GDPR enters enforcement with broad global impact; potential non-compliance fines could run into the billions



The General Data Protection Regulation (GDPR) became enforceable on 25 May 2018. Designed to protect and strengthen the personal data and privacy rights of people in the EU, and extraterritorial in reach, it applies to every organization that collects or processes the personal data of individuals in the EU regardless of where that organization is located. Under GDPR, organizations must have a lawful basis (most often the individual's consent) for each use of personal data, must tell individuals how their personal data will be used, must notify the supervisory authority within 72 hours of becoming aware of a breach and notify affected individuals when the breach poses a high risk to them, and, on request, must provide a copy of the personal data held or erase it. Fines for failure to meet the GDPR standards can reach the greater of 20 million euros or four percent of an organization's worldwide annual turnover. Although no fines have yet been assessed under GDPR, its arrival has already had a broad impact.

FORCED CONSENT

The first official complaints of non-compliance with GDPR were filed against Google, Facebook, Instagram and WhatsApp by the European privacy rights organization noyb, which argues that the companies forced users into accepting new terms of service, in breach of the GDPR requirement that consent be freely given. Under GDPR, access to a service can no longer, in most instances, be made conditional on the user consenting to processing of personal data that is not necessary to deliver that service. Such consent is typically sought via a pop-up asking the user to accept the terms of service in exchange for access to content. If the complaints are upheld, GDPR fines could reach nearly $4 billion for each organization named.

GOOGLE AND FACEBOOK DUOPOLY BENEFITING FROM GDPR

Both industry giants have proved more successful at obtaining GDPR-compliant consent from users than smaller firms, which have far less leverage and reach. "One of the unintentional consequences of GDPR is the strengthening of the duopoly," Gil Elbaz, a former Google executive and current CEO of the online marketing company Factual, told Bloomberg. "If Google continues to go unchecked, their dominance will be extreme."

U.S. NEWS MEDIA WEB SITES GO DARK IN THE EU

More than a thousand U.S. news media web sites blocked access from the EU, citing concerns that they had not yet met the GDPR standards and risked fines. According to the New York Times, those blocking EU access included The Chicago Tribune, the Los Angeles Times, the New York Daily News, the Orlando Sentinel, The Baltimore Sun and the St. Louis Post-Dispatch.

TICKETMASTER CANDIDATE FOR FIRST MAJOR GDPR FINE

Ticketmaster UK suffered a data breach that went undetected for months and spanned a period both before and after GDPR enforcement began, affecting nearly forty thousand customers. Alerted by banking officials to the suspected breach, Ticketmaster initially found no evidence of an intrusion but eventually traced it to a customer-support chatbot script supplied by third-party vendor Inbenta Technologies, which had been tampered with to carry malicious code and was loaded on Ticketmaster's payment pages. The compromised data included names, addresses and email addresses, as well as telephone numbers, payment details and login details for Ticketmaster.com. Under GDPR, the fine could be $22 million or more; note, however, that GDPR penalties can only be applied to the portion of the breach that occurred on or after 25 May 2018, with the earlier period falling under the previous data protection regime and its far lower maximum fine.

EU INTERNET RUNNING FASTER

Digital monitoring company Catchpoint found that many of the EU-facing versions of US-based news sites that remained available in the EU after GDPR enforcement began were loading and running faster than their US versions. Catchpoint Chief Executive Mehdi Daoudi noted that "This is a direct result of the fact that many external third-party elements previously integrated into these pages (tags which could impact user experience and performance) have been stripped away, including ad servers, Google services/analytics, social media plug-ins and more." The difference? The average load time in the EU was 0.57 seconds; stateside, it was 10.22 seconds.

THINKING ABOUT YOUR ORGANIZATION’S GDPR LIABILITIES?

360 Advanced has significant in-house GDPR experience and knowledge, developed by working with clients to implement the GDPR requirements and to assess the security and privacy aspects of GDPR. Our GDPR services are tailored to the needs of each client and may include GDPR readiness assessment, compliance assessment, advisory and consulting services, and Data Protection Officer (DPO) outsourcing.