GDPR: Here’s What’s Happened So Far

After four years of preparations and numerous revisions, the General Data Protection Regulation (GDPR), the most-lobbied piece of legislation in the history of the European Union, was finally approved by the EU Parliament in April 2016. Following a two-year transitional period, GDPR became enforceable on May 25, 2018.

Within hours of the regulation taking effect, popular U.S. news sites were blocked for European readers. Those owned by Tronc, Inc. (including the Chicago Tribune, the Los Angeles Times, the Baltimore Sun and others) and Lee Enterprises (which operates in 21 states and owns 46 newspapers) appeared unavailable to most European site visitors.

Meanwhile, Twitter suspended multiple accounts whose declared date of birth showed that the user had been underage when the account was created, even where that user is now well over 18.

Max Schrems, an Austrian privacy campaigner, filed multibillion-dollar complaints against Facebook (and its subsidiaries) and Google. Three separate complaints worth 3.9 billion euros in all were filed against Facebook, Instagram and WhatsApp on May 25 in Austria, Germany and Belgium. A complaint seeking 3.7 billion euros in damages was separately filed against Google’s Android platform with CNIL, the French privacy regulator. The basis of the complaints is that these companies force users to agree to their policies on a take-it-or-leave-it basis.

The companies have disputed the charges, claiming that they have taken appropriate measures to comply with the regulation. Google said, “We build privacy and security into our products from the very earliest stages and are committed to complying with the EU GDPR.” Facebook responded to the complaints in a similar vein, saying the company had prepared for the past 18 months to ensure that it meets the requirements of GDPR.

The series of complaints against tech companies didn’t stop there. On May 28, La Quadrature du Net, a French digital rights group, filed seven complaints with CNIL against Google, Facebook, Apple, Amazon and LinkedIn. La Quadrature had begun collecting complainants around six weeks before the GDPR enforcement date. In that short time, over 12,000 people joined the collective complaints, which are based on the general concept of forced consent.

Other Developments

  • Marc Benioff, CEO of Salesforce, called for a law similar to GDPR in the United States. “What we need is a national privacy law, and that will really not just protect the tech industry; it’s going to protect all the consumers,” he said. “Ultimately, it’s going to protect our kids, which is really what this is all about, because we know that all these companies are looking to bring kids into their social networks as well.” On the other hand, IBM has been vocal about lighter regulation on privacy. Christopher Padilla, IBM’s vice president of government and regulatory affairs, recently said in an interview that “GDPR may work for Europe, but that doesn’t mean it should become a global standard.”
  • While GDPR was settling in, California’s “mini-GDPR” was enacted in June – proclaiming itself a “game-changer for the United States.” Meanwhile, Vermont passed a new law that, although very limited by comparison to California’s law, requires data brokers to register with the state to ensure that security measures are updated and to inform relevant authorities in the event of a data breach.
  • Adding to the avalanche of events, members of the European Parliament’s civil liberties committee questioned the EU-U.S. Privacy Shield (the framework governing transfers of personal data between the two jurisdictions for commercial purposes), urging full compliance with GDPR by September 1, 2018. For these committee members, the Facebook-Cambridge Analytica data breach was apparently the last straw. Whether the resolution, which is legally nonbinding, will affect the framework is unclear, but it adds pressure on EU regulators dealing with the U.S. and certainly does not take away from the GDPR drama unfolding around the globe.
  • Finally, the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which was enacted into law in the U.S. on March 23, 2018, allows U.S. law enforcement orders issued under the Stored Communications Act (SCA) to reach certain cloud data located in other countries under certain circumstances, such as when foreign governments enter into bilateral agreements with the U.S. (within limits and restrictions). How such agreements will be structured in the context of GDPR is unclear.

It’s difficult to say at this time how the flurry of GDPR-inspired privacy regulations will sort itself out. However, one thing we can state with confidence is that the time has arrived for privacy and security to move from the back room to the board room. The various pieces of legislation that have been passed, or are being considered or drafted, are likely to shape the data protection landscape for decades to come. The exposure to fines and penalties for noncompliance is too severe to ignore. Accordingly, organizations should follow developments closely, anticipating and preparing for far more scrutiny of their data-security practices than many are used to.

We have covered, and will continue to cover, data-privacy issues on our blog. Also check out the GDPR resources page on our website. Your questions and comments are welcome.

Diana Candela

Associate Director
Technology Consulting – Security and Privacy
