Why complying with GDPR should matter to you…

By Angela Polania

The Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27th, 2016, commonly known as General Data Protection Regulation (GDPR), aims to protect the privacy of European Union (EU) citizens by giving them control over their personal data. Protecting privacy helps individuals maintain their autonomy and individuality, and for Europeans, it is considered a basic human right.

The law became effective on May 25th, 2018, giving organizations ample time to plan and progressively adhere to the 99 articles of the law. Yet in the United States many companies were uncertain of its worldwide applicability and enforcement. Those with no European presence decided to wait and see how it would unfold, and some with no presence but active business with Europeans opted for a minimum effort that provided the appearance of compliance, while ultimately waiting to see what would happen.

As for what we can expect, we can glimpse into the future by reviewing the previous directive, the 1998 Data Protection Act (DPA), under which the remaining data loss cases have been concluded this year. Some DPA examples in the UK are Heathrow Airport, penalized with a £120,000 fine for failing to secure travelers’ personal data on its network after the loss of a USB stick; the UK branch of Equifax, fined £500,000 for its part in the massive US breach last year; and Facebook, fined £500,000 over the Cambridge Analytica breach. All of them had a presence in Europe, particularly in the UK, but the cases show the attention to detail (Heathrow Airport) and the holistic approach to responsibility (Equifax, Facebook) that regulators expect.

Any new cases will fall under GDPR, as it replaces the DPA, with companies potentially facing fines of up to €20 million or 4% of the company’s global annual turnover for the previous financial year, whichever is higher; in any case, much higher than the “slap on the wrist” that DPA penalties were.

The global reach of GDPR has only just begun, with European and international organizations starting to face cases against them under GDPR, as the various European Supervisory Authorities (SA) have assumed their responsibilities diligently. Shortly after GDPR became effective, a regional court in Germany filed a case against ICANN over “WHOIS domain data,” which contains personally identifying information (name, email address, physical address, phone number, etc.) of the companies and/or individuals that have registered a given domain.

In another, more recent example, a Portuguese hospital was fined €400,000, even though it claimed in its defense that it uses the IT system provided to public hospitals by the Portuguese Health Ministry. The National Commission for Data Protection (Commission Nationale pour la Protection des Données – CNPD), an independent authority created by the Act of August 2nd, 2002 on the protection of individuals regarding the processing of personal data, decided that it was the hospital’s responsibility to ensure that the IT system it uses complies with GDPR. These examples show that no excuses will be accepted; companies (controllers as well as processors) are solely responsible for their actions.

The regulation has also started extending its reach to businesses worldwide, including those with no presence in the EU. The UK Information Commissioner’s Office (ICO) issued the first case against a company with no presence in the EU when, in July, it filed an enforcement notice against AggregateIQ Data Services Ltd, a Canadian political consultancy and technology company based in Victoria, British Columbia, for GDPR non-compliance (in connection with the ICO’s investigations into the use of data analytics in political campaigns).

Furthermore, privacy advocacy organizations are taking an active role in denouncing companies that are not in compliance with GDPR. Max Schrems, Austrian activist and author, filed the first cases under GDPR against Facebook and Google, and more recently, in November, Privacy International filed complaints against seven data brokers (Acxiom, Oracle), ad-tech companies (Criteo, Quantcast, Tapad), and credit referencing agencies (Equifax, Experian) with data protection authorities in France, Ireland, and the UK.

The United States does not have a generally applicable privacy regulation, with notable exceptions in the health care and banking industries, and consumers have, for the most part, chosen or been forced to provide sensitive data to companies in exchange for free or reduced-cost services. These factors have created, for companies, the sense that the practice is acceptable because everyone does it and consumers have accepted it by using the services, and the belief that GDPR does not apply to them here in the United States.

A word of caution: if a US company holds Europeans’ personal information, that company is subject to GDPR. If a company thinks that, because it has no offices in Europe, the European Court of Justice (ECJ) will not be able to enforce fines, note that Article 27 of the GDPR requires companies without operations in the EU to appoint an EU representative. If that doesn’t happen, the ECJ will most likely seek local enforcement action through mutual legal assistance treaties (MLAT).

Even if the US decides not to cooperate with EU judgments, which may be met with a reciprocal lack of cooperation from the EU, the ECJ may still issue a court order naming the officers of the company as personally responsible, and if they fail to comply with the court order, there is a possibility that those named individuals (the company officers) may be arrested for contempt of court.

Furthermore, depending on the relationships and cooperation received, the European Parliament may order European companies to stop doing business with GDPR non-compliant organizations.

A change of mindset is needed in the US when it comes to enforcing personal information protection, particularly in terms of privacy. Businesses, as well as government agencies, have at times experienced the negative effects of too much regulation; however, the cost of not creating a more regulated data privacy environment could prove even higher.

In summary, it behooves US companies to comply with GDPR. One reason is the potential penalties and legal consequences that companies and their officers may face. Another is the massive amount of private data stored by US companies and government agencies, which makes compliance a sound strategic move as well. But the most important reason is that the core intention of GDPR is the protection of personal information to prevent criminal abuse, discrimination, and coercion of individual freedom, and the personal and social cost these can have on people. Because of that, complying with GDPR is also the right thing to do, to protect your customers’ freedom.
