The EU Has Put GDPR in Place, Now What?
On 25 May 2018, the European Commission’s much anticipated General Data Protection Regulation (GDPR) came into force, bringing with it a host of changes to the way personal data is regulated in the EU. Heralded by many as the biggest data privacy shake up since the invention of the Internet, global awareness of the new rules hit an all-time high (and eclipsed Beyoncé in Google searches) in the weeks leading up to the deadline, as many companies scrambled to gather consent from users across the globe in an effort to be compliant.
While some consider that the jury is still out as to whether many of these emails were necessary, social media appears to have already made its judgement, reacting swiftly with a collection of memes mocking the consent requests. Aside from record levels of awareness of what was once an obscure European regulation, many are wondering: what comes next? While considering this question it is worth noting that in addition to giving individuals greater control over their data, from their right to know what data exists, to how it is used, to requesting that it be erased, to asking for it to be moved, the new rules also establish new powers for Europe’s 28 national Data Protection Authorities (DPAs).
These new powers mean that any actor found to be in breach of the GDPR could face fines of €20 million or up to 4% of their annual worldwide turnover. These powers have come still mere weeks following the Facebook/Cambridge Analytica scandal and have had digital rights and consumer protection organisations eagerly awaiting the reinforced teeth given to national regulators. True to promises made by the organisation founded by Austrian lawyer and privacy activist Max Schrems, NOYB (None of Your Business) filed multiple GDPR complaints against large U.S. tech operators across DPAs in France, Belgium, Germany and Austria at 7am on 25 May. Further to these actions, around which some press activity was launched, a number of other organisations are expected to follow suit. What will come of these actions is hard for the moment to judge, when the vast majority of EU Member States has still not managed to fully implement the new rules and some DPAs continue to voice concerns about a lack of human resources to help enforce the new rules. Indeed, in September last year the International Association of Privacy Professionals (IAPP) has called some DPAs “desperate for GDPR resourcing” and many have not seen their finances improve in 2018.
Meanwhile, the EU is expected to continue communicating about the new rules and what they’ve been able to deliver to EU citizens ahead of the European elections scheduled to take place in May 2019. EU officials will be keen to demonstrate the power of this tool and any opportunity that presents itself to prove that it’s about more than just SPAM will be eagerly embraced. EU policy experts and self-proclaimed data protection geeks are keeping a close eye on the news — the next large scale data breach involving EU citizens will certainly show us how strong the arm of the law really is.
For new business inquiries, please contact Christy Schmidt, christy.schmidt@webershandwick.com.
