The United Kingdom’s Information Commissioner’s Office (ICO) has found that the Washington Post online subscription options are not in compliance with the European Union’s General Data Protection Regulation (GDPR).
The online subscription options are not subject to GDPR; however, the ICO may issue the newspaper with a reprimand. The Washington Post makes three separate subscription levels available, but only the highest level gives users the option of turning off tracking cookies. Tying this “consent” to access has raised the eyebrows of privacy activists before, who have questioned whether this meets the requirements for consent set out in EU data protection laws. Under GDPR legislation, the Washington Post should have offered subscribers a free alternative to accepting cookies.
The ICO case manager reviewing the case said: “I am of the view that the Washington Post has not complied with their Data Protection obligations. This is because they have not given users a genuine choice and control over how their data is used. We have written to the Washington Post about their information rights practices. We have told them they should now ensure that users of the Washington Post website have the option to access all levels of subscription without having to accept cookies. We hope that the Washington Post will heed our advice, but if they choose not to, there is nothing more we can do in relation to this matter.”
This case highlights the emphasis that the ICO is placing on ensuring that US-based companies are compliant with GDPR in relation to EU subscribers. If companies are found to be in breach of the GDPR, they are subject to financial penalties of up to a maximum of €20m or 4% of annual global revenue, whichever figure is higher.
As there is some degree of uncertainty in relation to GDPR’s extraterritorial applicability and how it can be enforced against non-EU-based organizations, the European Data Protection Board is due to publish guidance on the GDPR’s extraterritorial applicability soon.
Pat Walshe, Managing Director of Privacy Matters and privacy advocate, commenting on the issue, said that he believed that controlling the situation may be beyond the scope of the GDPR legislation. He said in relation to the issue: “I would respectfully suggest the ICO does not have the resource nor the inclination to pursue cross-border action. Especially when it diverted 70 staff to work on the Facebook/Cambridge Analytica investigation. It seems to be struggling to cope with complaints raised about UK based data controllers.”