Commentary

A Slow Start: European Regulators Aren't Ready For GDPR

A few dozen surveys show that companies are unprepared for GDPR. Well, regulators aren’t ready either.

Reuters surveyed 24 commissioners throughout Europe, and found that 17 lack the funding or the power to enforce the pending law. Of those, 11 expect to get it in the future. But only five say the laws and funding are fully in place.

For example, Italy’s data protection office needs 300 people to do the job — it has 122. Its budget is a paltry 25 million euros.

In contrast, as recently reported by Email Insider, the UK has 620 people, and expects to have 700 by 2020. The annual budget of the Information Commissioner’s Office (ICO) recently was raised from £24 million to £38 million in 2018/2019.

But Commissioner Elizabeth Denham still isn’t happy — she is calling for increased powers, including a streamlined warrant process to investigate privacy breaches.

Moreover, there are vast gaps between how countries view the laws. Irish and German commissioners have “differences of opinion,” Reuters reports. Some countries declined to be surveyed.

It makes you wonder: Can companies get away with jurisdiction-shopping?

All that said, it wouldn’t pay to get too sanguine, for there is language in GDPR that could trip anyone up. For example: The question of who is covered by it.

As attorney Alexander Stern writes in an article: “the GDPR does not just apply to citizens of an EU country. It applies to anyone who at any time set foot in an EU country and transmitted their data to a covered Internet company. So a US tourist who visits Germany for one day and returns to the US has rights under the law if that person used e.g. Facebook while on the trip.”

Then there is the issue of permission.

“Consent must be freely given, specific to an identifiable list of data uses, and unambiguous,” Stern writes. “For example, silence, pre-ticked boxes or inactivity are not legally sufficient consent. Consent from minors involves additional rules under the law.”

He adds: “Overbroad consents are also legally invalid. For example, consent to use any data about the subject whatsoever for any purpose is insufficient. The key is to describe with reasonable particularity what you want to do and why.”

Finally, there is this question -- which we haven’t seen mentioned anywhere -- whether it is illegal under US discrimination laws to “give GDPR rights to immigrants from the EU and not to everyone,” Stern writes. This could affect companies that have one GDPR policy for EU residents and citizens and another for U.S. citizens.

There are 12 days left. 
