The GDPR has just turned one, and to mark this landmark for EU data privacy, AT Internet has created a guide to staying one step ahead of the regulation and making sure that your data processing is fully compliant. To accompany the guide, we are running a blog series and a GDPR quiz to get you up to speed!
In the first blog post, we looked at the top 12 teething troubles for the GDPR 12 months in. Part two looks at the future of the regulation. Where does the GDPR go from here?
Many companies are still not fully compliant…
A range of surveys published on the first anniversary of the GDPR found that many businesses are still in breach of the regulation. A poll by Infosecurity Europe indicated that more than two-thirds of businesses were not GDPR-compliant one year in. Many respondents to that survey believe that organisations are not taking the regulation seriously and that regulators have been too relaxed and lenient in enforcing it. An earlier survey carried out by IT Governance with companies across a range of industries indicated that only 29% had implemented all of the changes needed to be GDPR-compliant. Up to 25 of the 28 official EU government websites may not be compliant either.
The US tech giants are also far from conforming to the 2018 European regulation. The recent wave of complaints against real-time bidding (RTB) filed in Belgium, Luxembourg, the Netherlands and Spain has highlighted the fact that RTB entails “wide-scale and systemic” breaches of Europe’s data protection regime. Google’s practice of harvesting personal data to profile Internet users for ad targeting (and broadcasting those profiles to a wide spectrum of bidders across the adtech chain) has been described by Johnny Ryan, chief policy officer at Brave, as a “massive and ongoing data breach”.
Fines are coming
The UK ICO announced at the start of July that it intends to fine British Airways £183m over a cyberattack last year in which the details of around 500,000 customers were harvested after they were diverted to a fraudulent site. This was shortly followed by a proposed £99m fine for the Marriott hotel group after hackers stole the records of 339 million guests. Since the end of May, the CNIL has handed out a second fine, of €400,000, to the French real estate company Sergic for failing to adequately protect the data of users of its website and for inappropriate data-storage procedures.
The Irish Data Protection Commissioner, Helen Dixon, has said that substantial fines are on the way in the “coming months”. The Irish DPA currently has 18 investigations underway; it has become the lead GDPR regulator for most of the major tech companies, which are based in Ireland.
However, she also pointed out that “significant sanctions take time to build, conduct, and conclude” and that a range of procedural steps must be followed to establish the basis of an investigation, such as permitting the participation of affected parties and interacting with other Supervisory Authorities in the context of cross-border processing. Since the GDPR came into force, her office has opened inquiries into Facebook and its WhatsApp and Instagram units, three inquiries into Twitter, two into Apple, one into LinkedIn, and the latest into Google’s ad exchange.
In the UK, Information Commissioner Elizabeth Denham has stated that the ICO has “a couple of very large cases that are in the pipeline”. She also stressed that it is vital for Supervisory Authorities to “set a strong precedent in terms of the enforcement action they take”, with the ICO particularly focusing on ad tech and the processing of children’s data.
Although the introduction of the GDPR has laid the foundations for information security and privacy-related practices, 2019 is a critical year for seeing whether the regulation is backed by stronger enforcement.
Following on from and aligned with the GDPR, the ePrivacy Regulation (ePR) is expected to arrive in 2019. Repealing the 2002 ePrivacy Directive, it aims to bring electronic communications up to the same standard of protection that the GDPR provides for EU citizens. The new regulation will apply to businesses that provide any form of online communication service, use online tracking technologies, or engage in electronic direct marketing.
The regulation is aimed at protecting users’ communication data, and specifically metadata. With services such as WhatsApp, Facebook Messenger and Skype all currently holding this type of user information, the ePR will give users far more control over what metadata is stored. If people do not give consent, companies will have to delete that information and will no longer be able to collect it by default.
It will also simplify and streamline the rules on cookies, making them more user-friendly. Browser settings will give users a simple way to accept or refuse tracking cookies and other identifiers. It will also clarify that no consent is needed for:
- non-privacy-intrusive cookies that improve internet experience (e.g. by remembering shopping cart history)
- cookies used by a website to count the number of visitors.
Another major proposal in the ePR is protection against spam (including phone calls), banning unsolicited electronic communications by email, SMS and automated calling machines. Depending on national law, people will either be protected by default or be able to use a do-not-call list to avoid receiving marketing phone calls. Marketing callers will need to display their phone number or use a special prefix that indicates a marketing call.
Certain GDPR fines will cover ePrivacy violations
Although ePrivacy rules are currently enforced through national legislation and fines vary from country to country, those fines are almost always lower than the maximum fine allowed under the GDPR. However, according to the EDPB, certain data processing activities, such as using cookies for behavioural advertising, fall within the scope of both the GDPR and the ePrivacy rules, so GDPR-level fines can apply to them.
The Digital Single Market Strategy
2019 will be decisive in giving credibility to the GDPR’s legal framework and proving that this ambitious European project can actually work in practice. The GDPR and ePR are part of the EU Digital Single Market Strategy, an initiative that aims to open up digital opportunities for people and business and to enhance Europe’s position as a world leader in the digital economy. As part of the Digital Agenda for Europe under the Europe 2020 programme, the strategy aims to improve access to online products and services, to create the conditions for digital networks and services to grow and thrive, and to stimulate growth of the European digital economy.
It is set to address issues such as:
- reforming European copyright law
- reviewing rules for audiovisual media
- cross-border sales
- reforming EU telecoms rules
- digital services’ handling of personal data
- building a data-driven economy
The arrival of the CCPA
The California Consumer Privacy Act is set to come into effect on the first day of 2020. Although part of the global data privacy movement, it differs from the GDPR in several ways. Firstly, the CCPA requires companies to set up specific communication channels, such as phone numbers and websites, so that California residents can request information about their data. It expands the definition of personal data in California to include household information and data from devices connected to the Internet of Things (IoT). The CCPA sets out its own data deletion requirements and introduces new rules around selling data for commercial purposes.
Much of the new law is still being defined, including changes to the definition of personal information. Nevertheless, it is set to have a major impact, as it will force US companies to take the notion of data privacy on board for the first time. As the toughest US privacy regulation to date, it looks like it will have its work cut out: only 14% of Californian companies report being CCPA-compliant so far.
New York State is also following suit with its own proposed privacy act. The planned measures could go even further than the CCPA by introducing a “private right of action” giving New Yorkers the right to sue companies directly, meaning the tech giants could face “tens of thousands of lawsuits”. It would also remove the minimum size for companies subject to the new legislation and introduce far stricter rules for the handling of private data. Watch this space in the coming months…
Make sure your digital analytics is GDPR-proof!
AT Internet’s Analytics Suite is fully compliant with the GDPR. Protecting user data and respecting user privacy have been central to our analytics approach for over 20 years.
As an independent European provider since day one, we have always been strongly aligned with strict European policies on data protection and privacy. Our solution has been developed with privacy by design from the very beginning.
Our long-standing relationships with the CNIL, France’s data protection authority, and Germany’s TÜV speak volumes. These trusted authorities recognise the conformity and reliability of the Analytics Suite and have awarded us their certificate of compliance year after year.