Norton Rose Fulbright - Data Protection Report blog

Websites go dark, complaints are filed within an hour, European Commission suffers an embarrassing data leak, and the US Commerce Secretary warns about the unintended trade impact of the law – all in the first week of the GDPR

The European Union’s far-reaching General Data Protection Regulation (GDPR) went into effect on 25 May amid much anticipation.  Although the date itself was seen as a watershed moment, what comes after will reveal the full impact of the law.  Even for those businesses that have declared that their GDPR compliance efforts have completed, the work of maintaining and updating their privacy and data protection framework will need to continue well after 25 May.  We have also yet to see how 28 EU member states and the Court of Justice of the European Union will interpret the law.

In the days leading up to 25 May, millions of inboxes were filled with updated privacy notices and requests for marketing consent and pop-up notices for cookies were added to websites across the globe, as many businesses contemplated if and how the new law applies to them.  Just in the first week, we are seeing glimpses of what lays ahead.  Certain American news publications decided to shut themselves off to European users on their websites, a first series of complaints were filed against US tech giants and their subsidiaries, and the European Commission, in an embarrassing turn of events, was found to have had a data leak on one of its websites,  Just five days after the law has gone into effect, Wilbur Ross, the US Commerce Secretary, published an opinion piece in the Financial Times, that warns: “EU data privacy laws are likely to create barriers to trade.” 

We take a look at the initial reactions and events that occurred in the first week following the implementation of the  GDPR, provide some insight into the GDPR’s impact on the digital economy and trade and provide, as we always do, some practical tips for how to manage privacy and cybersecurity risks in this ‘new era’.

First complaints received within 48 minutes

Within forty-eight minutes of the GDPR coming into force, Max Schrems, who has previously campaigned against US social media platform and tech companies for alleged privacy violations, launched the first challenges under the GDPR.

Schrems’ non-profit organisation, NOYB, challenged some of the largest players in the market– on the basis that they operate upon users’ “forced consent”.  Schrems argues that under the GDPR, when users are asked to consent, they should be given a free choice – which means that consent should not be a condition of using the service.  Schrems’ complaints state that those companies do not offer true “consent”, as users are banned from using the services if they do not consent.

Complaints have been filed in France, Austria, Belgium and Germany and request that regulators impose fines of up to $4.3 billion – roughly 4 percent of each company’s revenue for 2017, the maximum penalty allowed under the GDPR.

In statements, both companies defended their data collection practices, saying they fully complied with the new European regulations.

Other activists follow suit – complaints filed against Tech Companies

Following Schrems’ complaints, other privacy activists quickly followed suit.  French digital rights group La Quadrature du Net filed complaints against a number of US-based tech companies on Monday (28 May 2018).  Organisations such as La Quadrature du Net and NOYB are taking advantage of the fact that the GDPR allows them to make complaints on behalf of individuals who might be affected by GDPR non-compliance.  La Quadrature du Net, Center for Digital Democracy and Privacy International have also made public statements about other potential targets.

The new chairwoman of the European Data Protection Board, Andrea Jelinek, told The Financial Times she expected cases to be filed “imminently”. “If the complainants come, we will be ready,” she said.

Ireland’s data regulator Helen Dixon also spoke to the newspaper, saying the country was ready to use “the full toolkit” against non-compliant companies.

European Commission’s data leak

While European data protection authorities are preparing to bring claims against global companies, it was reported this past week that the European Commission inadvertently leaked the personal details of hundreds of European citizens, including their names, addresses and professions.  It also included the postcodes and addresses of some British citizens.  This would have been in breach of GDPR had it been made by another organisation, however the EU Regulation that applies to the EU institutions has yet to be updated to apply similar data breach notification provisions to the European Commission. A spokesperson for the European Commission stated that this would come into effect in the autumn.

The records, some of which featured the private information of British citizens, were collected during EU meetings and conferences and stored on data spreadsheets.  Tech website Indivigital found the documents are among thousands hosted by the website that are freely accessible online.  Many of them could be found by simply searching for the document on Google.  Given the timing, this raised questions about how ready the European Commission is to act as the global privacy watchdog.

US news outlets deny access to European readers rather than comply with GDPR

In anticipation of the GDPR going into effect and to avoid having their products and services fall under GDPR’s scope, certain US news outlets blocked access to their websites from European users on 25 May.  High-profile sites under Tronc media publishing group had instead the following message for anyone trying to access their news websites from Europe: “Unfortunately, our website is currently unavailable in most European countries.  We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market.”

Lee Enterprises, which publishes 46 daily newspapers across 21 states in the US, had an even more direct statement as to why their websites are no longer available to European users.  Its statement said: “We’re sorry. This site is temporarily unavailable.  We recognise you are attempting to access this website from a country belonging to the European Economic Area (EEA) including the EU which enforces the General Data Protection Regulation (GDPR) and therefore cannot grant you access at this time.”

CNN and the New York Times remained available to Europe while The Washington Post required EU users to agree to new terms before accessing its website and offered tiered subscription packages, including an ad- and tracking-free “EU premium subscription” that charges 50 percent more than a regular subscription.

