“Chaotic, Opaque” GDPR Rollout Has Tech Companies Holding Their Breath

It’s the most sweeping and aggressive set of data-privacy rules to ever come out of the European Union—but no one’s quite sure how it’s supposed to work.

European Parliament President Antonio Tajani walks with Facebook CEO Mark Zuckerberg upon his arrival at the EU Parliament in Brussels on Tuesday. European Union lawmakers plan to press Zuckerberg on Tuesday about data-protection standards at the internet giant at a hearing focused on a scandal over the alleged misuse of the personal information of millions of people.
AP Photo/Geert Vanden Wijngaert
May 23, 2018, 8 p.m.

When the European Union’s General Data Protection Regulation finally goes into effect on Friday, it will represent a sea change for digital privacy and one of the most vigorous attempts ever made by regulators to rein in the data practices of global tech platforms.

But that’s about all anyone knows for sure about the implementation of the sprawling new data-privacy framework. Though just hours remain until companies are expected to comply with the new rules or face crippling financial penalties, experts on both sides of the Atlantic say a morass of vague instructions and open-ended orders means organizations trafficking in consumer data have almost no way of knowing whether they’ll be targeted.

“I’ve been practicing 20 years, and this is the most chaotic and opaque—and potentially draconian—law that I can recall,” said Philip Yannella, the head lawyer at Ballard Spahr’s privacy and data-security group. “It’s so sweeping, there are so many unanswered questions, the potential consequences are so high—I haven’t seen anything like this before.”

In what’s seen as a sharp rebuke to the cavalier privacy practices of American firms—particularly Silicon Valley giants like Facebook and Google—the GDPR is designed to wrest control of personal data away from corporations and put it into the hands of the consumers themselves.

Among a slew of other provisions, organizations that collect personal data—a term that’s defined much more expansively under EU law—will now be required to promptly erase, correct, or deliver that data to an individual at his or her request. Any company with customers in the EU will be obligated to comply, and mistakes or delays could draw penalties as high as 4 percent of annual revenue or 20 million euros—whichever is higher.

But experts advising vulnerable companies say there’s still widespread confusion on some key aspects of the GDPR and how organizations are expected to comply. That includes the extraterritorial reach of the law, how far the so-called “right of erasure” goes, the types of incidental data-tracking that may be covered, the rules when advertising in a language used by Europeans, and the extent to which firms will need to have dedicated representatives for when EU regulators come knocking.

There are also dozens of requirements that have yet to be solidified and remain up to the discretion of individual EU member states. And countries like Italy, Hungary, and Slovenia have yet to shoehorn the rules into their own legal frameworks, making it harder to anticipate how the rules will be enforced in those regions.

“It’s creating a lot of anxiety and fear,” said Alison Cool, an assistant professor of anthropology and information science at the University of Colorado, Boulder. “There’s no way to really know if what you’re doing is 100 percent in compliance.”

But though it remains difficult to predict exactly what GDPR enforcement will look like, there is an expectation that one or two obvious American targets will quickly find themselves in the crosshairs.

Come Friday, experts predict, privacy and digital activists will hit Facebook and Google with a deluge of personal-data requests. EU regulators have tangled with both companies before. And if they, or other high-profile American firms, are slow to comply with the requests, there’s a belief that regulators won’t hesitate to make an early example out of them.

“I think it could be argued that certain companies have played a rather fast-and-loose game with personal data, and as such have earned the enmity of some of the data-protection officials,” said Richard Purcell, a data-privacy consultant and a former chief privacy officer at Microsoft. “And they might find themselves being scrutinized pretty carefully.”

The sense that American tech companies are uniquely at risk under the GDPR is widely shared by data-privacy experts. It’s not just that they often dominate the European marketplace; to many EU regulators, there’s a sense that U.S. companies have thumbed their nose at Europe’s privacy culture for too long.

“The regulators who I’ve heard talk—and I was at several privacy conferences this spring—they all talk as if they’re itching for the chance to help we Americans understand what it means to protect a basic human right,” said Tom Pendergast, the chief strategist at privacy-consulting firm MediaPro. “There does seem to be a chip on the shoulder of some of these folks.”

Daragh O’Brien, the head of Irish data-privacy consultancy Castlebridge, says it’s only natural that American companies will be targeted. Arguing that singling out U.S. firms is unfair, he said, is “like arguing that laws against lead paint was a way of preventing Chinese toys swamping the market in the 1970s and 1980s.”

O’Brien also said the GDPR’s inherent ambiguity is a feature, not a bug. “There is no right answer, and this is where lawyers get it wrong,” he said.

In contrast to the “black-or-white” regulations in the United States, O’Brien said, the EU will be looking to see a company’s “homework” on data privacy. “You will get brownie points, and regulators will take into consideration the reasoning an organization applied—even if the answer is wrong,” he said.

But to those companies now sitting on their hands and waiting for more clarity—and experts say there are many of them, particularly in the U.S.—O’Brien sounded a word of warning.

“Organizations that are adopting a wait-and-see approach—that know they have problems and are doing nothing—they’ve failed the attitude test,” he said. O’Brien repeatedly stressed that EU regulators will take into account an organization’s “attitude” while cooperating with regulators when determining whether they’re out of compliance and what penalties to levy against them.

Amar Sarwal, the head of advocacy and legal services at the Association of Corporate Counsel in Washington D.C., said that mind-set worries him: “I suspect that even companies that are trying to do the right thing might be worried about significant sanctions at the end of that rainbow—that they might seem overly defensive or protective at that particular moment of enforcement.

“Regulators need a sense of humility,” Sarwal said.
