GDPR Day 1: Litigating the Right to Data Privacy

NEWS ANALYSIS: The General Data Protection Regulation is the most contested law in the E.U.’s history, and we've only touched the surface of its influence.

GDPR.flags

It didn’t take more than a few hours after midnight on May 24/25 for all the talk, written analysis and official notifications to enterprises about the European Union’s General Data Protection Regulation to turn into a phalanx of lawsuits about how organizations handle—or don’t handle—data privacy.

On the first day of GDPR enforcement, Facebook, Instagram, WhatsApp and Google were slapped with litigation accusing them of unfairly coercing users into sharing their personal data. The complaints, which could carry fines totaling $9.3 billion if levied, were filed by Austrian privacy activist Max Schrems, a longtime critic of the companies’ data-collection practices.

Schrems runs an Austria-based privacy-advocacy group, Noyb.eu (None of Your Business). Schrems has been fighting Facebook in court for several years. His legal action filed with the EU claims the four companies force users to adopt a take-it-or-leave-it approach with regard to data privacy, basically demanding that users submit to intrusive terms of service to use the companies’ social networks. 

The GDPR is the most contested law in the EU’s history. It is the product of years of intense negotiation and thousands of proposed amendments, despite its foundation having roots in European law for decades.

GDPR: The Most Sweeping Change to Data Protection in 20 Years

As Datos IO Vice-President Peter Smails told eWEEK: “The GDPR is the most sweeping change to data protection in the past 20 years. Under the new set of regulations, both U.S. and European companies will need to demonstrate compliance when it comes to managing, storing and sharing data–no matter how massive the data sets. Security-wise, companies will have to report data breaches within 72 hours of their knowledge of them.

"One of the biggest issues will be GDPR Article 17, which enables a user's right to be forgotten, which will increase demand for storage and data management solutions that are data-aware. Whether it’s application-specific backup and recovery to protect against ransomware, or intelligent query-based data movement to support test/dev, CI/CD, or GDPR initiatives, organizations will require data management solutions that are data aware and enable them to protect, mobilize, and monetize their data across any cloud boundaries.”

GDPR requires clear consent and justification for any personal data collected from users. These new guidelines have pushed companies across the internet to revise their privacy policies and collection practices—you probably have seen plenty of emails to this effect already. But there is still widespread uncertainty over how European regulators will treat the requirements, and many companies are still unprepared for enforcement.

Google, Facebook, Yahoo, LinkedIn and numerous others have published new policies and products to comply with GDPR. You may have seen their updated user agreements yourself. However, Schrems’ complaints argue those policies don’t go far enough. In particular, the complaint points out the way companies obtain consent for the privacy policies, asking users to check a box in order to access services. It’s a widespread practice for online services, but the complaints contend that it forces users into an all-or-nothing choice, a violation of the GDPR’s provisions around particularized consent.

Early Lawsuits Get Specific

The lawsuits are broken up into specific products, with one filed against Facebook and two others against its Instagram and WhatsApp subsidiaries. A fourth suit was filed against Google’s Android operating system.

Naturally, both Facebook and Google have disputed the charges, contending that existing their current policies are adequate to meet GDPR requirements. “We build privacy and security into our products from the very earliest stages and are committed to complying with the EU GDPR,” Google said in a media advisory.

“We have prepared for the past 18 months to ensure we meet the requirements of the GDPR,” Facebook said in its own media advisory.

This is only Day 1 of the new era of data privacy. This topic will certainly be in the news for months and years to come as companies amend their policies and other consumer complaints come to the fore.

What People Are Saying

eWEEK collected a number of comments and perspectives from several IT thought leaders. Here are some of them.

Karen Schuler, BDO’s National Data & Information Governance Practice Leader:

“We genuinely believe that this is just the tip of the spear and that broader data privacy changes are yet to come. Given that Canada enacted their laws last year, China implemented a new cybersecurity law, the Caymans will expand upon GDPR even though they are part of the UK, and the Salesforce’s CEO stated in a recent interview that he believes the US needs to adopt its own GDPR. This is just the beginning.

