Just hours after the General Data Protection Regulation (GDPR) came into effect last Friday (May 25), complaints of privacy violation were filed against tech corporation Google, social media giant Facebook and its subsidiaries WhatsApp and Instagram.
In total, the firms could be facing $9.3 billion in fines if they’re found to have breached obligations under the new extra-jurisdictional European privacy law. They’ve been accused by privacy-advocacy group Noyb.eu, based in Austria, of forcing users under a “take it or leave it” approach to consent, which the group says is against the principles of GDPR.
US companies hoping for a relaxed GDPR honeymoon period should think again.
The GDPR has extra-territorial effect and applies to any company offering goods or services to EU residents, or monitoring the behavior of EU residents, regardless of where that company is located. It has broad ramifications and sets out obligations for data controllers (someone legally processing EU personal data) and data processors (a third-party entity legally processing EU personal data on behalf of a data controller).
“The US tech industry is very much scrambling to become GDPR compliant,” said Charlotte Worlock, Associate, Clyde & Co. “The statistics are quite scary. Around 80% of US companies will not be GDPR compliant by the end of 2018, and that’s because many of them simply don’t realize they fall within the geographic scope of this new regulation. The larger organizations have been doing their best to become GDPR compliant, but, generally speaking, there’s still an awful lot of work to be done.”
Firms that fail to comply with strict GDPR obligations could face significant fines and penalties. At present, it remains a gray area whether such penalties will be insurable under cyber insurance policies. There have been suggestions that European data protection authorities may look to take a hardline approach and make an example of non-compliant companies by refusing to settle GDPR cases until a company agrees not to seek insurance coverage for a fine.
“Cyber insurance policies in the US tend to use favorable venue language that covers privacy breach fines and penalties. But now that GDPR has come into effect, even the most favorable venue wording will fail if a regulator refuses to settle a case until a company agrees not to pursue insurance coverage for the fine. Essentially, it’s a bit of a waiting game to see what sort of fines come through, but US companies must understand there’s the potential for GDPR fines not to be insurable,” Worlock explained.
“A lot of commentators are saying European regulators will allow a honeymoon period where they won’t go too hard after companies while they get used to GDPR regulations. But it’s important to remember that elements of GDPR are user-driven, so if an EU individual files a complaint under GDPR, the regulators are bound to investigate it, they’re bound to offer some sort of legal recourse if a breach is identified, and they’re bound to enforce the regulation through fines and penalties. US companies should not be complacent about the regulators getting involved early on.”
GDPR requirements are a lot more stringent and wide-reaching than existing US privacy laws. Its definition of personal data covers a much broader range of identifiers, such as: sensitive personal data, genetic and biometric information, physical and mental health, economic status, cultural identifiers, religious beliefs, social identity and so on. Likewise, its definition of data breach is much broader, including: unauthorized access to, or acquisition of, personal information, accidental or unlawful destruction, and loss or alteration of personal data.
Breach notification laws are also tighter, with firms required to notify the data protection authority within 72 hours of a breach. The law also allows compensation for material and non-material harm, meaning there doesn’t need to be any financial loss arising from a breach of GDPR for individuals to be eligible for compensation.
“US companies should be taking various actions to comply with GDPR. They should be implementing a compliance plan and appointing a GDPR representative in the EU member states in which they offer goods or services,” Worlock told Insurance Business. “Companies should also appoint a data protection officer if they engage in systematic monitoring of people or they process sensitive data on a large scale.”