GDPR deadline arrives - and the first complaints are already filed

Long awaited GDPR legislation has finally come into force in the UK, and the first complaints (against Google, Facebook, What’s App and Instagram) have already been filed.

Austrian privacy activist Max Schrems filed lawsuits seeking to fine Facebook 3.9 billion and Google 3.7 billion euro (roughly $8.8 billion in dollars).

Welsh IT Support and Cloud Data specialists ITCS held a series of free workshops earlier this year to help customers prepare ahead of the GDPR rules coming into force, and the company’s GDPR consultancy team have been flat out helping customers ever since.

The new rules require business to obtain clear consent and justification for any personal data collected from users – this impacts on everything from company contact databases to website cookie policies, and despite the rules now being in place, many businesses are still unprepared – a recent study by Shred-It found 22% of small businesses were not even aware of them.

As well as marketing lists, the rules also apply to sensitive employee data, with employers now having a duty to inform staff of any information they hold about them and where and how it’s stored.  As well as personal data like address and national insurance numbers, and employment history, it also includes, for example, information like criminal records, sickness history, sexual orientation and ethnic background.

It is perhaps the most all-embracing change to data protection in Europe’s history and the ramifications (as well as the fines) could be huge – but uncertainty remains as to how European regulators will interpret the rules and now the law is in place, many experts are awaiting the outcome of the first cases.  Thanks to Schrems, it is expected they won’t have to wait long.

Schrems told the Financial Times that the existing consent systems from the online giants was clearly noncompliant. “They totally know that it’s going to be a violation,” he said. “They don’t even try to hide it.”

The companies have disputed the charges and claim that the measures they have put in place are adequate.  A Google spokeman said:

“We build privacy and security into our products from the very earliest stages and are committed to complying with the EU GDPR.”

Facebook’s response was similar, with a spokesman saying, “We have prepared for the past 18 months to ensure we meet the requirements of the GDPR.”

However, as the rules also apply to offshore companies who offer services to users within the EU, many US operators, including popular news outlets like the Los Angeles Times, the Chicago Tribune, and The New York Daily News, have simply banned EU residents from accessing their services, rather than risk the huge fines for non-compliance.  Business World reports:

“Blanket blocking EU internet connections – which will include any U.S. citizens visiting Europe – isn’t limited to newspapers. Popular read-it-later service Instapaper says on its website that it’s “temporarily unavailable for residents in Europe as we continue to make changes in light of the General Data Protection Regulation”.

Ironically, the very legislation that was intended to give individuals more freedom over who and what can access their private information, could prevent them from accessing information freely available to the rest of the world.   ITCS Managing Director Brian Stokes says:

“We have done our best to prepare our clients and our business and now the law is upon us.  Like the rest of the world, we await the first case law to see what happens in practice.”