![GDPR - European Flag](https://blog.atinternet.com/wp-content/uploads/2019/07/markus-spiske-wIUxLHndcLw-unsplash-1024x604.jpg)
The GDPR has just turned one, and to mark this landmark for EU data privacy, AT Internet has created a guide to staying one step ahead of the regulation and making sure that your data processing is fully compliant. To accompany the guide, we are running a blog series and a GDPR quiz to get you up to speed!
In the first blog, we looked at the top 12 teething troubles for the GDPR 12 months in. Part two looks at the future of the regulation. Where does the GDPR go from here?
Many companies are still not fully compliant…
A range of surveys published on the first anniversary of the GDPR found that many businesses are still in breach of the regulation. A poll by Infosecurity Europe indicated that more than two-thirds of businesses are not GDPR-compliant one year in. Many respondents to the survey believe that organisations are not taking the regulation seriously and that the GDPR regulators are being too relaxed and lenient in enforcing it. An earlier survey carried out by IT Governance with companies across a range of industries indicated that only 29% had implemented all of the necessary changes to be GDPR-compliant. Up to 25 of the 28 official EU government websites may not be compliant either.
The US tech giants are also far from conforming to the 2018 European regulation. The recent wave of complaints against real-time bidding (RTB) filed in Belgium, Luxembourg, the Netherlands and Spain has highlighted the fact that RTB entails “wide-scale and systemic” breaches of Europe’s data protection regime. Google’s practice of harvesting personal data to profile Internet users for ad-targeting (and broadcasting those profiles to a wide spectrum of bidders across the adtech chain) has been referred to by Johnny Ryan, chief policy officer at Brave, as a “massive and ongoing data breach”.
Fines are coming
The UK ICO announced at the start of July that it could be handing out a £183m fine to British Airways for a cyberattack last year in which the details of around 500,000 customers were harvested after they were diverted to a fraudulent site. This was shortly followed by a £99m fine on the Marriott hotel group after hackers stole the records of 339 million guests. Since the end of May, the CNIL has already handed out a second fine, of €400,000, to the French real estate company Sergic for failing to adequately protect the data of users of its website and for inappropriate data storage procedures.
Meanwhile, the Irish Data Protection Commissioner Helen Dixon said that substantial fines were on the way in the “coming months”. There are currently 18 investigations underway by the Irish DPA, which has become the lead GDPR regulator for most of the major tech companies because they are based there.
However, she also pointed out that “significant sanctions take time to build, conduct, and conclude” and that there is a range of procedural steps for establishing the basis of an investigation, such as permitting the participation of affected parties and interacting with other Supervisory Authorities in the context of cross-border processing. Since the regulation came into force, she has opened inquiries into Facebook and its WhatsApp and Instagram units, three inquiries into Twitter, two at Apple, one at LinkedIn, and the latest against Google’s ad exchange.
In the UK, Information Commissioner Elizabeth Denham stated that the ICO has “a couple of very large cases that are in the pipeline”. She also stressed that it was vital for Supervisory Authorities to “set a strong precedent in terms of the enforcement action they take”, with the ICO particularly focusing on ad tech and the processing of children’s data.
Although the introduction of the GDPR has laid the foundations of information security and privacy-related practices, 2019 is a critical year that will show whether the regulation is backed by stronger enforcement measures.
The ePR
Following on from and aligning with the GDPR, the ePrivacy Regulation (ePR) is set to arrive in 2019. Repealing the 2002 ePrivacy Directive, it aims to reach the same standard of protection provided by the GDPR for EU citizens and will concern all electronic communications. The new regulation will apply to businesses that provide any form of online communication service, use online tracking technologies, or engage in electronic direct marketing.
The regulation is aimed at protecting users’ communication data, specifically metadata. With new services such as WhatsApp, Facebook Messenger, and Skype all currently holding this type of user information, the new ePR will give users far more control over what type of metadata is being stored. If people don’t give consent, companies will have to delete that information and would no longer be able to collect it by default.
