For businesses in the art sector and beyond, legal compliance is becoming increasingly crucial, as infringements have the potential to undermine the very survival of the business.
It used to be the case that only competition law was seen to be exceptional in terms of the eye-watering fines imposed by the regulators. More recently, however, non-compliance in other areas has been tightened and businesses really need to “up” their game. Data protection is an example. The upcoming reform of data protection brings with it significant risks for non-compliant businesses in the UK and international art markets. Businesses should guard against those risks now or face potentially crippling consequences.
- Why will infringements of the new rules be so dangerous for businesses in the art market?
Currently, fines under national law vary and are relatively low. For instance, the UK maximum fine is £500,000. Under the new rules, businesses will face dramatically increased penalties. The national supervisory authorities will be able to impose fines on so-called “data controllers” and “data processors” on a two-tier basis:
- Up to 4% of annual worldwide turnover of the preceding financial year or 20 million euros (whichever is the greater) for violations relating to breaches of the data protection principles, conditions for consent, data subject rights and international data transfers.
- Up to 2% of annual worldwide turnover of the preceding financial year or 10 million euros (whichever is the greater) for violations relating to internal record keeping, data processor contracts, data security and breach notification, data protection officers, and data protection by design and default.
By way of comparison, administrative fines for EU cartel infringements have traditionally been among the highest so-called “administrative fines” anywhere in the world. The European Commission can impose fines of up to 10% of annual worldwide turnover on cartelists. These fines are capped, so a smaller company with annual turnover of, say £10 million, would never have to pay a fine in excess of £1 million.
The above changes to the data protection rules will allow the national authorities to impose fines capped at 4% or £20 million, whichever is the greater. That means that, in theory, a small or medium-sized art business could be fined way in excess of the maximum fine it would face under competition rules. This is because, in the brave new world of data protection, companies with smaller annual turnovers could face fines disproportionate to their size.
- What data protection reforms are we talking about?
Data protection rules are based on a system devised by the European Union. The UK government has confirmed that these rules will continue to apply in post-Brexit Britain.
In January 2012, the European Commission proposed a comprehensive reform of the 1995 Data Protection Directive (“1995 Directive”), due to a dramatic increase in the scale of data sharing and collecting since the 1995 Directive was adopted. The objective of the reform was to respond to new technological challenges and to put in place a harmonised framework for the protection of personal data across the European Union.
The new EU data protection framework consists of two main instruments:
- The General Data Protection Regulation (“GDPR”); and
- The Data Protection Law Enforcement Directive (“DLEP”), which deals with data transfers for policing and judicial purposes and aims to protect the personal data of victims, witnesses, and suspects of crimes.
The most important changes for the international art market are introduced by the GDPR, which will apply in all Member States from 25 May 2018. The UK Government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. In the Queen’s Speech of 21 June 2017, the UK government announced that a Bill would be introduced to “ensure that the United Kingdom retains its world-class regime protecting personal data” post-Brexit. The Bill would establish a new data protection regime and replace the UK Data Protection Act 1998 (“DPA”), the main piece of legislation that governs the protection of personal data in the UK today. The UK’s commitment to the reformed data protection rules has also been confirmed by way of a Statement of Intent published by the UK government on 7 August 2017.
Art businesses, like all other businesses, are subject to data protection laws and must comply with the new GDRP from 25 May 2018.
- What are some of the key changes (art) businesses ought to be planning for?
Firstly, the new data protection regime will expand the territorial scope of the rules. In the future, even non-EU data controllers and data processors will be subject to the GDPR if they either:
- offer goods or services to data subjects in the EU irrespective of whether payment is received; or
- monitor data subjects’ behaviour insofar as their behaviour takes place within the EU.
In practice, this means that many non-EU art businesses that were not required to comply with the 1995 Data Protection Directive will be required to comply with the GDPR. For instance, if you have an online auction business established in the U.S. but targeting EU customers, you will be subject to the GDRP.
Secondly, the new regime will require an exceptionally high standard of consent to be obtained from data subjects. Consent will have to be given by a clear affirmative action establishing a freely given, specific, informed and unambiguous indication of the individual’s agreement to their personal data being processed, such as by a written (including electronic or oral) statement. Businesses must be able to demonstrate that the data subject gave their consent to the processing and they will bear the burden of proof that consent was validly obtained.
Thirdly, the GDRP imposes significant accountability obligations on businesses including to:
- implement appropriate technical and organisational measures that ensure and demonstrate compliance. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies;
- maintain relevant documentation on processing activities;
- appoint a data protection officer (where appropriate); and
- implement measures that meet the principles of data protection by design and data protection by default (such measures could include: data minimisation; pseudonymisation; transparency; allowing individuals to monitor processing; creating and improving security features on an ongoing basis; and using data protection impact assessments where appropriate).
Finally, businesses should also bear in mind that the GDPR requires them to notify data breaches to their supervisory authority without undue delay and where feasible within 72 hours. Businesses must justify any delay in reporting data breaches by way of a reasoned justification.
- What are the new rights of data subjects?
First, the GDPR will expand the rights of data subjects by allowing them to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where it is being processed and for what purpose. This change is a dramatic shift towards data transparency and represents an empowerment of data subjects. As a result, it could lead to an increase in the administrative burden faced by businesses generally.
Secondly, so-called Data Erasure, also known as the “right to be forgotten”, entitles the data subject to force the data controller to erase his/her personal data, cease any further dissemination of the data, and potentially halt third parties processing the data.
Thirdly, the GDPR introduces data portability, the right for a data subject to transmit its data from one data controller to another.
- Will the new regime only make businesses’ life more difficult?
Thankfully, there are also a couple of changes that should make compliance with the applicable data protection rules easier and more efficient for art businesses.
Under the GDPR, a business will, in certain circumstances, be able to deal with only one single supervisory authority as its “lead supervisory authority” across the EU. Art businesses that operate in more than one EU member state will be able to use this one-stop shop, which should allow them to interact with a single supervisory authority rather than multiple supervisory authorities in different member states. For example, a London-based gallery with operations in Italy and France will be able to deal primarily with the UK data protection regulator. However, data protection matters which concern more than one EU country will be dealt with by the various data protection regulators concerned in collaboration.
National supervisory authorities, however, remain competent to investigate and enforce data protection law if a complaint is directed to them, or if there is an infringement within their member state or which substantially affects only data subjects located within it.
Further, controllers are currently required to notify their data processing activities to local data protection authorities. A welcome change for businesses is the removal of this general notification requirement. Instead, under the GDRP, businesses will be required to maintain detailed documentation recording their processing activities.
Compliance with data protection rules is crucially important for businesses, including those in the art market. The new principles introduced by the GDRP may require substantial changes to existing compliance strategies. The Information Commissioner’s Office (“ICO”), the UK’s independent body dealing with data protection, has published a helpful 12-step guide to assist businesses and is in process of finalising its practical guidance on the GDRP. Art businesses should review their existing data protection policies and put in place a plan for making any necessary changes to comply with the GDRP.
Till Vere-Hodge & Yulia Tosheva
Published 6 October 2017