GDPR: Here’s What’s Happened So Far

After four years of preparations and numerous revisions, the General Data Protection Regulation (GDPR), the most-lobbied piece of legislation in the history of the European Union, was finally approved by the EU Parliament in April 2016. Following a two-year transitional period, GDPR became enforceable on May 25, 2018.

Within hours of the regulation taking affect, popular U.S. news sites were blocked for European readers. Those owned by Tronc, Inc. (including the Chicago Tribune, the Los Angeles Times, the Baltimore Sun and others) and Lee Enterprises (which operates in 21 states and owns 46 newspapers) appeared unavailable to most European site visitors.

Meanwhile, Twitter even blocked users who were underage when they had signed up for the service even though they are well over 18 now. The company suspended multiple accounts of users whose declared date of birth reflected that they were underage when they had signed up for the account.


Max Schrems, an Austrian privacy campaigner, filed multibillion-dollar lawsuits against Facebook (and its subsidiaries) and Google. Three separate complaints worth 3.9 billion euros in all were filed against Facebook, Instagram and WhatsApp on May 25 in Austria, Germany and Belgium. A lawsuit seeking 3.7 billion euros in damages was separately filed against Google’s Android platform with CNIL, the French privacy regulator. The basis of the complaints is that these companies are forcing the users to agree to their policies using a take-it-or-leave-it approach.

The companies have disputed the charges, claiming that they have taken appropriate measures to comply with the regulation. Google said, “We build privacy and security into our products from the very earliest stages and are committed to complying with the EU GDPR.” Facebook responded to the complaints in a similar vein, saying the company had prepared for the past 18 months to ensure that it meets the requirements of GDPR.

The series of lawsuits against tech companies didn’t stop there. On May 28, La Quadrature du Net, a French digital rights group, filed seven lawsuits with CNIL against Google, Facebook, Apple, Amazon and LinkedIn. La Quad had begun its complaint-collection efforts around six weeks before the GDPR enforcement date. In that short amount of time, they were able to get over 12,000 people to join the collective complaints biased on the general concept of forced consent.

Other Developments

  • Marc Benioff, CEO of Salesforce, called for a law similar to GDPR in the United States. “What we need is a national privacy law, and that will really not just protect the tech industry; it’s going to protect all the consumers,” he said. “Ultimately, it’s going to protect our kids, which is really what this is all about, because we know that all these companies are looking to bring kids into their social networks as well.” On the other hand, IBM has been vocal about lighter regulation on privacy. Christopher Padilla, IBM’s vice president of government and regulatory affairs, recently said in an interview that “GDPR may work for Europe, but that doesn’t mean it should become a global standard.”
  • While GDPR was settling in, California’s “mini-GDPR” was enacted in June – proclaiming itself a “game-changer for the United States.” Meanwhile, Vermont passed a new law that, although very limited by comparison to California’s law, requires data brokers to register with the state to ensure that security measures are updated and to inform relevant authorities in the event of a data breach.
  • Adding to the avalanche of events, members of the European Parliament’s civil liberties committee questioned the EU-U.S. Privacy Shield (the framework that controls the exchange of privacy data between the two entities for commercial purposes), urging full compliance with GDPR by September 1, 2018. Apparently for these committee members, that Facebook-Cambridge Analytica data breach was the last drop. Whether the resolution, which is legally nonbinding, will affect the regulation is unclear, but it adds pressure to EU regulators dealing with the U.S. and certainly does not take away from the GDPR drama unfolding around the globe.
  • Finally, the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which was enacted into law in the U.S. on March 23, 2018, allows U.S. law enforcement orders issued under the Stored Communications Act (SCA) to reach certain cloud data located in other countries under certain circumstances, such as when foreign governments enter into bilateral agreements with the U.S. (within limits and restrictions). How such agreements will be structured in the context of GDPR is unclear.

It’s difficult to say at this time how the flurry of GDPR-inspired privacy regulations will sort itself out. However, one thing we can state with confidence is that the time for privacy and security to make a grand entrance from the back room to the board room has arrived. The various legislation that is being considered or passed or is underway is likely to impact the known data protection landscape for decades to come. The exposure to fines and penalties for noncompliance is too severe to ignore. Accordingly, organizations should be following developments closely with an eye toward anticipating and preparing for a lot more scrutiny of their data-security practices than many are used to.

We have covered, and will continue to cover, data-privacy issues on our blog. Also check out the GDPR resources page on our website. Your questions and comments are welcome.

Diana Candela

Associate Director
Technology Consulting – Security and Privacy

Subscribe to Topics

As businesses compete for #quantum compute time, things can get complicated. @Strangeworks provides shorter queue times and cost and access control for customers. Join @KonstantHacker as he chats on this with Cesar Rodriguez from @Strangeworks.

Read this #SAP Blog to learn five considerations that have improved #ROI for our clients, highlight new ways of working and the art of the possible in the organization’s future #S4HANA system compared to ECC 6.x systems.

#ProtivitiTech #analytics #cloud

The intersection of #5G and #edgecomputing technologies will reinvent industries, change the way #security is implemented and revolutionize business operations. Learn in #Technology Insights why 5G and edge computing impacts approaches to security:

Digitally transforming business with #Dynamics365 CE provides organizations with easy configuration and #integration with other #Microsoft products, fewer post-deployment issues and can be accessed anywhere. Read more in the #Technology Insights blog:

In Protiviti's #cybersecurity #webinar series, learn insights from the effectiveness of crisis management response in #ransomware attacks to articulating core concepts of #zerotrust and the toolsets needed to architect zero trust. Explore sessions here:

Load More...