It will also simplify and streamline the rules on cookies, making them more user-friendly. Browser settings will give users a simple way to accept or refuse tracking cookies and other identifiers. It will also clarify that no consent is needed for:
- non-privacy-intrusive cookies that improve the internet experience (e.g. by remembering shopping cart history)
- cookies used by a website to count the number of visitors.
Another major proposal in the ePR is protection against spam (including phone calls), banning unsolicited electronic communications by email, SMS, and automated calling machines. Depending on national law, people will either be protected by default or be able to use a do-not-call list to avoid receiving marketing phone calls. Marketing callers will need to display their phone number or use a special prefix that indicates a marketing call.
Certain GDPR fines will cover ePrivacy violations
Although the ePR will be implemented through national legislation and fines can vary from nation to nation, they are almost always lower than the maximum allowed GDPR fine. However, according to the EDPB, certain data processing activities, like using cookies for behavioural advertising, fall under the scope of both the GDPR and the ePrivacy regulation.
The ePrivacy regulation will also be aligned with the GDPR in terms of user consent. The user will be required to give consent by providing an ‘unambiguous affirmative action’ – as with the GDPR, pre-ticked boxes will be banned. The GDPR’s approach to consent was reaffirmed in March 2019 in the Planet49 case, where the Advocate General found that pre-ticked boxes do not qualify as a user’s express consent for cookies.
The Digital Single Market Strategy
2019 will be decisive in giving credibility to the GDPR’s legal framework and proving that this ambitious European challenge can actually work in practice. The GDPR and ePR are part of the EU Digital Single Market Strategy – an initiative that aims to open up digital opportunities for people and business and enhance Europe’s position as a world leader in the digital economy. Part of the EU’s Digital Agenda for Europe 2020, and an initiative of Europe 2020, the strategy aims to improve access to online products and services, improve the conditions for digital networks and services to grow and thrive, and stimulate growth of the European digital economy.
It is set to address issues such as:
- reforming European copyright law
- reviewing rules for audiovisual media
- geo-blocking
- cross-border sales
- reforming EU telecoms rules
- digital services’ handling of personal data
- building a data-driven economy
The arrival of the CCPA
The California Consumer Privacy Act is set to come into effect on the first day of 2020. Although part of the global data privacy movement, it differs from the GDPR in several ways. First, the CCPA requires companies to set up specific communication channels, i.e. phone numbers and websites, so that California residents can request information about their data. It expands the definition of personal data in California to include household information and data from devices connected to the Internet of Things (IoT). The CCPA sets out a different set of data deletion requirements and introduces new ones around selling data for commercial purposes.
Much of the new law is still being defined, including changes to the definition of personal information. Nevertheless, it’s set to have a major impact, as it will force US companies to take on board the notion of data privacy for the first time. As the toughest US privacy regulation to date, it looks like it’ll have its work cut out – only 14% of Californian companies report being CCPA-compliant so far.
New York state is also following suit with its own proposed privacy act. Planned measures could go even further than the CCPA by introducing a “private right of action” giving New Yorkers the right to sue companies directly, meaning the tech giants could face “tens of thousands of lawsuits”. It would also remove the minimum size for companies subject to the new legislation and introduce far stricter rules for the handling of private data. Watch this space in the coming months…
Make sure your digital analytics is GDPR-proof!
AT Internet’s Analytics Suite is 100% compliant with the GDPR. Protecting user data and respecting user privacy has been central to our analytics approach for over 20 years.
As an independent European provider since day one, we’ve always been strongly aligned with strict European policies on data protection and privacy. Our solution has been developed with privacy-by-design since the very beginning.
Our long-standing relationships with the CNIL, France’s data protection authority, and Germany’s TÜV speak volumes. These trusted authorities recognise the conformity and surety of the Analytics Suite and have awarded us their certificate of compliance year after year.
Data practice hygiene is growing! Read our latest FREE guide, Digital Analytics and the GDPR – one year on – making sure you’re compliant, to find out more!
![Digital Analytics and GDPR updated guide](https://blog.atinternet.com/wp-content/uploads/2019/07/Digital-Analytics-and-GDPR-updated-guide.jpg)