“Chaotic, Opaque” GDPR Rollout Has Tech Companies Holding Their Breath

It’s the most sweeping and aggressive set of data-privacy rules to ever come out of the European Union—but no one’s quite sure how it’s supposed to work.

European Parliament President Antonio Tajani walks with Facebook CEO Mark Zuckerberg upon his arrival at the EU Parliament in Brussels on Tuesday. European Union lawmakers plan to press Zuckerberg on Tuesday about data-protection standards at the internet giant at a hearing focused on a scandal over the alleged misuse of the personal information of millions of people.
AP Photo/Geert Vanden Wijngaert
May 23, 2018, 8 p.m.

When the European Union’s General Data Protection Regulation finally goes into effect on Friday, it will represent a sea change for digital privacy and one of the most vigorous attempts ever made by regulators to rein in the data practices of global tech platforms.

But that’s about all anyone knows for sure about the implementation of the sprawling new data-privacy framework. Though just hours remain until companies are expected to comply with the new rules or face crippling financial penalties, experts on both sides of the Atlantic say a morass of vague instructions and open-ended orders means organizations trafficking in consumer data have almost no way of knowing whether they’ll be targeted.

“I’ve been practicing 20 years, and this is the most chaotic and opaque—and potentially draconian—law that I can recall,” said Philip Yannella, the head lawyer at Ballard Spahr’s privacy and data-security group. “It’s so sweeping, there are so many unanswered questions, the potential consequences are so high—I haven’t seen anything like this before.”

In what’s seen as a sharp rebuke to the cavalier privacy practices of American firms—particularly Silicon Valley giants like Facebook and Google—the GDPR is designed to wrest control of personal data away from corporations and put it into the hands of the consumers themselves.

Among a slew of other provisions, organizations that collect personal data—a term that’s defined much more expansively under EU law—will now be required to promptly erase, correct, or deliver that data to an individual at his or her request. Any company with customers in the EU will be obligated to comply, and mistakes or delays could draw penalties as high as 4 percent of annual revenue or 20 million euros—whichever is higher.

But experts advising vulnerable companies say there’s still widespread confusion on some key aspects of the GDPR and how organizations are expected to comply. That includes the extraterritorial reach of the law, how far the so-called “right of erasure” goes, the types of incidental data-tracking that may be covered, the rules when advertising in a language used by Europeans, and the extent to which firms will need to have dedicated representatives for when EU regulators come knocking.

There are also dozens of requirements that have yet to be solidified and remain up to the discretion of individual EU member states. And countries like Italy, Hungary, and Slovenia have yet to shoehorn the rules into their own legal frameworks, making it harder to anticipate how the rules will be enforced in those regions.

“It’s creating a lot of anxiety and fear,” said Alison Cool, an assistant professor of anthropology and information science at the University of Colorado, Boulder. “There’s no way to really know if what you’re doing is 100 percent in compliance.”

But though it remains difficult to predict exactly what GDPR enforcement will look like, there is an expectation that one or two obvious American targets will quickly find themselves in the crosshairs.

Come Friday, experts predict, privacy and digital activists will hit Facebook and Google with a deluge of personal-data requests. EU regulators have tangled with both companies before. And if they, or other high-profile American firms, are slow to comply with the requests, there’s a belief that regulators won’t hesitate to make an early example out of them.

“I think it could be argued that certain companies have played a rather fast-and-loose game with personal data, and as such have earned the enmity of some of the data-protection officials,” said Richard Purcell, a data-privacy consultant and a former chief privacy officer at Microsoft. “And they might find themselves being scrutinized pretty carefully.”

The sense that American tech companies are uniquely at risk under the GDPR is widely shared by data-privacy experts. It’s not just that they often dominate the European marketplace; to many EU regulators, there’s a sense that U.S. companies have thumbed their nose at Europe’s privacy culture for too long.

“The regulators who I’ve heard talk—and I was at several privacy conferences this spring—they all talk as if they’re itching for the chance to help we Americans understand what it means to protect a basic human right,” said Tom Pendergast, the chief strategist at privacy-consulting firm MediaPro. “There does seem to be a chip on the shoulder of some of these folks.”

Daragh O’Brien, the head of Irish data-privacy consultancy Castlebridge, says it’s only natural that American companies will be targeted. Arguing that singling out U.S. firms is unfair, he said, is “like arguing that laws against lead paint was a way of preventing Chinese toys swamping the market in the 1970s and 1980s.”

O’Brien also said the GDPR’s inherent ambiguity is a feature, not a bug. “There is no right answer, and this is where lawyers get it wrong,” he said.

In contrast to the “black-or-white” regulations in the United States, O’Brien said, the EU will be looking to see a company’s “homework” on data privacy. “You will get brownie points, and regulators will take into consideration the reasoning an organization applied—even if the answer is wrong,” he said.

But to those companies now sitting on their hands and waiting for more clarity—and experts say there are many of them, particularly in the U.S.—O’Brien sounded a word of warning.

“Organizations that are adopting a wait-and-see approach—that know they have problems and are doing nothing—they’ve failed the attitude test,” he said. O’Brien repeatedly stressed that EU regulators will take into account an organization’s “attitude” while cooperating with regulators when determining whether they’re out of compliance and what penalties to levy against them.

Amar Sarwal, the head of advocacy and legal services at the Association of Corporate Counsel in Washington D.C., said that mind-set worries him: “I suspect that even companies that are trying to do the right thing might be worried about significant sanctions at the end of that rainbow—that they might seem overly defensive or protective at that particular moment of enforcement.

“Regulators need a sense of humility,” Sarwal said.
