Many feared the dropping of the GDPR bombshell on May 25, 2018. There were predictions of immediate enforcement actions and dire consequences for being out of compliance with what is easily the most comprehensive of privacy regulations anywhere in the world. There were even comparisons to Y2K. But what have been the immediate repercussions?
Enforcement Actions
The privacy and compliance world is still awaiting the first enforcement actions for GDPR. A common misunderstanding is that a data breach by itself will lead to GDPR fines and penalties. However, GDPR allows Data Protection Supervisors to impose massive fines for being out of compliance, not for breaches. The requirement is to report all data breaches to a DPS within 72 hours. It is failure to report in a timely manner that risks fines of up to four percent of annual revenue.
It is easy to predict what future enforcement actions will look like. A large company will discover a breach, not disclose it within 72 hours as they scramble to react, and then, when the stolen data is publicly leaked, have to explain their actions. Invariably, an audit will reveal non-compliance with GDPR’s requirements for security and data handling.
Lawsuits
ICANN, the organization that regulates internet domain names, ran into GDPR trouble in the German courts over its practice of collecting contact information to register a domain name. The German court ruled that ICANN should stop collecting administrator and technical contacts because the domain owner contact information was adequate.
Max Schrems, an Austrian privacy advocate and lawyer, was quick to file lawsuits against Google and Facebook for GDPR violations. These are bound to be long, drawn out battles. Stay tuned.
Unintended Consequences
As I predicted (Forbes, November 27, 2017), many mobile game vendors are either shutting down completely or blocking access from the EU.
The list is growing:
- Brent Ozar Unlimited, a SQL Server consulting and training practice, was one of the first to decide to leave the EU. They announced on December 17, 2017 that “For 2018, we’re not selling directly to folks in the EU anymore.”
- Uber Entertainment’s Monday Night Combat was shut down prior to May 25. The game developer said it would be too expensive to re-write the back-end systems.
- Loadout was shut down on May 25. On the company website the developer stated that “The well-intended GDPR legislation creates major burdens for small companies to do business in the EU, starting on 5/25.”
- Verve, a mobile marketing platform that relies on location data, announced it is leaving the EU altogether to focus on the US market.
- me, a service for cleaning up your email, announced it would not allow users from the EU.
- Microsoft retired their popular Connect platform for developers. The original announcement, since modified, claimed that GDPR was the primary reason.
- Some news sites, including the LA Times and the Chicago Tribune, implemented blocking to prevent EU IP addresses from accessing their sites.
GDPR has already raised the cost of doing business on the internet for every organization. As enforcement activity adds clarity to the requirements, look for more investments in security, privacy, and compliance.