The day finally arrived. The EU's flagship GDPR came into effect today and already there are U.S. casualties, with the Los Angeles Times, Chicago Tribune, New York Daily News, Baltimore Sun and Orlando Sentinel blocking their services in Europe.
Why the EU Launched GDPR
Elsewhere, a number of American tech giants are already facing legal action as one privacy campaigner, Max Schrems, launched four court cases under the new regulation targeting Google in France, picture-sharing site Instagram in Belgium, WhatsApp in Germany and Facebook in Austria. If the name Schrems rings a bell, you might remember him as the campaigner who brought Safe Harbor to the European Court of Justice, which struck the agreement down in 2015.
That outcome, in fact, is why the General Data Protection Regulation has been introduced. The EU is billing GDPR as the biggest shake-up of data privacy regulations since the birth of the web, saying it sets new standards in the wake of the recent Facebook data harvesting scandal.
In the hours before the GDPR came into effect, EU Justice Commissioner Vera Jourová issued a statement saying as a result of the regulation, “Europeans' privacy will be better protected and companies benefit from a single set of rules across the EU.”
Despite the long run-up to the launch, at least a few companies were caught unprepared, including the Los Angeles Times and other titles owned by the Tronc group, formerly known as Tribune Publishing. In Europe, access to the Los Angeles Times was blocked and those who tried to access it were offered a screen with a notice which simply read: "Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism."
However, the European Commission, the executive arm of the EU, was unapologetic. In a statement issued to the French news agency AFP it said simply: "We have seen the press reports, but it is not for the Commission to comment on individual companies' policies in terms of offering services in the EU. We expect all companies to fully comply with the General Data Protection Regulation as of today. With the new rules in place, EU data protection authorities will watch over their correct application across the EU and ensure full compliance."
GDPR Goes Beyond EU-US Privacy Shield Framework
Even with the EU ruling on the Safe Harbor agreement, companies in the U.S. should have been ready. They also should have been working with the EU-U.S. Privacy Shield Framework. The Privacy Shield was introduced in 2016 by the Commerce Department’s International Trade Administration and provided U.S. companies with a mechanism to comply with EU data protection requirements pertaining to the transfer of personal data from the EU to the United States.
To join the Privacy Shield Framework, a U.S.-based organization is required to self-certify to the Department of Commerce and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield is voluntary, the GDPR goes far beyond it.
Alexander Stern has written extensively about the GDPR. Stern is an attorney and CEO of Attorney IO, a provider of an artificial intelligence-driven service that helps attorneys manage their legal documents. He said U.S. companies cannot simply rely on the Privacy Shield Framework to satisfy the EU on data privacy. “The GDPR is a sea change and requires companies to go much further than they have in the past under the old framework. Principles like data minimization, what constitutes valid consent, and when a business can claim a legitimate interest in someone's personal data provide serious challenges to U.S. businesses. This is so regardless of whether they joined the Privacy Shield Framework,” he said.
One way U.S. companies can contain their risk, Stern suggested, is to consider forming a European-facing operating subsidiary. "They can form a new company that handles all operations within the EU but nowhere else. This subsidiary company can license and segregate European data from the parent company,” he said. “Such a corporate structure helps contain the otherwise massive potential fines which are derived from the company's worldwide revenue. However, the worldwide part would in practice be limited to the EU as that is the only market such a subsidiary would operate in."
Privacy Shield as a Roadmap
The Privacy Shield was designed to bridge the gap created by the lack of adequate U.S. data protection laws. For companies that self-certify under Privacy Shield, it provides a legal basis for the transfer of EU citizens’ personal data to and from the U.S.
It also provides the most convenient roadmap for GDPR compliance, as many of the certification requirements under Privacy Shield match what GDPR requires, according to Joseph "Jay" Arcata III, a partner at Halloran & Sage who heads the cybersecurity and data privacy practice for the Hartford, Conn.-based law firm.
Arcata said while Privacy Shield certification can provide companies with a jump-start on fulfilling the requirements of GDPR, it does not ensure total compliance with GDPR. “In addition, Privacy Shield will be revisited on a yearly basis, so it is entirely possible that its terms and requirements could change. Privacy Shield is merely a tool to assist U.S. companies with GDPR compliance but it does not, in and of itself, guarantee compliance."
Patrick Lastennet is director of marketing and business development at Amsterdam-based Interxion. He said the Privacy Shield legal framework has not been tested against GDPR, so it could sustain a complaint under GDPR. “If there's a data breach and you imported data and it's misused, I'm not sure that Privacy Shield will protect you. It's not GDPR compliant. You can have it, but on top of that you need to complete all the GDPR privacy requirements," he said.
“No matter what the project is, if it handles data you have to have processes in place to ensure that you use the data appropriately. You can't GDPR self-certify with the Privacy Shield.”
The GDPR Silver Lining
Despite some of the concerns outlined above and the more dramatic claims about the impact of GDPR on businesses, it will only be bad for those companies that buy and trade in user data, or those companies that consistently fail to protect personal data.
Palo Alto, Calif.-based Moloco offers a cloud-based mobile advertising platform. Its CEO, Ikkjin Ahn, said the only companies that will lose out with the GDPR are companies that are breaching data regulations already.
"While GDPR will be bad news for ad tech companies buying and trading user data without proper consent, that is only one sector of ad tech players. The need for infrastructure to organize and utilize first-party data with proper consent will increase with GDPR," he said. “Ad tech companies will be the first to provide the right technology to comply. There will be no downturn to the ad tech sector, just a shift from companies focused on second-party data to those focused on first-party data."
GDPR, however, will not kill ad tech. Ahn noted Amazon grew its ads business quickly last year, and there is every reason to expect a new player to crop up using properly-handled first-party data. “The impressions that were filled by ad tech companies focused on second-party data will be replaced by a newer ad platform like Facebook Audience Networks and others that will make the online ad experience better, not worse,” he said.
Michael Priem, founder and CEO of Minneapolis-based marketing agency Modern Impact, agreed. He argued new industry regulations such as GDPR should not impede marketers' progress. “On the contrary, they reset the balance between advertiser and audience by giving consumers more control, directing technology to be employed for more noble uses, and compelling marketers to interact with consumers in more meaningful ways that create positive sentiment and ultimately restore trust,” he said.
Advances in digital technology, the advent of artificial intelligence and the application of machine learning have all empowered quantum leaps in advertising. But the fuel for most of this progress has undoubtedly been data. Data has become a “natural resource” for advertising technology. “And, just as with every other precious resource, we all bear responsibility for its consumption,” Priem said.