GDPR has been in effect for a month today. Lawsuits have been filed, surveys have been done, and the UK has taken some action. But in Brussels there is only silence.
The last announcement on the EU’s data protection site was on May 31. Either the entire world is in compliance or the EU’s data police are out of the office.
Where are those ruinous fines the EU has warned us about?
Meanwhile, confusion reigns. For example, The Register reports that many non-EU websites are locking out non-EU users. Pottery Barn says on its site that “due to technical challenges caused by new regulations in Europe,” it is not accepting orders from the EU.
Some media sites, like Tronc, are also blocking EU residents, The Register continues.
This is an iffy game, considering that GDPR requires that EU citizens who live elsewhere are also protected by the law.
"The GDPR gives rights based on location not citizenship," says Alexander Stern, an attorney and CEO of
Attorney IO, LLC. "When an EU
citizen moves elsewhere, they keep the rights they had over data transmitted while in the EU. However, new data they transmit is not covered. So if Pottery Barn never had any of these people's data
while they were in the EU, the argument would be that the GDPR does not apply to them at all."
Stern adds, however, that there is a corollary that companies such as Pottery Barn seem to
underestimate:
"Companies that think they are safe by merely blocking EU IP addresses are engaging in wishful thinking. Many people use VPNs (virtual private networks)
which change the IP address of the user. So, it is common for people to be in the EU yet have their IP addresses appear to be somewhere else in the world. These users have the same GDPR rights as
those not using a VPN."
Then there is the confusion that still seems to exist about differing laws — for example, over the potential conflict between GDPR and the EU’s PSD2
(Revised Payment Service Directive). This rule opens up financial payments to third parties like Facebook and Google, and it requires that banks share information with them.
Amit Dua, global head of client operations for SunTec, speculates that GDPR and PSD2 contradict each other. “How can businesses possibly juggle the two seemingly contradictory regulations?” he asks on ITProPortal.
Dua concludes that while the two laws seem to be contradictory, they will lead to “a much needed acceleration of their digital transformation process by placing
the customer in the centre.”
As for the lack of comment from Brussels, Stern says that there has been "a significant but expected silence from regulators since the GDPR went live. We
are now at the phase of a new law where complaints are filed and slowly processed. Major US technology companies have been hit with lawsuits seeking billions of dollars. The legal system will take
these cases very seriously, which means a ton of time needs to be spent on them. It could be years before the first major judgment is issued. In a few years it may look like out of nowhere the EU is
issuing billion dollar fines. That is only because the nuances of these lawsuits may not be of interest to the general public before there is a judgment."
We will see. But it proves again that
consumers themselves will suffer the most under GDPR if companies can't figure these things out.
In perhaps the worst piece of absurdity to date, a man complains that he was locked out of his
hotel room because of a “GDPR update on the door system,” The Register notes.