GDPR’s Impact on the Digital Economy and Trade

Outside of these brief anecdotes, much thought leadership has gone into how the GDPR will broadly impact the global digital economy and trade.  The European Commission is very clear about why it thinks the GDPR is needed: “Stronger rules on data protection mean people have more control over their personal data and businesses benefit from a level playing field.”  On the publication titled, “A new era for data protection in the EU: what changes after May 2018,” the European Commission starts by stating, “The Facebook/Cambridge Analytica revelations show the EU has made the right choice to propose and carry out an ambitious data protection reform through the [GDPR].”  It is clear who the European Commission thinks the law is targeting.

The impact of the GDPR is far-reaching however and anecdotes such as the ones highlighted above, where services are going offline for European users  or being offered higher-priced more privacy-friendly versions of services , are starting to show that it may not be such an easy path and there will be bumps on the road.

In no uncertain terms, the US Commerce Secretary published his concerns about the broader impact of the GDPR in his opinion piece in the Financial Times.   Mr. Ross claimed the GDPR was already costing American companies billions of dollars to comply and could hurt transatlantic trade.  He said guidance about implementing the changes was “too vague” and demanded Brussels reconsider the rules, stating: “As currently envisioned, GDPR’s implementation could significantly interrupt transatlantic co-operation and create unnecessary barriers to trade, not only for the US, but for everyone outside the EU.”  The commerce secretary said, for example, that the GDPR could harm the public interest by disrupting transatlantic co-operation on financial regulation, medical research, emergency management co-ordination and law enforcement coordination because companies and public entities on both sides of the Atlantic ocean do not have a  clear understanding of what is required to comply.

It is also worth noting the impact the law has had on smaller businesses.  Although the GDPR has been touted as a law that would level the playing field and allow small to medium-sized companies to compete, especially against tech giants, the onerous compliance requirements and the prospect of stiff penalties have had the unintended consequences of smaller American companies stopping service to Europe altogether while the large companies are pushing the compliance requirements onto smaller companies and in essence, playing a policing role within the industry.

By design, the GDPR forces data controllers to provide instructions to their data processors as to how they must safeguard the data – this means, the larger companies are now pushing the data protection obligations down to their vendors and suppliers and small companies find themselves competing with their peers for the business of large corporations based on how GDPR compliant they are.  Because the third party risk and the oversight needs are so great, we have heard from many large organizations that they are looking to shorten their list of vendors.  The thought, at least in the short term, is that it is easier to manage a small number of vendor relationships than many and if your company is small and the compliance program is not robust, you may find yourself cut from the list.  Thus, being able to demonstrate GDPR compliance will be a competitive advantage for companies that are seeking to win contracts, especially for EU customers.

What to Look Out For and Some Practical Tips

How this bigger debate about privacy and data protection frameworks translates into consumer choice will be the real test.  In the end, small and large companies will be investing much of their resources to shore up their privacy and cybersecurity controls and the question on everyone’s mind is whether those investments are worth it.  Will consumers choose products and services because their privacy choices are more transparent and easier to understand?  Will customers walk away from products because they do not offer privacy-friendly options or are called out for not living up to the statements in their privacy policies?

There has been a lot of focus on enforcement and how these billion-dollar lawsuits against tech giants may play out. In addition to these high-profile examples, we are aware that a number of data controllers saw a marked increase in requests from employees and customers seeking to exercise their new rights last week. It is not clear if this is pent-up demand (requestors holding back until 25 May when timescales to respond shortened and fees were abolished) or a sign of what is to come – but these requests will swiftly expose whether these organisations are living up to the promises in their new privacy policies (of which the public are now much more aware) and are fertile ground for testing how the rules should be interpreted.

Whether it is to demonstrate compliance in response to EU regulators’ inquiries or lawsuits, or to respond to data subject access requests, it is more important now than ever to get the basics right.  According to a 2018 report from Varonis Systems, nearly one-quarter of all internal work folders are available to everyone within an organization.  Also, almost half of the surveyed companies had at least 1,000 sensitive files open to all employees.  These statistics show that while there has been a lot of debate about very technical and complicated privacy controls, sometimes companies are lacking even the most basic data privacy and security controls.

For companies of all size and different risk footprints, if not already addressed in the run up to 25 May, it is time to look inwards and make sure internal controls can deliver compliance in practice.

Here are a few practical tips for ensuring that critical data is protected and the data misuse risk is minimized:

  • Map personal data processing activities, analyse what is permitted, articulate the concepts and boundaries so the business understands them
  • Identify what types of personal data are considered ‘critical’ to your organization or pose a high risk of harm to the individuals concerned if mishandled
  • Establish a tiered system to treat more sensitive personal data with the appropriate level of care
  • Identify the number of employees, vendors and contractors that need access to the critical data, which would include sensitive personal data, and apply more stringent security controls on their access to the data and systems
  • If certain personal data is no longer needed, delete it and have a system for continually monitoring and removing ‘ghost’ systems, databases and users – those that hold the data or have access to the data even after they are no longer in operation
  • Develop function-specific procedures tailored to each department’s handling risks and duties
  • Train personal data handlers and encourage them to ask questions so that they understand why their practices are changing and apply the concepts in spirit as well as to the letter of the law
  • Support the changes with senior management-led governance
  • Train a team to be able to recognise and respond, within the short prescribed timescales, to personal data breaches and the exercise of data subject rights