europe £250,000 because the company had not taken appropriate steps to prevent the loss of 'vast' amounts of personal data belonging to millions of British consumers.

The same authority also issued Carphone Warehouse with one of its largest fines after one of the company's computer systems was compromised in a cyber-attack in 2015. The company's failure to secure the system allowed unauthorised access to the personal data of more than three million customers and 1,000 employees, including names, addresses, phone numbers, dates of birth and marital status and, for more than 18,000 customers, historical payment card details.

Multinational banks in the firing line

As with any new regulation, nobody yet knows how stringent the ICO's fines and other corrective measures will be as it puts the GDPR into practice. The above examples, however, leave no doubt that EU member states can and will punish at least some of the multinational financial institutions that defy it.

* Laven Partners are available on +44 (0)20 7838 0010  or at info@lavenpartners.com
