Risk and Compliance

GDPR: Here’s What’s Happened So Far

Diana Candela
July 24, 2018
5 min read

After four years of preparations and numerous revisions, the General Data Protection Regulation (GDPR), the most-lobbied piece of legislation in the history of the European Union, was finally approved by the EU Parliament in April 2016. Following a two-year transitional period, GDPR became enforceable on May 25, 2018.

Within hours of the regulation taking affect, popular U.S. news sites were blocked for European readers. Those owned by Tronc, Inc. (including the Chicago Tribune, the Los Angeles Times, the Baltimore Sun and others) and Lee Enterprises (which operates in 21 states and owns 46 newspapers) appeared unavailable to most European site visitors.

Meanwhile, Twitter even blocked users who were underage when they had signed up for the service even though they are well over 18 now. The company suspended multiple accounts of users whose declared date of birth reflected that they were underage when they had signed up for the account.

Lawsuits

Max Schrems, an Austrian privacy campaigner, filed multibillion-dollar lawsuits against Facebook (and its subsidiaries) and Google. Three separate complaints worth 3.9 billion euros in all were filed against Facebook, Instagram and WhatsApp on May 25 in Austria, Germany and Belgium. A lawsuit seeking 3.7 billion euros in damages was separately filed against Google’s Android platform with CNIL, the French privacy regulator. The basis of the complaints is that these companies are forcing the users to agree to their policies using a take-it-or-leave-it approach.

The companies have disputed the charges, claiming that they have taken appropriate measures to comply with the regulation. Google said, “We build privacy and security into our products from the very earliest stages and are committed to complying with the EU GDPR.” Facebook responded to the complaints in a similar vein, saying the company had prepared for the past 18 months to ensure that it meets the requirements of GDPR.

The series of lawsuits against tech companies didn’t stop there. On May 28, La Quadrature du Net, a French digital rights group, filed seven lawsuits with CNIL against Google, Facebook, Apple, Amazon and LinkedIn. La Quad had begun its complaint-collection efforts around six weeks before the GDPR enforcement date. In that short amount of time, they were able to get over 12,000 people to join the collective complaints biased on the general concept of forced consent.

Other Developments

  • Marc Benioff, CEO of Salesforce, called for a law similar to GDPR in the United States. “What we need is a national privacy law, and that will really not just protect the tech industry; it’s going to protect all the consumers,” he said. “Ultimately, it’s going to protect our kids, which is really what this is all about, because we know that all these companies are looking to bring kids into their social networks as well.” On the other hand, IBM has been vocal about lighter regulation on privacy. Christopher Padilla, IBM’s vice president of government and regulatory affairs, recently said in an interview that “GDPR may work for Europe, but that doesn’t mean it should become a global standard.”
  • While GDPR was settling in, California’s “mini-GDPR” was enacted in June – proclaiming itself a “game-changer for the United States.” Meanwhile, Vermont passed a new law that, although very limited by comparison to California’s law, requires data brokers to register with the state to ensure that security measures are updated and to inform relevant authorities in the event of a data breach.
  • Adding to the avalanche of events, members of the European Parliament’s civil liberties committee questioned the EU-U.S. Privacy Shield (the framework that controls the exchange of privacy data between the two entities for commercial purposes), urging full compliance with GDPR by September 1, 2018. Apparently for these committee members, that Facebook-Cambridge Analytica data breach was the last drop. Whether the resolution, which is legally nonbinding, will affect the regulation is unclear, but it adds pressure to EU regulators dealing with the U.S. and certainly does not take away from the GDPR drama unfolding around the globe.
  • Finally, the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which was enacted into law in the U.S. on March 23, 2018, allows U.S. law enforcement orders issued under the Stored Communications Act (SCA) to reach certain cloud data located in other countries under certain circumstances, such as when foreign governments enter into bilateral agreements with the U.S. (within limits and restrictions). How such agreements will be structured in the context of GDPR is unclear.

It’s difficult to say at this time how the flurry of GDPR-inspired privacy regulations will sort itself out. However, one thing we can state with confidence is that the time for privacy and security to make a grand entrance from the back room to the board room has arrived. The various legislation that is being considered or passed or is underway is likely to impact the known data protection landscape for decades to come. The exposure to fines and penalties for noncompliance is too severe to ignore. Accordingly, organizations should be following developments closely with an eye toward anticipating and preparing for a lot more scrutiny of their data-security practices than many are used to.

We have covered, and will continue to cover, data-privacy issues on our blog. Also check out the GDPR resources page on our website. Your questions and comments are welcome.

Diana Candela

Associate Director
Technology Consulting – Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
18 Apr

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. https://ow.ly/OMaL50RfsHw #ProtivitiTech

Reply on Twitter 1781035159438954997 Retweet on Twitter 1781035159438954997 Like on Twitter 1781035159438954997 Twitter 1781035159438954997
protivititech Protiviti Technology @protivititech ·
17 Apr

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible. https://ow.ly/qa6p50Rh9wf

Reply on Twitter 1780627914964308382 Retweet on Twitter 1780627914964308382 Like on Twitter 1780627914964308382 Twitter 1780627914964308382
protivititech Protiviti Technology @protivititech ·
16 Apr

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. https://ow.ly/fMK550Rfsoi #ProtivitiTech

Reply on Twitter 1780204913663873376 Retweet on Twitter 1780204913663873376 Like on Twitter 1780204913663873376 Twitter 1780204913663873376
protivititech Protiviti Technology @protivititech ·
15 Apr

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! https://ow.ly/hzrG50R4fTX #ProtivitiTech #DataPrivacy

Reply on Twitter 1779872392535212145 Retweet on Twitter 1779872392535212145 2 Like on Twitter 1779872392535212145 1 Twitter 1779872392535212145
protivititech Protiviti Technology @protivititech ·
12 Apr

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. https://ow.ly/q3w550RfbXm #ProtivitiTech #TechnologyInsights

Reply on Twitter 1778890996282982442 Retweet on Twitter 1778890996282982442 Like on Twitter 1778890996282982442 Twitter 1778890996282982442
Load More