The State of GDPR Compliance—and the Rise of Global Privacy Laws

February 5, 2019

This blog post is not legal advice for your company to use in complying with EU data privacy laws like the GDPR or other privacy laws. Instead, it provides background information to help you better understand the GDPR and/or other privacy laws. If you are concerned about complying with the GDPR and/or other privacy laws, we recommend that you consult an attorney familiar with the new laws.

The State of GDPR Compliance

The General Data Protection Regulation, or GDPR, which regulates data protection and privacy of all European Union and the European Economic Area individuals, went into effect almost nine months ago on May 25, 2018. Since then, compliance has been a slow process. According to the IAPP-EY Annual Privacy Governance Report 2018, of all surveyed companies saying they must be compliant with the GDPR, only 44% reported full compliance, 7% were not-at-all-compliant, and 49% said they were in the compliance process.

IAPP-EY Annual Privacy Governance Report 2018 

For those still in the compliance process, many in the same study cited GDPR obligation difficulty, with two aspects of the law, “the right to be forgotten” and “data portability” proving the most difficult. In some instances, especially for those companies residing outside of the EU, there is still confusion about just how much they must comply with the GDPR or whether they even need to be compliant at all. In response to this, the European Data Protection Board (EDPB) published in November 2018 Draft Guidelines to help those outside the EU determine their obligations under the GDPR.

In short, however, as we wrote previously in our Insights column, “Should US Companies Worry About GDPR,” the law affects both data processors and data controllers in any country inside or outside of the EU who do business with any EU individual. Data Controllers determine how and why personal data is processed, and Data Processors handle the technical processing of the data on the controller's behalf. The controller could be any business, charity or government agency, and the processor could be any IT service provider. In the case of Animus Rex, our clients are data controllers and we are data processors. We go into even more detail about GDPR requirements in that same column and our follow-up column, “Ways to Make Your Website GDPR Compliant.”

So with all of this confusion and difficulty, should you be concerned about compliance? Yes. And yes, again and again. Here’s why…

Yes: Heightened Privacy Concerns and Growing GDPR Enactment and Penalties

Privacy concerns with subject data has been around for a long time, but recent news regarding such companies as Cambridge Analytica, Facebook, Equifax, etc., has only served to heighten and strengthen the public’s concerns over personal data misuse and security. The GDPR is a reflection of the public’s rejection of unmitigated private data usage. And while enforcement of the GDPR has been slow, it is growing steadily; and, at this point, not only have several well-known tech firms had complaints filed against them, but the following fines have been levied in accordance with the GDPR:

  1. Equifax Limited – £500,000
  2. Bupa Insurance Services Limited – £175,000
  3. Oaklands Assist UK Limited – £150,000
  4. Heathrow Airport Limited – £120,000

For further fines and actions the ICO has taken to enforce the GDPR, see here.

Consider also that with the GDPR, data subjects can seek redress, with a reversal of burden of proof, which would require data controllers and/or processors to prove they were in compliance with the GDPR.

GDPR Is Just the Start

GDPR is also just the beginning of more laws worldwide that have been either recently enacted or are on the way.

ePrivacy Act

The ePrivacy Act (ePR) is the next step in EU privacy regulation and, while not yet law, it is expected to come into effect in 2019. Currently, it is thought companies will have about a year from the date of enactment to become compliant.

While the GDPR governs privacy law in a broader context and is concerned primarily with the protection and handling of personal data, the ePR would focus specifically on data privacy and the right to confidentiality as they relate to electronic communications. This would include email, texts, online messaging, Skype, WhatsApp, Internet of Things (IoT), online advertising networks, and more. The ePR would also carry the same fine for non-compliance as the GDPR—20 million euros or four percent of annual global turnover.

Also known as the “Cookie Law,” the ePR would give end-users more control over how cookies are deployed on their devices. Since it would allow individuals to set cookie preferences at browser level, it would mean the effective end to the current practice of cookie consent banners presently on websites.

The ePR would also limit direct marketing through electronic communications to end-users since it would require marketers to first obtain consent for such communication. A marketer would, therefore, have to have proof of such consent via an “Opt-in” process before marketing electronically to EU individuals (and possibly also B2B, though this is not yet set with the ePR) or face penalties. One might be able to argue an end-user’s “legitimate interest” (genuine interest or need of a product) instead of consent, as is presently the case with certain aspects of the GDPR, but again, bear in mind, the burden of proof in the case of a complaint filed will be on the data processor or controller—not the individual.

And Yes Again and Again: Other Privacy Laws and Regulations

PIPEDA

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) first became law in April 2000, but had important updates made to it, which came into force as of November 1, 2018. Like the GDPR, it covers how businesses may handle an individual’s personal information, carries with it fines (as much as $100,000) for non-compliance, and applies to organizations even outside of Canada if they are doing business with Canadian individuals. It also requires an individual’s consent for collection, use or disclosure of her or his personal information; gives people the right to access their information held by an organization and the right to challenge the accuracy of that information. Interestingly, not all of Canada is covered by PIPEDA, with Quebec, British Columbia, and Alberta provinces supplanting PIPEDA with their own privacy laws. For those interested in how this may affect their future e-marketing campaigns, please see here.

California Consumer Privacy Act

California’s Consumer Privacy Act was signed into law by its governor last June but will not come into effect until January 1, 2020. There are similarities to the GDPR, such as giving individuals the right to know what of their information is collected by an organization, but there are also vast differences, such as not requiring companies to get a person’s permission to collect or use their data, or to even allow someone to opt out of the collection of their data. For more information of the Consumer Privacy Act, see here; and for the full text of the Act, itself, see here.

Other States Joining the GDPR Bandwagon

Several other U.S. states have either passed or will pass data protection, including Alabama, Arizona, Colorado, Iowa, Louisiana, Nebraska, Oregon, South Carolina, South Dakota, Vermont and Virginia. The Data Protection Report goes into more detail about these GDPR-like laws—and more states are considering similar legislation.

Meeting Customer Expectations

Clearly, data protection and privacy laws are on the rise, and while each of these and the prior legislation mentioned can be very intricate, often requiring legal assistance and spend, compliance with them is growing as the norm. Behind it is not just an application of the various laws and an avoidance of penalty, but the idea of companies meeting customer expectations, dealing fairly with an individual’s data and respecting their privacy. Consumers have access to more choices than ever before, and those organizations who show they are on the same page as them are positioning themselves for greater market share. GDPR compliance is just the start…

If you need guidance with GDPR compliance or have questions, please contact us. We’re happy to help. 

Thanks and be well,
~Your Friendly Animus Rex Team