“Chaotic, Opaque” GDPR Rollout Has Tech Companies Holding Their Breath

It’s the most sweeping and aggressive set of data-privacy rules to ever come out of the European Union—but no one’s quite sure how it’s supposed to work.

European Parliament President Antonio Tajani walks with Facebook CEO Mark Zuckerberg upon his arrival at the EU Parliament in Brussels on Tuesday. European Union lawmakers plan to press Zuckerberg on Tuesday about data-protection standards at the internet giant at a hearing focused on a scandal over the alleged misuse of the personal information of millions of people.
AP Photo/Geert Vanden Wijngaert
Brendan Bordelon
May 23, 2018, 8 p.m.

When the European Union’s General Data Protection Regulation finally goes into effect on Friday, it will represent a sea change for digital privacy and one of the most vigorous attempts ever made by regulators to rein in the data practices of global tech platforms.

But that’s about all anyone knows for sure about the implementation of the sprawling new data-privacy framework. Though just hours remain until companies are expected to comply with the new rules or face crippling financial penalties, experts on both sides of the Atlantic say a morass of vague instructions and open-ended orders means organizations trafficking in consumer data have almost no way of knowing whether they’ll be targeted.

“I’ve been practicing 20 years, and this is the most chaotic and opaque—and potentially draconian—law that I can recall,” said Philip Yannella, the head lawyer at Ballard Spahr’s privacy and data-security group. “It’s so sweeping, there are so many unanswered questions, the potential consequences are so high—I haven’t seen anything like this before.”

In what’s seen as a sharp rebuke to the cavalier privacy practices of American firms—particularly Silicon Valley giants like Facebook and Google—the GDPR is designed to wrest control of personal data away from corporations and put it into the hands of the consumers themselves.

Among a slew of other provisions, organizations that collect personal data—a term that’s defined much more expansively under EU law—will now be required to promptly erase, correct, or deliver that data to an individual at his or her request. Any company with customers in the EU will be obligated to comply, and mistakes or delays could draw penalties as high as 4 percent of annual revenue or 20 million euros—whichever is higher.

But experts advising vulnerable companies say there’s still widespread confusion on some key aspects of the GDPR and how organizations are expected to comply. That includes the extraterritorial reach of the law, how far the so-called “right of erasure” goes, the types of incidental data-tracking that may be covered, the rules when advertising in a language used by Europeans, and the extent to which firms will need to have dedicated representatives for when EU regulators come knocking.

There are also dozens of requirements that have yet to be solidified and remain up to the discretion of individual EU member states. And countries like Italy, Hungary, and Slovenia have yet to shoehorn the rules into their own legal frameworks, making it harder to anticipate how the rules will be enforced in those regions.

“It’s creating a lot of anxiety and fear,” said Alison Cool, an assistant professor of anthropology and information science at the University of Colorado, Boulder. “There’s no way to really know if what you’re doing is 100 percent in compliance.”

But though it remains difficult to predict exactly what GDPR enforcement will look like, there is an expectation that one or two obvious American targets will quickly find themselves in the crosshairs.

Come Friday, experts predict, privacy and digital activists will hit Facebook and Google with a deluge of personal-data requests. EU regulators have tangled with both companies before. And if they, or other high-profile American firms, are slow to comply with the requests, there’s a belief that regulators won’t hesitate to make an early example out of them.

“I think it could be argued that certain companies have played a rather fast-and-loose game with personal data, and as such have earned the enmity of some of the data-protection officials,” said Richard Purcell, a data-privacy consultant and a former chief privacy officer at Microsoft. “And they might find themselves being scrutinized pretty carefully.”

The sense that American tech companies are uniquely at risk under the GDPR is widely shared by data-privacy experts. It’s not just that they often dominate the European marketplace; to many EU regulators, there’s a sense that U.S. companies have thumbed their nose at Europe’s privacy culture for too long.

“The regulators who I’ve heard talk—and I was at several privacy conferences this spring—they all talk as if they’re itching for the chance to help us Americans understand what it means to protect a basic human right,” said Tom Pendergast, the chief strategist at privacy-consulting firm MediaPro. “There does seem to be a chip on the shoulder of some of these folks.”

Daragh O’Brien, the head of Irish data-privacy consultancy Castlebridge, says it’s only natural that American companies will be targeted. Arguing that singling out U.S. firms is unfair, he said, is “like arguing that laws against lead paint were a way of preventing Chinese toys swamping the market in the 1970s and 1980s.”

O’Brien also said the GDPR’s inherent ambiguity is a feature, not a bug. “There is no right answer, and this is where lawyers get it wrong,” he said.

In contrast to the “black-or-white” regulations in the United States, O’Brien said, the EU will be looking to see a company’s “homework” on data privacy. “You will get brownie points, and regulators will take into consideration the reasoning an organization applied—even if the answer is wrong,” he said.

But to those companies now sitting on their hands and waiting for more clarity—and experts say there are many of them, particularly in the U.S.—O’Brien sounded a word of warning.

“Organizations that are adopting a wait-and-see approach—that know they have problems and are doing nothing—they’ve failed the attitude test,” he said. O’Brien repeatedly stressed that EU regulators will weigh an organization’s “attitude” in its dealings with them when determining whether it is out of compliance and what penalties to levy against it.

Amar Sarwal, the head of advocacy and legal services at the Association of Corporate Counsel in Washington D.C., said that mind-set worries him: “I suspect that even companies that are trying to do the right thing might be worried about significant sanctions at the end of that rainbow—that they might seem overly defensive or protective at that particular moment of enforcement.

“Regulators need a sense of humility,” Sarwal said.
