“Chaotic, Opaque” GDPR Rollout Has Tech Companies Holding Their Breath

It’s the most sweeping and aggressive set of data-privacy rules to ever come out of the European Union—but no one’s quite sure how it’s supposed to work.

European Parliament President Antonio Tajani walks with Facebook CEO Mark Zuckerberg upon his arrival at the EU Parliament in Brussels on Tuesday. European Union lawmakers plan to press Zuckerberg on Tuesday about data-protection standards at the internet giant at a hearing focused on a scandal over the alleged misuse of the personal information of millions of people.
AP Photo/Geert Vanden Wijngaert
May 23, 2018, 8 p.m.

When the European Union’s General Data Protection Regulation finally goes into effect on Friday, it will represent a sea change for digital privacy and one of the most vigorous attempts ever made by regulators to rein in the data practices of global tech platforms.

But that’s about all anyone knows for sure about the implementation of the sprawling new data-privacy framework. Though just hours remain until companies are expected to comply with the new rules or face crippling financial penalties, experts on both sides of the Atlantic say a morass of vague instructions and open-ended orders means organizations trafficking in consumer data have almost no way of knowing whether they’ll be targeted.

“I’ve been practicing 20 years, and this is the most chaotic and opaque—and potentially draconian—law that I can recall,” said Philip Yannella, the head lawyer at Ballard Spahr’s privacy and data-security group. “It’s so sweeping, there are so many unanswered questions, the potential consequences are so high—I haven’t seen anything like this before.”

In what’s seen as a sharp rebuke to the cavalier privacy practices of American firms—particularly Silicon Valley giants like Facebook and Google—the GDPR is designed to wrest control of personal data away from corporations and put it into the hands of the consumers themselves.

Among a slew of other provisions, organizations that collect personal data—a term that’s defined much more expansively under EU law—will now be required to promptly erase, correct, or deliver that data to an individual at his or her request. Any company with customers in the EU will be obligated to comply, and mistakes or delays could draw penalties as high as 4 percent of annual revenue or 20 million euros—whichever is higher.

But experts advising vulnerable companies say there’s still widespread confusion on some key aspects of the GDPR and how organizations are expected to comply. That includes the extraterritorial reach of the law, how far the so-called “right of erasure” goes, the types of incidental data-tracking that may be covered, the rules when advertising in a language used by Europeans, and the extent to which firms will need to have dedicated representatives for when EU regulators come knocking.

There are also dozens of requirements that have yet to be solidified and remain up to the discretion of individual EU member states. And countries like Italy, Hungary, and Slovenia have yet to shoehorn the rules into their own legal frameworks, making it harder to anticipate how the rules will be enforced in those regions.

“It’s creating a lot of anxiety and fear,” said Alison Cool, an assistant professor of anthropology and information science at the University of Colorado, Boulder. “There’s no way to really know if what you’re doing is 100 percent in compliance.”

But though it remains difficult to predict exactly what GDPR enforcement will look like, there is an expectation that one or two obvious American targets will quickly find themselves in the crosshairs.

Come Friday, experts predict, privacy and digital activists will hit Facebook and Google with a deluge of personal-data requests. EU regulators have tangled with both companies before. And if they, or other high-profile American firms, are slow to comply with the requests, there’s a belief that regulators won’t hesitate to make an early example out of them.

“I think it could be argued that certain companies have played a rather fast-and-loose game with personal data, and as such have earned the enmity of some of the data-protection officials,” said Richard Purcell, a data-privacy consultant and a former chief privacy officer at Microsoft. “And they might find themselves being scrutinized pretty carefully.”

The sense that American tech companies are uniquely at risk under the GDPR is widely shared by data-privacy experts. It’s not just that they often dominate the European marketplace; to many EU regulators, there’s a sense that U.S. companies have thumbed their nose at Europe’s privacy culture for too long.

“The regulators who I’ve heard talk—and I was at several privacy conferences this spring—they all talk as if they’re itching for the chance to help we Americans understand what it means to protect a basic human right,” said Tom Pendergast, the chief strategist at privacy-consulting firm MediaPro. “There does seem to be a chip on the shoulder of some of these folks.”

Daragh O’Brien, the head of Irish data-privacy consultancy Castlebridge, says it’s only natural that American companies will be targeted. Arguing that singling out U.S. firms is unfair, he said, is “like arguing that laws against lead paint was a way of preventing Chinese toys swamping the market in the 1970s and 1980s.”

O’Brien also said the GDPR’s inherent ambiguity is a feature, not a bug. “There is no right answer, and this is where lawyers get it wrong,” he said.

In contrast to the “black-or-white” regulations in the United States, O’Brien said, the EU will be looking to see a company’s “homework” on data privacy. “You will get brownie points, and regulators will take into consideration the reasoning an organization applied—even if the answer is wrong,” he said.

But to those companies now sitting on their hands and waiting for more clarity—and experts say there are many of them, particularly in the U.S.—O’Brien sounded a word of warning.

“Organizations that are adopting a wait-and-see approach—that know they have problems and are doing nothing—they’ve failed the attitude test,” he said. O’Brien repeatedly stressed that EU regulators will take into account an organization’s “attitude” in cooperating with them when determining whether it is out of compliance and what penalties to levy against it.

Amar Sarwal, the head of advocacy and legal services at the Association of Corporate Counsel in Washington D.C., said that mind-set worries him: “I suspect that even companies that are trying to do the right thing might be worried about significant sanctions at the end of that rainbow—that they might seem overly defensive or protective at that particular moment of enforcement.

“Regulators need a sense of humility,” Sarwal said.
