The Changing Landscape of GDPR Compliance in IT
General Data Protection Regulation (GDPR) compliance is something that every IT team in a business needs to take seriously. While GDPR is an EU law, it applies to any company that makes its website or services available to EU citizens. This includes US companies.
Also, even though GDPR became law in 2018, the landscape of GDPR compliance is still changing. You need to keep abreast of these changes to ensure that your enterprise is meeting the EU’s standards of data protection. Failing to do so could incur (potentially large) fines, as well as a significant (and potentially permanent) loss in reputation.
Let’s take a look at the latest changes to GDPR compliance that are relevant from an IT perspective.
A Broader Definition of ‘Joint Controller’
First of all, in two test cases involving Facebook (see here and here), the Court of Justice of the European Union (CJEU) created a much broader definition of ‘joint controller’ than expected.
A joint controller situation crops up when two or more controllers should both be held accountable for meeting GDPR regulations. In the cases involving Facebook, the CJEU confirmed that a company that ran a Facebook fan page counted as a joint controller alongside Facebook, as did a company that embedded a Facebook Like button onto its website.
This change grabbed the attention of IT specialists, as it makes social publishers, website operators, and fan page moderators responsible for user data alongside platforms like Facebook.
However, the CJEU has clarified that shared responsibility does not mean equal responsibility. In the two test cases, responsibility lay mainly with Facebook, as only the social network had access to the data and could delete it. But this doesn’t mean that enterprises involved in cases like these won’t be impacted.
Privacy Shield Struck Down By The Courts
Privacy Shield is the mechanism that made it easier for American enterprises to process European customer data. But now the CJEU has struck it down. This is to encourage countries that want to trade with the EU bloc to match its data privacy standards.
The United States and Europe have two opposing views when it comes to data privacy. The American view is that your data is public unless you expressly request that it be kept private. The European view, meanwhile, is that your personal data is private unless you give explicit permission for it to be made public. To facilitate trade between these consumer markets despite these opposing views, the US and the EU developed Privacy Shield. This allowed US companies to process EU citizens’ data, so long as those organizations agreed to the EU’s higher privacy standards.
The problem was that under US law, the US government could still monitor the EU data.
Austrian privacy advocate Max Schrems challenged these powers. The CJEU sided with him and struck down Privacy Shield. The result was that 5,300 American SMEs that used Privacy Shield were forced to adopt the EU’s Standard Contractual Clauses instead.
Changes To Cookie Consent
In May 2020, the EU updated its GDPR guidance on consent, which included two crucial points related to cookie consent:
- Cookie walls do not provide users with a genuine choice, since anyone who rejects cookies is blocked from accessing the content. The updated guidance confirms that cookie walls should not be used.
- Scrolling or swiping through web content does not amount to implied consent. The EU stresses that consent must be explicit in nature.
Large GDPR Fines Have Become More Commonplace
Understandably, organizations of all shapes and sizes were quick to comply with GDPR when it came into force because they didn’t want to get fined. Here are some examples, all from 2020, exemplifying just how severe these fines can be:
- The French data regulator fined Google $57m for a lack of transparency, inadequate information, and a lack of valid consent regarding ads personalization. The regulator said users were not sufficiently informed about how and why Google was collecting their data.
- The Information Commissioner’s Office (ICO) fined US hotel conglomerate Marriott International Inc. £18.4m for failing to keep 339 million guest records secure.
- The ICO fined British Airways £20m for a data breach of 40,000 customers’ personal and credit card data, which occurred in 2018.
GDPR Compliance is Continually Evolving
There are many ways GDPR could develop in the future. Here are some potential scenarios:
- Clarity regarding GDPR compliance will come from new test cases and possibly further legislation, such as the ePrivacy Regulation.
- We’ll see more clashes between the EU and the US, in light of their opposing approaches to privacy.
- Since data is now the new oil, we could see more situations where users receive free products or services in exchange for giving away their data through cookies.
- Organizations will shift away from third-party cookies and toward server-side tracking and automation in order to stay compliant.
- We may see international convergence of data privacy legislation, especially if the US implements data privacy at the federal level.
- We’ll certainly see more and bigger privacy lawsuits, but whether big tech or privacy advocates come out on top remains to be seen.
The main point that any organization dealing with EU data should keep in mind, however, is that GDPR compliance needs to be a top priority. By complying with the latest updates to GDPR regulations, you will be better able to protect sensitive data, which is critical to the long-term success of your organization.
Cyberlocke is a comprehensive, full-service IT services provider that architects and implements efficient and secure solutions for enterprise customers and their data centers. We specialize in security, cloud, managed services, and infrastructure consulting. Contact Us today to learn more.