American print and online media publishing company Tronc, Inc. – formerly known as Tribune Publishing – made a surprise decision in May to block access to all internet users in the European Union after failing to meet the compliance deadline of the new General Data Protection Regulation (GDPR).
Website visitors with European IP addresses, trying to gain access to Tronc-owned news sites like Chicago Tribune, Los Angeles Times, Baltimore Sun and New York Daily News, are met with the following message: “Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism.”
As the case implies, the GDPR has extra-territorial effect reaching beyond just EU citizens and EU-domiciled companies. The law applies to any company offering goods or services to EU residents, or monitoring the behaviour of EU residents, regardless of where that company is located.
“I believe this decision by major US-based news sites to block EU users may be based on the advice and counsel of their legal team, it shows the level of complexity involved in interpreting the GDPR and the extent some companies are willing to go to avoid violating the regulation,” said Dannie Combs, chief information security officer at Donnelley Financial Solutions.
“GDPR is a very complex law and non-attorney practitioners should always seek legal interpretation on the provisions within the GDPR such as whether it applies to only EU citizens or residence of the EU. Legal practitioners will be able to guide firms on whether anyone who is resident in the EU for a short period of time, regardless of their citizenship, can invoke rights under GDPR and what obligations companies worldwide have.
“There seems to be an opinion among some that if they pull their business out of the EU, then GDPR won’t affect them and they won’t be at risk of breaching the regulation. Companies that intend to follow this path may be better off if they seek clear advice and direction from their counsels especially those that specialize in international regulations. Companies may also reach out for guidance from Data Protection Authorities in the EU on decisions that affect the personal data they already have or plan to process. With regards to Tronc, one would expect that they sought legal and expert professional advice, which may include that of the DPAs in EU to ensure that they do not violate the GDPR.”
GDPR has been a bit of a skeleton in the closet for North American firms since the regulation’s genesis in April 2016. There has been a widespread lack of understanding about the expectations and the impact of the law, prompting many firms located outside the EU to sit and wait to see how the GDPR enforcement and litigation environments pan out.
The regulation was officially implemented on May 25 this year. Since then, there has been a “late sprint” with many companies seeing the light as to what impact GDPR could have on their firms, according to Combs.
“I think privacy legislation like GDPR will drive an explosion of demand for privacy professionals, which will hopefully lead to a true convergence of security and privacy. Businesses can’t accomplish one without the other,” Combs told Insurance Business. “Changes to the regulatory landscape are also opening the eyes of more organizations to the value of cyber insurance and the importance of strong privacy and security risk management strategies.”