The deadline for implementing the European Union’s tough GDPR privacy law was barely hours old when a privacy activist launched an $8 billion lawsuit against Google, Facebook and Facebook’s WhatsApp and Instagram divisions, alleging the companies are breaking the regulation.
A non-profit called NOYB.Eu, headed by Max Schrems, alleges the consent boxes now showing up on user screens don’t meet GDPR’s requirement that organizations get freely given consent to collect personal data. Instead, it is alleged, users are given a “take it or leave it” choice: agree to the terms or you can’t use the service.
The GDPR prohibits forced consent and any form of bundling a service with the requirement to consent, the group said in a news release, citing Article 7(4) of the regulation.
That section says “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.” (See also this advisory page from the EU)
The interpretation of the consent section is just one of the many unknowns about the regulation that privacy lawyers and company privacy professionals have to struggle with. That was made clear at the closing session Friday in Toronto at the annual Canadian conference of the International Association of Privacy Professionals (IAPP).
In fact, there isn’t one GDPR, one panel told attendees: the regulation allows each of the 28 EU countries to tailor its privacy law over a range of things, including the minimum age at which children are allowed to give consent to data collection without the approval of their parents, the handling of criminal conviction data, the scope of data subject rights, additional requirements to appoint data protection officers, fines, and rules for processing employee data, archiving, and the processing of national identification numbers.
The U.K., France, Germany, Slovakia, Croatia, Belgium and Austria are the countries that so far have passed GDPR enabling legislation with country-specific changes. Already some experts have said sections of the German privacy law are overly broad, vague or even illegal, panelist Erica Kitaev, the managing editor of privacy and data security at the Thomson Reuters publication Practical Law, told the conference.
One Italian regulator has promised its version of the GDPR will look like the country’s existing privacy law, she said.
“It’s going to be a bumpy ride,” Kitaev concluded, but nothing to be scared about. Privacy pros have to take a risk-based assessment approach: look at what the organization is doing, where the data is and whether the heart of GDPR is being used to protect it, see where local laws differ from GDPR, make a call and be prepared to defend it.
Although it’s late, some Canadian companies still haven’t decided if they have to comply with GDPR. Wendy Mee, a partner at the Canadian law firm Blake, Cassels & Graydon, said GDPR only applies to organizations that offer goods and services in the EU. “Just because someone comes here and you have their name and address doesn’t mean GDPR necessarily applies,” she said. For example, an EU resident on a trip to Canada giving their name and contact information to a hospital or a store here may not mean GDPR data protection rules apply.
However, she warned organizations that sell products online not to be complacent. Their strategy may be to target sales at non-EU countries like the United States, but in fact sales are open to anyone in the world.
For Canadian privacy pros who believe their company has to comply, she noted that there are some differences between GDPR and Canadian federal and provincial privacy laws. For example, laws here may not apply to the processing of employee data or to non-profits processing data for non-commercial purposes, but GDPR does.
On accountability, GDPR plus Canadian regulator guidance means the European regulation isn’t much different from Canadian privacy law, she said, “so Canadian firms that have appropriate data management processes in place are in a very good starting point.”
Ultimately, several speakers said, much will hinge on interpretations and guidance that will hopefully be released shortly by the GDPR Article 29 Working Group.
For Canadian organizations that have not quite finished their GDPR implementations, speaker Eloise Gratton of the Canadian law firm Borden Ladner Gervais had some sobering comments. At a conference in March she asked a French privacy regulator and member of the Article 29 Working Group if there is an unofficial grace period for compliance. No, was the reply. Would it be enough if an organization that isn’t fully compliant can show it is working hard at it? “The answer was ‘maybe,’” Gratton said.
“I hope it’s good news,” she added. The official did say, “We (regulators) intend to be pragmatic.”
Finally, Canadian privacy expert Ann Cavoukian gave an enthusiastic welcome to the GDPR.
“We’ve been waiting for this for so many years,” she said. The regulation emphasizes that organizations should integrate the Privacy by Design principles she has championed for some time. GDPR “ushers in an era of heightened privacy protection.”
Organizations shouldn’t see privacy as something that competes with security or analytics, she said. Privacy works with security.
GDPR “is not just a regulatory exercise that you have to do because it’s the law. Do it because it makes sense, because it is positive for you, you’ll get positive returns.”