Uncertainty Looms on GDPR Compliance
Ambiguities abound about violations and penalties.
New privacy rules that fall under the European Union’s General Data Protection Regulation, which takes effect May 25, could have a global impact both financially and socially. Effects could range from consumer demands for privacy rights trumping private-sector business practices to billions of dollars in lawsuits against commercial data collectors. The consequences are uncertain because the rules themselves are not specific enough to determine parameters for violations and penalties, information officials say.
The General Data Protection Regulation, known as the GDPR, is designed to affect any company that collects data from EU citizens. It provides for harsh penalties—up to 4 percent of a company’s annual income—for a host of violations. Yet the regulation neither spells out specific practices that would trigger actions nor defines responses that would mitigate all claims against companies, according to information experts.
The GDPR replaces the EU’s 1995 Data Protection Directive. The GDPR was designed to harmonize data privacy laws across Europe and to give EU citizens the ability to enforce privacy laws among companies and organizations.
According to the EU, the biggest regulatory change is extended jurisdiction. The GDPR applies to all companies processing the personal data of people living within the EU. Data handled by any controllers or processors in the EU is covered by the regulation, whether or not the parent company is located in the European Union. Offshore data processing also is covered if it involves EU residents. Organizations outside the European Union are subject to the GDPR just by offering goods or services to EU residents. Non-EU firms processing data about EU citizens must appoint a representative to the EU.
While these rules are a step forward from the previous ones, the GDPR creates legal ambiguities that could lead to problems. Some firms may overreach to adjust to the new regulation, while others may gird for a fight with the EU in court. Still others may just proceed, hoping they won’t face legal recourse, some information managers offer.
A Washington, D.C.-area chief information officer (CIO) and consultant says the determining factor will be whether consumers really care about their privacy rights. In the United States, individuals largely have ceded those rights to the private sector, allowing search engines and online retailers to use personal information in return for more targeted marketing and lower prices for goods and services. This largely stems from a lack of understanding, the CIO offers. “Most consumers have no clue what Amazon, Google, Microsoft and others like that do with their data,” the official states. “The United States is behind what Europe is doing by a large margin. It is much more business-friendly and much less consumer protection-friendly than the European Union.”
In Europe, at least at the policy level, people have a greater understanding that data exploitation could pose a major problem, the CIO continues. Also, more consumers there are starting to push back and reclaim their privacy rights. “The GDPR is raising awareness not just in Europe but also globally. And if the consumers pick up on what’s happening, a lot of this could raise alarm bells and lead to other privacy concerns in other countries,” the officer states.
The GDPR specifically addresses multinational firms that have any kind of presence in Europe. As soon as they collect a single bit of data from a single European Community citizen, these companies fall under the regulation. The CIO notes that the regulation highlights the cultural difference between the cavalier approach of U.S. companies and Europe’s tighter privacy laws and consumer protection expectations.
The first major effect of the GDPR may be a raft of legal action aimed at determining the feasibility of this new approach, the CIO says. “This is going to be a lawyers’ boon. There is going to be a massive amount of lawsuits against companies that are thought to be violating the law, and potentially by companies that think they are being charged or fined incorrectly based on what the law says,” predicts the official, adding that the astronomical fines probably are designed to scare companies into compliance. Initial EU actions likely will focus on large multinational firms, the CIO suggests.
The EU does not want to be the first point of contact for complaints. The process begins with an EU citizen filing a charge against a firm he or she believes is operating in a manner that violates the GDPR. The company then would attempt to confirm and address the issue. If the citizen is not satisfied, then the complaint would move up the chain within the company to its CIO.
When all attempts to remedy the dispute with the company fail, the EU citizen would escalate the complaint to an EU Data Protection Authority (DPA), which would pursue the complaint through the government of the company’s home country. In the United States, the Department of Commerce, through the EU-U.S. Privacy Shield Framework, is set up to address the GDPR via the Federal Trade Commission (FTC). The Privacy Shield allows companies to self-certify their compliance with the GDPR, and the FTC can help negotiate on a company’s behalf.
While the GDPR lets companies resolve complaints without penalty, the 88-page law does not address all the potential scenarios that could arise, the CIO charges. For example, if a multinational corporation has a server in the European Union that does not hold data on EU citizens, the rules are not clear whether the company would fall under the GDPR and need to adhere to the regulation. This issue has not been settled internationally, the CIO adds.
The GDPR also is vague about how to decide if a company has crossed the line. “There is a lot of generalized content … and they don’t really get into enough detail to make people say, ‘I am 100 percent compliant, I can see that I’m doing what you tell me in the document,’ because [the rules] are much more general than that,” the information officer continues.
Even some widely used opt-in mechanisms come into question. For example, if a webpage has an opt-in box for marketing that has a checkmark in it by default, one interpretation might call it an opt-out because the user must turn off the checkmark. That issue is not addressed in the regulation.
Enforcement also is rife with uncertainties. Although maximum fines have been established—the greater of $22 million, or 4 percent of the previous year’s revenue for a core violation by a company, and the greater of $11 million, or 2 percent of revenue for a technical violation—much about the violations and penalties remains murky. Companies do not know with certainty what constitutes a violation or how large the fines are for varying levels of violations, the CIO says.
Most U.S. companies that know they have an exposure to the regulation are taking it seriously, the executive offers. Large firms doing massive amounts of international data transition have appointed an officer whose only role is to ensure GDPR compliance. In general, companies of all sizes are examining how they store, move and share their data. Privacy officers may be exerting more authority over their companies to pay heed to their data processes, the CIO offers.
Yet for many companies, it could be a Y2K-type event in which the fears are greater than the reality. A lot of consulting dollars already are changing hands, the CIO says, and companies ultimately may find that their apocalyptic worries were unfounded.