It has been six months since the European Union’s General Data Protection Regulation (GDPR) took effect on May 25, 2018, but the law is still in the early implementation stage. As discussed in a previous blog post, the GDPR has particularly broad reach, applying to any entity—regardless of location—that processes or collects personal data of EU residents. Many businesses across the globe took note, modifying their policies to be compliant. However, there are still many unknowns with regard to how the GDPR will be enforced, especially against non-EU companies.
Differences Between Member States
It is likely that the application and enforcement of the GDPR will be inconsistent across the member states. Each member state is required to enact enabling legislation to carry out the GDPR and designate its own supervisory authority. The member states have taken varying approaches both in the enabling legislation and the designated regulators. For instance, some member states have adopted stricter interpretations of the GDPR, while others had failed to enact legislation until after the GDPR was already in effect. Additionally, Germany has designated multiple regulators, while other member states just have one. With the variances in the enacting legislation and regulators to enforce the law, it is possible that the law will be carried out differently.
Complaints and Suits Relating to the GDPR
Under the GDPR, EU residents can enforce the GDPR’s protections by lodging a complaint with the supervisory authority of the EU member state or by filing an action if the supervisory authority fails to address the complaint properly. Additionally, an EU resident may take direct action through class action proceedings.
As of October 2018, the newly formed European Data Protection Board (EDPB) had already received more than 42,000 complaints since the GDPR went into effect on May 25, 2018. Many of these complaints were focused on consent being improperly obtained or not obtained at all.
We have already seen GDPR privacy complaints filed relating to practices of U.S. companies. In fact, some of the very first complaints lodged were against U.S. companies. On May 25, 2018 (the day the law went into effect), a consumer group filed complaints against Google[1], Facebook[2], Instagram[3], and WhatsApp[4] for “forced consent,” arguing that the companies were offering users no choice but to have their personal data processed to be able to use certain services, and pointing out that the GDPR requires freely-given consent. Then, in November, a privacy complaint was filed by another consumer group relating to Google’s location tracking on cellular devices, arguing the company uses manipulative tactics in order to keep tracking web users’ locations for ad-targeting purposes.[1]
Additionally, at least one U.S. company has been targeted with a class action suit related to the GDPR. On August 22, 2018, a shareholder of Nielsen Holdings PLC sued the company seeking class certification on behalf of shareholders for the company’s alleged misleading statements regarding its preparedness for the GDPR and the impact the statute would have on the company’s business. This case is significant because the plaintiff’s claims do not allege that the company violated the GDPR, but are based in U.S. securities law, for the defendant’s alleged lack of preparation for the GDPR and for making related misleading representations. Nielsen provides comprehensive data regarding consumer television consumption and purchase decisions and how those choices intersect. The suit alleges that the company misled investors regarding how the GDPR’s new privacy laws would impact its ability to continue providing this type of data. This is case is one of the first brought under U.S. law seeking damages against a U.S. corporation for the company’s alleged failure to assess adequately the impact of the GDPR on the company’s revenue streams.
While it is yet to be seen what will come of these complaints and claims, it is an important reminder for U.S. based companies to review their data privacy compliance with applicable data protection law, including the GDPR and domestic state law. Although the extent and manner of enforcement remains unclear with the GDPR, it is advisable for U.S. companies to take steps now to ensure compliance.
[1] Complaint available at https://fil.forbrukerradet.no/wp-content/uploads/2018/11/complaint-google-27-november-2018-final.pdf.
[1] Complaint available at https://noyb.eu/wp-content/uploads/2018/05/complaint-android.pdf.
[2] Complaint available at https://noyb.eu/wp-content/uploads/2018/05/complaint-facebook.pdf.
[3] Complaint available at https://noyb.eu/wp-content/uploads/2018/05/complaint-instagram.pdf.
[4] Complaint available at https://noyb.eu/wp-content/uploads/2018/05/complaint-whatsapp.pdf.
