Get ready for a GDPR bloodbath — legally speaking, at least.

On May 25, when Europe's General Data Protection Regulation comes online, companies active in Europe will become exposed overnight to the risk of massive fines and costs over data breaches and other privacy-related dangers.

Some firms, like the social media analysis firm Klout or ad tech companies like Drawbridge, have given up before the fight even gets started. Several companies announced in the past few weeks they are ceasing all activities because their data-hungry business models have little chance of surviving in the era of GDPR.

For every other company that relies on collecting data to stay competitive, this is the time to gear up for epic legal battles.

The content of the new rules, which amount to the largest overhaul of global privacy regulations in 20 years, is well-known. But what remains to be seen is exactly what the rules mean, how they will be applied in each country, and what sort of entities are the most exposed to the risk of fines.

“We don't know what the enforcement environment will look like,” said Trevor Hughes, president of the International Association of Privacy Professionals, a trade group. “There's a lot we don't know.”

The scope for exposure to GDPR is vast: from next Friday, Europeans will have the right to ask companies what personal data they hold on them, and demand that the information be deleted from datasets.

Companies will have to ask for approval and consent for using personal information for things like direct marketing.

Settings on online apps and services will have to be privacy-friendly by default and users can ask not to be subject to a decision made by an algorithm.

Companies will have to disclose data breaches to authorities within three days, or face crippling fines.

Privacy activists are already sharpening their knives, ready to use their new rights against corporations starting on Friday. And data protection authorities, which until now have played an obscure role in law enforcement, will wake up with an array of new powers to start wielding.

Here's a list of the companies and sectors that need to be most ready to face a barrage of legal challenges on the morning the GDPR is enforced across the European Union:

Facebook, Google and the rest of Big Tech

Without a doubt, companies like Facebook and Google will be first in line when privacy groups start flexing their newfound muscle and filing legal challenges.

Already, the French NGO Quadrature du Net has an online campaign to gather complaints and launch a class action lawsuit straight away on May 25. The group's target: “GAFAM,” or Google, Apple, Facebook, Amazon and Microsoft.

Privacy activist Max Schrems' NGO “None of Your Business” is focusing on consent, particularly how tech companies require users to sign up to wide-ranging privacy policies if they want to continue accessing these digital services. The aim, Schrems told POLITICO, is to file at least two complaints with various European data protection authorities — but, notably, not the Irish privacy watchdog — to test whether such consent decrees are lawful under the region's new privacy standards.

Schrems has already challenged Facebook before the Irish court several times, one of which led to the infamous “Schrems judgment” that annulled a previous EU-U.S. data transfer agreement known as “safe harbor.” Clearly, Facebook is in his crosshairs again, though he is likely to focus on other tech giants with similar privacy practices.

The value of suing Big Tech is clear, said Arthur Messaud, jurist at Quadrature du Net. “We took the players that are most visible,” he said, adding: “The first step for us is to illustrate what GDPR is, and what the class action system means.”

Facebook's Stephen Deadman, global deputy chief privacy officer, said: “It comes with success that people will target you. We're reacting to make sure we're compliant.” He added: “We're not worried about Max Schrems. He'll do what he'll do.”

Data brokers

While big data companies are the obvious targets for privacy activists looking to take scalps in the new era of privacy enforcement, the whole ecosystem of data-trading companies is also under threat.

Data brokers, who amass and (unlike Facebook or Google) sell large datasets of personal information for direct marketing purposes, are especially likely to get hit with challenges.

These firms gather data — sometimes through physical tracking technologies, sometimes by buying and cleaning up smaller datasets — and sell them to companies that can use it for direct marketing purposes or to complement their own datasets.

“Data brokers' businesses is slimy,” said Andrew Keen, a prominent critic of technology companies. “Data brokers are the vultures of the internet.”

Unlike the tech giants, these data brokers remain largely unknown to the public. The world's largest data brokers selling information to other businesses include companies like Acxiom, Datalogix (owned by tech firm Oracle) and Equifax. The latter might ring a bell, but only because it suffered a huge data breach, revealed earlier this year and affecting 143 million people, mostly in the United States.

The risk for GDPR violations is high, considering the data these companies hold is personal and sometimes sensitive and the conditions under which this data is sold and traded are murky. Data protection authorities including the U.K.'s Information Commissioner's Office have launched investigations into their practices before — cracking down on data brokers Verso and The Data Supply Company with fines for violating privacy rules — and you can expect them to do it again.

Carmakers, pharma and health care companies

The GDPR has been on the minds of technologists and tech regulators for years, but the rules extend far beyond just the tech sector.

As companies “digitize” their businesses, more and more are in the business of using data. Today, carmakers such as BMW, Volvo and others hold data on where their customers are located, and cars contain ever more sensors and code, storing data and preparing vehicles for automated driving. Health care companies process and analyze plenty of sensitive data and hold medical records. Banks have always held large sets of personal data.

Companies in these sectors, in time, will catch regulators' attention as they expand their databases.

“Particular industries will be more prone to enforcement actions than others,” said Wim Nauwelaerts, top privacy lawyer at Sidley Austin. His top tip: “The pharma industry and medical devices industry: I wouldn't be surprised if we see at least some targeted investigations in that industry.”

The NSA, snoops and spies

In all the cases against Big Tech, government surveillance services outside of Europe could become collateral damage.

When Schrems sued Facebook for their transfers to the United States under safe harbor, his target was primarily the U.S.'s surveillance powers granted through national legislation — or the lack of it — governing the National Security Agency and its surveillance programs like PRISM. Facebook denies any cooperation with U.S. authorities on these programs.

It shows how activists, and even the European Commission, try to curb invasive powers of foreign intelligence services by asking foreign companies to better protect data — thus putting pressure on their governments to up their protections too. It's what academics and observers have called the “Brussels Effect.”

An early example could be the U.K., where the country's Investigatory Powers Act is already causing EU policymakers to question whether Europeans' personal data can just flow to Britain. The U.K. is seeking a special deal on data flows after Brexit but could be prompted by the EU to build in safeguards on how it governs intelligence and security agencies.

Road to Luxembourg

For the privacy activists and litigators, the fight will be won only if rules are enforced across the bloc — and the world — consistent with European fundamental rights.

That means, for any case, the final scene is set in Luxembourg before the European Court of Justice.

“What we hope — and we'll help others — is that everyone does its own case, and that all class action court cases in the end come together before the [European Data Protection] Board or before the European Court of Justice,” said Messaud at Quadrature du Net.

This could take time. Challenges to the EU's data transfer deal, the Privacy Shield, are still pending before the EU's General Court, and other key privacy cases have taken several years on average to finish.
