GDPR in full force days after deadline

Facebook co-founder Mark Zuckerberg poses a question during the CEO Summit. (Official White House Photo by Pete Souza)

The GDPR is, at the time of writing, exactly 6 days old and some of the online giants, namely Google and Facebook, are already facing their first GDPR lawsuits. Facebook, for example, has been hit by three complaints in Austria, Belgium and Germany. The social media giant, including its subsidiaries WhatsApp and Instagram, is being sued for €3.9 billion under the accusation that it forced its users into giving consent to access certain services. Under the GDPR, consent must be freely given, so there must be a clear choice. If you compel consent by linking it to the receipt of a benefit, such as a research piece, that consent is likely not valid.

However, the premise for Facebook & Co is simple: their online services have their terms of use; if you don’t agree with them, you can’t use them. The complaints from Austria, Belgium and Germany state that this is not a free choice as intended under the GDPR, as people who do not agree with the terms of service just get blocked. The complainant and main man behind these lawsuits is Austrian privacy advocate Max Schrems. Allegedly, Schrems also filed a separate complaint against Google with the same arguments.

Schrems has been fighting Facebook over data protection for almost a decade. His earlier lawsuit successfully challenged Facebook’s ability to transfer data from the European Union to the United States.

From Friday 25 May 2018, European data regulators can impose fines of up to 4% of global annual revenue each time the companies run afoul of the new law.

“There is no grace period,” says James Dipple-Johnstone, the deputy commissioner of the UK’s data protection authority. “We will be looking at the algorithms they use to profit off data to make sure they are fair,” he added.

Internet companies that track users online, regardless of whether it is for shopping, banking or other reasons, are set to face significant scrutiny. The new rules require that they have specific justification, such as consent, for using personal information. Microsoft said this week it would apply European data rights to all its clients worldwide. CEO of Microsoft, Satya Nadella, said on Thursday that “with GDPR, we will now have to operate recognizing that privacy is a human right”. 

In addition to the first lawsuits, many US websites, especially news websites, such as The LA Times, The New York Daily News and Chicago Times, were taken offline in most European countries in response to the GDPR coming into effect. The reason is that their publishers did not want to tussle with the GDPR and potential lawsuits and fines for non-compliance. The question of whether being denied access to information because of a bureaucratic regulation is fair has yet to be answered. However, these cases show that the admirable objective of protecting people’s data can have the unforeseen consequence of cutting access to foreign media. As a result, it seems like the EU – through the enforcement of the GDPR – is cutting itself off from the US.

America also fears the new European data laws could significantly disrupt trade between the EU and the US and threaten the international fight against terror. Wilbur Ross, US Commerce Secretary, hit back at the EU’s new data protection laws, saying they could majorly interrupt transatlantic co-operation and create unnecessary barriers to trade, not only for the US, but for anyone outside the EU. In his interview with the Financial Times, Ross explained that complying with the GDPR exacts a significant cost, especially for small and medium-sized companies and consumers who rely on digital services. The GDPR also significantly threatens the fight against terror as the new data rules make it a lot more challenging for anyone to discover who is responsible for websites promoting terrorism. Furthermore, the new data laws also raise a concern for law enforcement and intellectual property rights by restricting access to publicly available internet domain name registration data.

However, it is also important to look at what the real aim of the GDPR is. According to Bart McDonough, CEO of Agio, and Tim Armstrong, CEO of Oath, it is crucial to remember that the positive outcome of the enforcement of the new data rules should be that the data lands in the hands of the consumer so that consumers essentially have full access and control over the data that companies hold about them. The ultimate goal of the GDPR has always been to put the consumer in power.

Although 25 May 2018 was only the starting point of the GDPR, with all the regulation, all the governance and all the oversight coming into effect, it cannot be forgotten that the fines are pretty significant and the regulatory bodies in all EU Member States, like the ICO in the UK, can and will enforce the new rules upon us without any delay.

The GDPR is much bigger than a lot of people realise; its scope covers almost everything you do. If you haven’t yet made sure that your Firm’s policies and procedures are compliant with the GDPR, the time to do so is now. If you do need assistance with the GDPR, we’ve created a practical, all-encompassing Impact Assessment tool to help you evaluate your GDPR compliance and recognise areas that represent a higher risk of non-compliance. We’ve also created Template Policies, which you can customise independently to make sure your Firm’s policies are aligned with the GDPR requirements. These policies can be stored and any changes audit trailed within Laven’s Digital Compliance Assistant (DCA) software.