“Day 1 of GDPR is here and there is still a lot of unknown. The request for assessments continue, the need for implementation is just beginning for many companies, and I believe that we are yet to see the worst of enforcement actions and law suits. Companies that are just starting to implement changes should do this diligently and not rush to upheave their entire business practices. In other words, take a systematic approach to implementing new practices for GDPR instead of being reactive.

“This reminds me of the early days of e-discovery and defensibility around data collections. For many years courts did not require companies to understand what data sources they should collect, review and produce. However, as time passed the courts made it a point that you need to get your house in order if you are going to respond to a discovery request.”

Dana Simberkoff, Chief Risk, Privacy and Information Security Officer, AvePoint:

Q: How are cybercriminals using GDPR to fit their needs? A: “There are a number of ways cybercriminals can leverage GDPR to fit their needs. An obvious area of exploit is the Data Subject Access Request, which gives a person the right to request all information an organization holds about them. It’s crucial that companies first and foremost confirm the identity of the individual making the request, or else this aspect of GDPR could present a clear risk for identity theft.

“Another potential loophole that cyber criminals can take advantage of is the creation of data flow record and data mapping aspect of GDPR, which document all data flows of sensitive personally identifiable information (PII) across an organization. If not properly protected, these data maps could create a potential vulnerability for companies, so ideally, this kind of data should be maintained in an on-premise system.

“Companies that embrace GDPR as an opportunity to digitally transform their data and their corporate culture will be the most successful. Consumers’ trust is hard to gain and easy to lose, so when done right, privacy best practices are a competitive advantage, and companies that are embracing GDPR will definitely see that come to light moving forward.”

Patrick McGrath, Director of Solutions Marketing, Commvault:

Q: Are the Facebook and Google lawsuits fair or not fair? A: "It was not expected. There are likely to be an influx of ‘right to be forgotten’ and other similar requests being made early into the GDPR timeline to try and make some noise about it.  We’ll have to watch how these and other similar suits are handled to establish precedent, but I don’t expect much (in my opinion) to happen at this stage. 

“GDPR legislation was finalized two years ago with a very clear expectation of the effective date, giving organizations that amount time to become ready for GDPR compliance.  Forrester estimates that 80 percent of organizations are still not compliant and many organizations have adopted a ‘best efforts’ approach hoping that will reduce their exposure to regulatory actions. US companies have clearly lagged in their efforts, with notable lack of actions taken against companies such as Equifax with egregious breaches.”   

Kathie Miley, COO, Cybrary:

“While I have no knowledge of the compliance status for either specific company pertaining to GDPR I can say that the world had 2 years to prepare for their companies, suppliers, and processes for GDPR. However, in spite of 2 full years,  there are still absurd numbers of companies who waited too long, and now it's too late. I am sure we are going to hear many excuses moving forward, but there simply is no excuse that will save them.

“Cybercriminals are already seeking evidence of GDPR non-compliance, once they have enough to establish a hefty fine (up to 4 percent of revenues) they will use the information to extort companies in the form of good old fashioned hush money. It’s already happening; it is just a matter of time before someone goes public with it.

“I understand the importance of the regulation, and completely agree with its intent. I wish the U.S. would adopt similar regulations to protect our citizen’s personal data. Unfortunately, GDPR has placed an enormous burden not just on the Facebooks and Googles of the world but [also] very small companies who can’t afford the costs of managing the complexity of GDPR. The reality is this regulation will end up putting companies out of business.”

Matt Bertenthal, Senior Privacy Counsel, Medallia:

“Companies have done a tremendous amount of work to get ready for today, but the work doesn’t end. Now is a good time to establish good processes for honoring your ongoing obligation to ensure GDPR processes work well.

“Test your data export and deletion process. GDPR allows individuals in the EU to request copies of all of the personal data you have about them, and request that you delete it. When your company starts to receive requests to access and delete data, use these first requests as a learning process. Does everyone involved in the process know what to do? What is working well, and what isn’t? Start keeping track of the types of data deletion requests you’re receiving. Maybe you’ll find that a particular part of your marketing approach is prompting more deletion requests and should be reviewed more holistically. Maybe you'll need to design new product features of automated processes to handle the volume and types of requests you will receive.

