Aftermath of EU’s Data Privacy Law is Far-Reaching, Profound

With the European Union’s General Data Protection Regulation going into effect, technology companies are flooding email inboxes with updates to privacy policies. Though GDPR currently touts the strictest privacy regulations, Brazil, Japan and South Korea plan to enact their own strict laws. The EU is encouraging such regulations by tying them to some trade deals and promoting a global approach. The EU and its 28 member countries are also planning to enact stricter enforcement of antitrust laws and tougher tax policies for giant tech companies.

The New York Times reports that Europe’s “proactive stance is a sharp divergence from the United States, which has taken little action over the years in regulating the tech industry.” Under the new GDPR law, “privacy groups [are] preparing class action-style complaints … [and] may put even more legal pressure on companies.”

European_Commission_Exterior

EU officials are also traveling the world to encourage other countries to adopt similarly strict laws. “If we can export this to the world, I will be happy,” said European commissioner in charge of consumer protection and privacy Vera Jourova, who helped draft the GDPR. Last year, Japan “passed a data protection law creating a new independent online privacy board, and Tokyo and Brussels are finalizing the details of a data transfer deal.” Other countries considering or adopting new privacy rules include South Korea and Israel.

To meet the GDPR requirements, Facebook has about 1,000 people updating how users access their own privacy settings. Google is also deploying company resources to comply with the new law. But Silicon Valley is also lobbying to “influence other European regulations before they spread.” Google and Microsoft are among the top five spenders in this effort, “with budgets of about 4.5 million euros, or $5.3 million, each,” according to LobbyFacts. Facebook doubled its lobbying budget to about €2.5 million.

The Wall Street Journal reports that the GDPR is “forcing hundreds of thousands of companies … to change how they gather and handle information about Europeans, even if the companies have no physical footprint in Europe.” According to a Capgemini survey of 1,000 businesses, in March and April, only half of the businesses said they were “fully compliant.”

Munich-based Allianz spent “millions of euros” to get ready, “mobilizing hundreds of privacy experts from 80 subsidiaries to make changes.” “It has been a mammoth task,” said Allianz chief privacy officer Philipp Raether. London-based Bossa Studios said it spent “dozens of thousands of dollars” to bring its 90-employee videogagme company into compliance, only to learn from consultants that it was already GDPR-compliant.

Mastercard, which joined with IBM to set up Truata, an external trust to hold and anonymize data, may no longer be able to show buying trends due to anonymity requirements.

“Companies are struggling with the concrete deliverables — the record of processing activities, the transfer agreements, the notices, the website — because of the sheer volume,” said Covington & Burling partner and data production expert Henriette Tielemans. “But they’re also struggling with the more conceptual approaches, because this is not how we’ve done business so far.”

Related:
The Birth of GDPR: What Is It and What You Need to Know, Forbes, 5/25/18
Blocking 500 Million Users Is Easier Than Complying With GDPR, Fortune, 5/25/18
App Publishers: Here’s a Way to Minimize Ad Revenue Loss From GDPR, VentureBeat, 5/27/18
How GDPR Is Affecting the Games You Love, Engadget, 5/26/18