One month ago today the EU General Data Protection Regulation (the “GDPR”) became effective. So what’s happened since then? Did the regulation usher in a massive upheaval for organizations around the world? To find out, we thought we’d take a look at some of the significant news headlines over the last month.
Lawsuits Against the Big Guys
The first—and probably the most expected—development was the almost-immediate filing of lawsuits against Google and Facebook, along with two Facebook subsidiaries, WhatsApp and Instagram. The lawsuits were filed in four countries—France, Belgium, Germany, and Austria—by privacy rights activist Max Schrems and his nonprofit organization NOYB (“None of Your Business”). The complaints allege that the companies have not given users enough control over the collection and use of their personal data, in violation of the GDPR. NOYB asks regulators to impose fines of as much as $4.3 billion on Google’s parent company, Alphabet, and $1.5 billion each on Facebook, Instagram, and WhatsApp—roughly 4 percent of each company’s 2017 revenue, the maximum penalty allowed under the GDPR. Here’s the New York Times coverage of the lawsuits.
What About Everyone Else?
The first four lawsuits were not surprising, because these massive organizations have been in the crosshairs of European privacy regulators for some time—their core business model depends on the wholesale collection of users’ data, making them a prime target. But what about smaller players? Should most organizations be prepared for imminent lawsuits and enforcement actions? Some commentators think not, in part because the data privacy regulators are simply overwhelmed by the new regulation, and may not have the resources to pursue every potential violation. As reported by the Irish Examiner, in the first week after the GDPR went into effect, more than 1,300 “concerns or complaints” came into Ireland’s Data Protection Commission. It remains to be seen how this regulatory agency, and the other data protection agencies across Europe, can keep up with the volume of new complaints.
Organizations “Opting Out” Rather than Complying
As reported by the online tech publication the Register, some companies have decided to stop serving the European market rather than do all the work necessary to comply with the GDPR. For example, Pottery Barn no longer accepts orders from European customers. And websites for news outlets including the LA Times, the Chicago Tribune, and the New York Daily News are currently blocked for users in Europe. Stay tuned to see if this corporate opt-out trend continues.
Personal Data Transfers Under Privacy Shield at Risk?
Max Schrems, whose nonprofit organization NOYB filed the first GDPR lawsuits, is the Austrian lawyer who successfully challenged the former “Safe Harbor” data transfer program. That program had provided a mechanism for moving personal data from Europe to the U.S. in compliance with applicable European data privacy regulations. Following the invalidation of Safe Harbor, the EU and the U.S. negotiated its replacement program, called “Privacy Shield.” But now Privacy Shield is potentially in danger as well. According to the Irish Times, the Civil Liberties Committee of the European Parliament has asked the European Commission to suspend the Privacy Shield framework, saying it fails to provide enough data protection for EU citizens. Although not technically news about the GDPR, if Privacy Shield is repealed, it would eliminate a key mechanism for making lawful data transfers to the U.S. under Article 46 of the GDPR.
“Sorry I Haven’t Gotten Back to You, I’m Still Reading Updated Privacy Policies”