May 23, 2018, 8 p.m.
When the European Union’s General Data Protection Regulation finally goes into effect on Friday, it will represent a sea change for digital privacy and one of the most vigorous attempts ever made by regulators to rein in the data practices of global tech platforms.
But that’s about all anyone knows for sure about the implementation of the sprawling new data-privacy framework. Though just hours remain until companies are expected to comply with the new rules or face crippling financial penalties, experts on both sides of the Atlantic say a morass of vague instructions and open-ended orders means organizations trafficking in consumer data have almost no way of knowing whether they’ll be targeted.
“I’ve been practicing 20 years, and this is the most chaotic and opaque—and potentially draconian—law that I can recall,” said Philip Yannella, the head lawyer at Ballard Spahr’s privacy and data-security group. “It’s so sweeping, there are so many unanswered questions, the potential consequences are so high—I haven’t seen anything like this before.”
In what’s seen as a sharp rebuke to the cavalier privacy practices of American firms—particularly Silicon Valley giants like Facebook and Google—the GDPR is designed to wrest control of personal data away from corporations and put it into the hands of the consumers themselves.
Among a slew of other provisions, organizations that collect personal data—a term that’s defined much more expansively under EU law—will now be required to promptly erase, correct, or deliver that data to an individual at his or her request. Any company with customers in the EU will be obligated to comply, and mistakes or delays could draw penalties as high as 4 percent of annual revenue or 20 million euros—whichever is higher.
But experts advising vulnerable companies say there’s still widespread confusion on some key aspects of the GDPR and how organizations are expected to comply. That includes the extraterritorial reach of the law, how far the so-called “right of erasure” goes, the types of incidental data-tracking that may be covered, the rules when advertising in a language used by Europeans, and the extent to which firms will need to have dedicated representatives for when EU regulators come knocking.
There are also dozens of requirements that have yet to be solidified and remain up to the discretion of individual EU member states. And countries like Italy, Hungary, and Slovenia have yet to shoehorn the rules into their own legal frameworks, making it harder to anticipate how the rules will be enforced in those regions.
“It’s creating a lot of anxiety and fear,” said Alison Cool, an assistant professor of anthropology and information science at the University of Colorado, Boulder. “There’s no way to really know if what you’re doing is 100 percent in compliance.”
But though it remains difficult to predict exactly what GDPR enforcement will look like, there is an expectation that one or two obvious American targets will quickly find themselves in the crosshairs.
Come Friday, experts predict, privacy and digital activists will hit Facebook and Google with a deluge of personal-data requests. EU regulators have tangled with both companies before. And if they, or other high-profile American firms, are slow to comply with the requests, there’s a belief that regulators won’t hesitate to make an early example out of them.
“I think it could be argued that certain companies have played a rather fast-and-loose game with personal data, and as such have earned the enmity of some of the data-protection officials,” said Richard Purcell, a data-privacy consultant and a former chief privacy officer at Microsoft. “And they might find themselves being scrutinized pretty carefully.”
The sense that American tech companies are uniquely at risk under the GDPR is widely shared by data-privacy experts. It’s not just that they often dominate the European marketplace; to many EU regulators, there’s a sense that U.S. companies have thumbed their nose at Europe’s privacy culture for too long.
“The regulators who I’ve heard talk—and I was at several privacy conferences this spring—they all talk as if they’re itching for the chance to help we Americans understand what it means to protect a basic human right,” said Tom Pendergast, the chief strategist at privacy-consulting firm MediaPro. “There does seem to be a chip on the shoulder of some of these folks.”
Daragh O’Brien, the head of Irish data-privacy consultancy Castlebridge, says it’s only natural that American companies will be targeted. Arguing that singling out U.S. firms is unfair, he said, is “like arguing that laws against lead paint was a way of preventing Chinese toys swamping the market in the 1970s and 1980s.”
O’Brien also said the GDPR’s inherent ambiguity is a feature, not a bug. “There is no right answer, and this where lawyers get it wrong,” he said.
In contrast to the “black-or-white” regulations in the United States, O’Brien said, the EU will be looking to see a company’s “homework” on data privacy. “You will get brownie points, and regulators will take into consideration the reasoning an organization applied—even if the answer is wrong,” he said.
But to those companies now sitting on their hands and waiting for more clarity—and experts say there are many of them, particularly in the U.S.—O’Brien sounded a word of warning.
“Organizations that are adopting a wait-and-see approach—that know they have problems and are doing nothing—they’ve failed the attitude test,” he said. O’Brien repeatedly stressed that EU regulators will take into account an organization’s “attitude” while cooperating with regulators when determining whether they’re out of compliance and what penalties to levy against them.
Amar Sarwal, the head of advocacy and legal services at the Association of Corporate Counsel in Washington D.C., said that mind-set worries him: “I suspect that even companies that are trying to do the right thing might be worried about significant sanctions at the end of that rainbow—that they might seem overly defensive or protective at that particular moment of enforcement.
“Regulators need a sense of humility,” Sarwal said.
