There is something that distinguishes those who have practised data protection law for more than five years from those who have come to it more recently. The former are in possession of a secret. It is this: GDPR did not change the fundamentals of data protection.
Look at the keystones of the law – the data protection principles in Schedule One of the Data Protection Act of 1998 (the prior law) and in Article 5 UK GDPR (the current). They are effectively identical. And in fact, they have barely changed from the principles in the 1984 Data Protection Act, and those in the Council of Europe Data Protection Convention 108 of 1981.
Yet even in the courts one still sees from time to time the misconception that the GDPR rights and obligations were something fundamentally new.
An example is a recent case in the Employment Appeal Tribunal. The details of the case are not important for this post, but what is relevant is that the claimant employee argued that information about his previous employment history at the respondent employer (from 2008-2011) should not have been allowed in evidence. One argument in support of this was that the lengthy retention of this information was in breach of the employer’s data protection obligations (and the claimant had received correspondence from the Information Commissioner’s Office broadly agreeing with this).
But in response to this argument the respondent employer asserted that
Prior to [GDPR coming into effect on 25 May 2018] there was no “right to erase”. Accordingly, the period during which the respondent should arguably have taken steps to delete data was around nine months from this point until 28 February 2019.
This fails to recognise that, even if there was no express right to erasure prior to GDPR (n.b. there was certainly an implied right, as the European Court of Justice found in Google Spain), there was certainly an obligation on a data controller employer not to retain personal data for longer than was necessary (see paragraph 5 Schedule One to the 1998 Act).
The judge, however, accepted the respondent’s argument (although in all fairness to her she does point out that neither party took her to the legislation or the case law):
I accept that the ICO’s reference to retention being likely to breach data protection requirements, was (at its highest) concerned with the nine month period between the GDPR coming into effect and the claimant indicating an intention to commence litigation
That is not what the quoted correspondence (at paragraph 17) from the ICO said, and it is not a correct statement of the law. If the period of retention of the data was excessive, there is no reason to say it was not in contravention of the prior law, as well as GDPR.
Ultimately, it is doubtful that this would have made much difference. As often in such proceedings, the relevance of the information to the matter was key:
in so far as the Respondent was in breach of data protection law for the nine month period I have referred to, it does not follow from this that the documentation was inadmissible in the [Employment Tribunal] proceedings
But one wonders if the judge might have taken a slightly different view if, instead, she had found that the Respondent was in fact in breach of data protection law for several years (rather than just nine months).
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.