“Test your data breach response plan. GDPR requires data controllers to report certain kinds of data breaches to regulators within 72 hours, and data processors have to notify controllers of any breaches 'without undue delay.' Privacy lawyers and compliance professionals know how important it is to respond promptly in a data security context, but do all of the people in your breach response plan know exactly what to do? And are they ready for the urgency that would be presented by an actual incident? Don’t just ask these questions, test them. Run cross-functional table top exercises, so that your team is truly ready.

“Evaluate your training programs. Many companies have just gone through significant efforts to train teams about GDPR compliance. Is everyone in your organization knowledgable about how they should handle data throughout the company so you comply with GDPR? What worked, what didn’t? Plan now for what you’ll do differently in your next round of GDPR and privacy training.”

Ian Eyberg, founder of NanoVMs:

“I thought this was completely expected. There is definitely a backlash brewing against 'big tech.' I'm personally split on it as I've always been a privacy advocate, yet at the same time enjoy certain conveniences that exist with personal data. I think there is a large opportunity for the right entrepreneurs to find new ways of dealing with these issues.

“I would be surprised if we don't see quite a lot of scams hijacking companies for fees to ensure they are compliant.

“It's one thing to be tracked at the airport which our constitution explicitly prohibits, yet at the same time realize that Google knows every single footstep you have ever taken and feel wronged about one and not outraged at the other.

“I think the industry should find ways of dealing with privacy issues before governments get involved.”

Brian Vecci, Technical Evangelist, Varonis:

“It’s not surprising that the big tech companies are the first to face problems now that the GDPR is in effect. They have the most data about the most people and their business depends on it—they were always going to get hit first and potentially hardest. What’s interesting is that they’re already being accused of ignoring the new regulation when it seems clear to everyone paying attention that while they certainly might not be compliant, ignoring it is the last thing that the big tech companies have been doing. But that’s not necessarily true of all of the other companies that collect and use consumer data and are now subject to the GDPR.

“As a society we dramatically underestimated the inherent value of our own personal data and what it reveals about us over months and years. The GDPR isn’t going to kill their business model, but it is going to force them to finally treat our personal data as something that’s valuable not only to them but to us as well.

“Many organizations have taken a wait-and-see approach to the GDPR, betting that they can fly under the radar for a while and save some money by not having to change much about how they secure this kind of data and keep it private (or fail to do so). That could end up proving more expensive in the long run, since while many companies aren’t yet fully compliant, the ones that have taken clear steps will likely see far more lenient penalties for violations. The ones that actually are ignoring the GDPR and have done nothing will probably get hit the hardest.”

Nikki Cosgrove, Cybersecurity specialist, EMEA, Proofpoint:
"Cybercriminals are opportunistic, and the recent surge in legitimate 're-consent' emails and privacy policy update notifications present a golden opportunity. We're seeing cases of malicious actors spoofing the identities of trusted brands to socially engineer users and customers into giving up credentials and personal data, or to spread malware. Criminals are constructing convincing GDPR emails to trick consumers into 'clicking'.
"With that in mind, GDPR mandates that organizations protect the personal data that they have collected or are processing. Data exposed by the consumer is not under the purview of the regulation. Despite this, to maintain consumer trust and to defend the brand from impersonation attacks, it is critical that businesses work to authenticate their domains. Without email authentication, cybercriminals have a powerful tool (the brand) to lure employees of the organizations into accidently opening the door to a hack or inadvertently giving away personal data.
"By safeguarding email communications to customers and by preventing criminals from spoofing their domains in phishing emails, organizations can maintain trust and prove to regulators that they have implemented 'appropriate technical and organizational controls.'"

Brian NeSmith, CEO and Co-Founder at Arctic Wolf Networks:

“Privacy is on its way to becoming a fundamental right in the U.S., and as such parts of GDPR will undoubtedly become policy in the U.S. in the coming years. The process may take longer than we’d like, but with every major breach the process will be expedited.

“For many years, online data collection flew under the radar of regulators and most consumers. But the tide has turned as years of cases like the Equifax breach and Cambridge Analytica scandal have accumulated and brought heightened awareness to the economic, political and social havoc that leaked customer data can create.

“We the people now believe that everyone is entitled to life, liberty, the pursuit of happiness … and data privacy.”

Chris Preimesberger

Chris J. Preimesberger

Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 13 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...