Two years of the GDPR: What should American businesses have already learned? What can they now expect?

Europe's General Data Protection Regulation (GDPR) came into force on 25 May 2018 and has now entered the terrible twos. Birthdays are an occasion to take stock, and this anniversary is particularly interesting from an American perspective.

For those who need reminding, the GDPR is a regulation in European Union law concerning data protection and privacy in the EU member states and in the other countries of the European Economic Area (EEA). Crucially from an American perspective, the GDPR also governs the transfer of personal data out of the EU and EEA, and its treatment there, in certain circumstances. It was the first piece of data protection legislation of its scale, and its primary aim was to ensure that individuals could exercise control over their own personal data. It was also intended to declutter the regulatory landscape for international trade by replacing a patchwork of national laws with a single set of rules across the European Union.

The GDPR has made it clear that any company or organisation gathering personal data must take seriously its obligation to have a lawful basis for doing so. Consent is the most visible of those bases, and where it is relied upon it must be freely given, specific, informed and unambiguous, not buried in a pre-ticked box.

Why was the GDPR necessary? 

The introduction of the GDPR followed several years of careful preparation to bring long-planned data protection measures into force across the European Union. The regulation modernised the laws protecting individuals' personal information and brought previous data protection rules up to date. The need for this is clear from the age of the legislation it ultimately replaced: the EU directive that the GDPR superseded dates from 1995, and the United Kingdom's first Data Protection Act from 1984, both before the internet as we know it.

The European Union stated that the GDPR was intended to harmonise data privacy laws throughout its member states, afford fuller rights to individuals, and allow significant fines to be imposed on any controller or processor that does not comply with the rules.

What does the GDPR have to do with the USA?

Because it is a European law, an American business owner might understandably assume that it applies only within the EU member states. The nature of the internet, however, means that in legal terms international borders are no longer such a simple concept. The GDPR's territorial scope is defined in its Article 3(2):

“This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union…”

In layman's terms, if you offer goods or services to people who are in the EU, or monitor their behaviour there, then you are obliged to respect the terms of the GDPR no matter where in the world your company is headquartered. Note that the test is where the data subject is, not their nationality: the regulation protects residents and visitors of any citizenship while they are in the Union, and it is the offering of goods or services (a site that quotes prices in euros or ships to EU addresses, for example) or the tracking of their online behaviour that brings a non-EU company within scope, not the mere fact that its website can be reached from Europe.

The Brussels Effect

Some commentators have suggested that the expansive scope of the GDPR is a deliberate strategy of the EU, one that Professor Anu Bradford of Columbia Law School has labelled the "Brussels Effect". The power of the European market means that when the European Union adopts laws for its own member states, other economies are in practice left with little option but to conform to them. The logic is straightforward: when faced with multiple regulatory systems, most organisations will opt to comply with the one that insists upon the highest standard rather than run several parallel regimes. This depends, of course, on that system belonging to a suitably large or powerful market, and the EU clearly is one. The effect has previously been observed in a number of fields, e.g. antitrust law, chemical regulation and aircraft emissions. The GDPR has similarly extended the European Union's influence over the handling of personal data.

Professor Bradford named the Brussels Effect after the similar "California effect" previously observed in the United States, a term coined to describe the spread of environmental regulatory standards that originated in California to numerous other states. In the Californian model, the spread was supported by large corporations, which stood to benefit because they had the resources to adapt to the new regulations, unlike some of their smaller competitors.

What has happened since 2018?

Two years on, it seems that a number of member states have still not come to terms with the extent of their enforcement responsibilities under the GDPR. To take the United Kingdom as an example, its regulator, the Information Commissioner's Office (ICO), is the largest privacy regulator in Europe, yet a mere 3% of its 680-strong workforce is dedicated to technology-related privacy problems.

A lack of resources may explain why there have been relatively few fines for data breaches in recent years. To date, the most significant penalties in the UK have been announced only as notices of intention to fine: British Airways (£183 million) and the Marriott hotel group (£99 million). Both companies are contesting the proposed penalties and no final penalty notice has yet been issued. Separately, BA faces a group compensation claim that could amount to £3 billion.

These cases, despite their high profiles and substantial figures, do not appear to have served as a deterrent. The first half of 2020 has seen further high-profile data breaches at Travelex and Virgin Media. In Virgin Media's case, the personal details of 900,000 people (including full names, email addresses, dates of birth and telephone numbers, and information linking some customers to explicit websites) remained accessible online for a period of ten months. Virgin Media has thereby exposed itself to a compensation bill that could reach £4.5 billion.

In May, EasyJet acknowledged that it had been the victim of a "highly sophisticated cyber-attack" that compromised the personal data of up to 9 million of its customers; worryingly, 2,208 of those customers had also had their bank card details "accessed". Early warnings, it seems, are not being heeded, and there does not yet appear to be a sufficient deterrent for organisations to respect the law. As noted above, the largest fines are still being contested and have not been paid. Perhaps it will take money actually changing hands for the lesson to be learnt: when a definitive penalty is issued, or a compensation claim is settled, real change may follow. In the meantime, further breaches will continue to occur.

The GDPR is the model for US legislation

The GDPR is seen as the first significant piece of the new wave of data privacy and data protection laws, and in that sense is the blueprint for other parts of the world. The USA still lacks a comprehensive federal data protection law, although a number of individual states have introduced their own. The most prominent is the California Consumer Privacy Act (the "CCPA"), which took effect on 1 January 2020, with enforcement by the California Attorney General beginning on 1 July 2020. The Act was greatly influenced by the GDPR.

America already has at least twenty-four sector-specific federal privacy rules dealing with particular contexts, and several hundred more at state level. These laws nonetheless leave gaps between them, and for two decades the Federal Trade Commission (FTC), applying Section 5 of the FTC Act, which protects consumers from "unfair or deceptive acts or practices", has worked with state attorneys general to develop a common approach to privacy law, proceeding case by case as problems arise. Politicians such as Cathy McMorris Rodgers have called for a workable national privacy standard, and almost three quarters of US citizens agree that internet safeguards should be the same in all fifty states. The CCPA has acted as a catalyst for an honest conversation about whether there should be a national privacy standard, and whether the California Act itself should be considered the blueprint for it.

GDPR compliance for US-based companies

The GDPR appears to be the model for future US legislation. Becoming GDPR compliant now therefore serves two purposes for any American company. First, the obvious: given the importance and scope of the European market, few companies engaged in any form of international trade will have no links whatsoever to the European Union. If you offer goods or services to, or monitor the behaviour of, people in the EU, and so process their personal data, you must comply. It is that simple. Second, even if you are not presently trading with EU member states, the GDPR is the template for new data protection laws worldwide. Becoming GDPR compliant now will therefore almost certainly serve as ideal preparation for upcoming domestic law, leaving you ahead of your competitors.


About Eoin Campbell
Eoin P. Campbell is an honours law graduate (LL.B) of Queen's University Belfast and a qualified solicitor. He has moved from practising law to teaching and currently lectures in law at two universities in Lyon, France, including on a master's degree course in cyberlaw. Eoin provides commentary, from a legal perspective, on cybersecurity and data protection.