On Day One of GDPR Facebook and Google Hit With Billion Dollar Lawsuits
The highly anticipated General Data Protection Law (GDPR) took effect on Friday. This new privacy law, developed by the European Union (EU), aims to protect internet users’ privacy in hopes that the data breach scandal involving Facebook and the now-defunct political consulting firm Cambridge Analytica will not happen again.
On day one, Austrian privacy activist Max Schrems filed billion-dollar lawsuits against Facebook and Google. Schrems told the Financial Times that the existing consent systems were clearly noncompliant. “They totally know that it’s going to be a violation,” he said. “They don’t even try to hide it.”
Schrems’ lawsuits were broken up into cases against different products: one was filed against Facebook and two others against Instagram and WhatsApp, which Facebook owns. A fourth suit was filed against Google’s Android operating system. Both Google and Facebook dispute the charges.
What is GDPR?
GDPR is now the main law stipulating how companies protect the personal information of citizens of E.U. member states. All corporations storing E.U. citizens’ data must comply with GDPR. Companies outside the E.U. that want to use data from E.U. citizens (for example, for advertising purposes) must obey the regulation.
GDPR is a new law regulating how all companies worldwide that store and process the personal data of E.U. citizens implement data privacy.
Under this law, personal data cannot be used if the data owners have not granted permission. The policy serves to protect consumers so that their personal data will not be harvested illegally without their consent.
Examples of companies that must comply with GDPR
- E.U. airlines or hotels that store E.U. passengers’ info
- E-commerce websites that store E.U. consumers’ data, addresses, and transaction info
- Vehicle or property sellers that market to E.U. citizens
What does GDPR do?
GDPR aims to provide stricter protections for data privacy in an ever-growing and more complicated digital age. If there is a data breach, each company or organization must report it to the relevant authority within 72 hours. If a company is found in violation of the regulation, the regulator has the right to ban that company from processing both employee and consumer data.
Companies violating the regulation may pay fines of anywhere from two to four percent of their global revenue. This harsh sanction shows the E.U. is serious about increasing data protection for its residents.
Varonis, a data security company, says Data Protection Impact Assessments are new too. “When certain data associated with subjects is to be processed, companies will have to first analyze the risks to their privacy.
“Overall, the message for companies that fall under the GDPR is that awareness of your data—where is sensitive data stored, who’s accessing it, and who should be accessing it—will now become even more critical,” Varonis explains.
Are companies ready for GDPR?
During Facebook CEO Mark Zuckerberg’s hearing with the E.U. Parliament last Tuesday, he stated that Facebook is ready to comply with GDPR. But some experts doubt that business owners are ready for GDPR.
“Very few companies are going to be 100 percent compliant on May 25th,” said Jason Straight, an attorney and chief privacy officer at United Lex, a company that establishes GDPR compliance programs for business owners.
According to a survey of 1,000 companies conducted by the Ponemon Institute in April, half the respondents said they were not ready for the new law. Among companies in the IT industry, 60 percent of IT firms surveyed said they would not be compliant by the deadline.
Research from RealWire shows that only 16 percent of firms in America believe they must follow GDPR law.
Even the regulators who will be tasked with policing the GDPR say they are not fully prepared. According to a survey by Reuters earlier this month, 17 out of 24 European regulators felt they were not 100 percent ready for GDPR, as they did not yet have an adequate budget or the legal power to enforce the new privacy law.
What are the flaws?
Perhaps the most complicated part of the GDPR is the data subject access request. E.U. residents have the right to review the personal information that companies have collected about them. But the process, as The Verge explains, is not that simple: the data could be stored on five different servers in multiple formats and be hard for companies even to find.
Another problem is the definition of personal information. Names, email addresses, location data, and phone numbers are personal information. What about less technical and more oblique information, for example, “the old man who lives on Bond 19th Street”? As The Verge reports, under GDPR, such ambiguous information should be provided too.