Six Months In, GDPR’s Impact Uncertain In the U.S.
We’ve barely scratched the surface on the impacts of the General Data Protection Regulation (GDPR), the far-reaching European Union law that went into effect six months ago. As European law enforcement organizations prepare their first cases against Google, it appears that some organizations in the United States are taking a wait-and-see approach to GDPR compliance.
Formal complaints were filed by seven EU countries against Google last week for a purported violation of GDPR with its Android operating system. Apparently, users cannot turn off GPS tracking by disabling the “Location History” option. Instead, they must also disable “Web and App Activity,” which are enabled by default. Because no consent was given to be tracked, all this constitutes a violation of GDPR, according to European regulators.
“Google’s data hunger is notorious but the scale with which it deceives its users to track and monetise their every move is breathtaking,” Monique Goyens, director general of the European consumer organization (BEUC), said in a press release. “Google’s deceptive practices are in breach of the spirit and the letter of this regulation. We need strong, coherent, enforcement of the rules. We can’t have companies pretending to comply but de facto circumventing the law.”
If Google is found in violation of the GDPR, it could be fined up to 4% of its annual revenue, which would be $4 billion. A Portuguese hospital appears to be the organization with the dubious title of receiving the first GDPR fine from the EU, in this case €400,000.
But the Web giants were odds-on favorites to receive the most attention under GDPR, and reality appears to be living up to the hype. Facebook could face charges of violating GDPR as a result of the way it handled the data breach that occurred earlier this year that compromised more than 50 million accounts. Under GDPR rules, organizations must notify regulators of the breach within 72 hours of discovering its existence. Facebook says it made the notifications within that timeframe, but the Irish privacy commissioner is reportedly still seeking information.
Other companies have also been referred to authorities for GDPR violations, although no formal complaints have been filed by regulators. Last month, Privacy International accused Oracle, Acxiom, Experian, Equifax, and three ad-tech firms of violating GDPR. “Part of their business models are about fundamentally exploiting data and therefore clash with many of the provisions [of the EU’s General Data Protection Regulation],” Privacy International legal officer Ailidh Callander told the Financial Times.
Uber received a GDPR-style fine this year for how it handled a data breach. The ride-sharing firm was fined $158 million this year by attorneys general in all 50 states (plus Washington D.C.) for attempting to cover up a 2016 data breach that impacted 57 million customers, including some in Europe. The firm was subsequently fined smaller amounts by privacy commissioners in the Netherlands and the UK, although it was not a GDPR fine because the violation happened in 2016.
The fine, which amounted to 2.4% of Uber’s 2016 revenues, was seen by some as a GDPR-esque shot over the bow of a large tech firm by American regulators. “Uber’s decision to cover up this breach was a blatant violation of the public’s trust,” said California Attorney General Xavier Becerra.
California has been on the frontline of the battle over who controls data and consumers’ rights to privacy and security. Just after GDPR went into effect this spring, Governor Jerry Brown signed the California Consumer Privacy Act of 2018 into law. The law, which goes into effect in 2020, has been dubbed “GDPR Lite.”
However, besides California, few other states seem to have the appetite to take on established technology interests by passing GDPR-style data protection laws. Even after Facebook CEO Mark Zuckerberg and other tech titans testified before Congress earlier this year following the Cambridge Analytica scandal, there is no coalition of voices calling for greater regulation of data. US Senator Ron Wyden of Oregon submitted a GDPR-like privacy bill, but it stalled in the House.
Against this backdrop, it’s curious that Apple CEO Tim Cook has been so outspoken about the need for data privacy in the United States. “Our own information, from the everyday to the deeply personal, is being weaponized against us with military efficiency,” Cook said during a speech in Brussels earlier this year. “It is time for the rest of the world, including my home country, to follow your lead.”
While the American tech giants work to ensure they don’t run afoul of GDPR when it comes to EU citizens who use their services, the same cannot be said of all US companies. By some accounts, large firms in the US are doing just the bare minimum to be able to check the GDPR box.
Fouad Khalil, the compliance director at SSH Communications Security, took several unnamed US publications to task for putting their old business models ahead of compliance. “Several prominent US publications are currently inaccessible to EU-based readers,” Khalil wrote in an article in the Silicon Republic. “These organisations have apparently made a judgement call that their business model is better off shedding international readers than investing in compliance.”
Surveys show that 70% of companies around the world are not GDPR compliant, which shouldn’t come as a surprise, considering how many different aspects there are to GDPR compliance, and the fact that addressing each one of them takes time.
“Customers are still working on it, first of all,” says Stan Christiaens, co-founder and CTO of Collibra, which develops data governance solutions. “They realize it’s a big initiative, and it’s taking a lot of work.”
The first wave of GDPR remediation largely involved organizations adding check boxes to their websites and other forms of communications with customers, Christiaens says. It’s a good start, but it’s not nearly enough. Full GDPR remediation will require organizations to make invasive changes to their business processes and – most importantly – change their business cultures.
One of the most effective ways that companies can change their data cultures is by hiring a chief data officer (CDO), he says. That’s how banks started getting a handle on some of the new digital regulations that were foisted upon them earlier this decade, and it’s how organizations in other industries will survive GDPR too.
The bigger question for Christiaens, however, revolves around consumer sentiment. If people don’t demand that companies take better care of their data, then it’s likely nothing will change. Making people aware of what companies are doing with their data is the best way to force change.
“People don’t know their data exhaust online is exposing them to all sorts of ranking and ratings that affect their lives. They just don’t understand or see those connections,” he says. “Everybody is pointing the finger at China. They say, ‘Oh the social credit system in China, you won’t be able to take a bus any more if you don’t behave.’
“But the same exact thing is happening in the US,” he continues. “If you submit your resume for a job interview, in the background a social media check is happening. You don’t even know it’s happening. You apply for a loan and based on skin color — because the bias is encoded in the algorithm — you get it or you don’t, or your interest is higher or lower. All of these effects are completely hidden and in-transparent to people.”