2018 will go down as the year that the rules changed for data privacy and data protection standards. I’m of course referring to the GDPR that was enacted in May 2018.
Update: Since this article was posted in early January, it has come to our attention that numerous fines have been handed out to various companies in varying amounts. For instance, Google was fined €50 million just a few weeks ago by France's data protection watchdog. Germany, the UK, and the Netherlands have also issued a number of fines dating back to late 2018.
Although the GDPR was enacted last year, there is still much to be determined about how effective it is and what the real repercussions of non-compliance are. Some big companies have already come under scrutiny and, as far as we know, investigations are under way, but what does this mean for the smaller fish? Is the GDPR really that far-reaching? Do Supervisory Authorities (SAs) even have the resources to enforce every single infraction of the GDPR?
While 2018 is the year the GDPR was enacted, the questions above are exactly why 2019 may be the year of GDPR enforcement. My guess is that lawsuits will be served towards the end of the year.
GDPR Enforcement and Penalties
For those who are not familiar with what an SA is, each EU member state has its own SA that oversees data protection standards and enforces the GDPR. For instance, the UK’s Information Commissioner’s Office (ICO) is responsible for enforcing the GDPR in the UK, at least until the UK exits the EU under Brexit. Keep in mind, though, that the ICO is still handing out penalties for non-compliance under the former Data Protection Act of 1998. Actual fines have yet to be handed out for non-compliance under the GDPR.
Here is a list of companies that I believe will be the biggest offenders of the GDPR.
1. Facebook
Facebook was actually already fined £500,000 by the ICO, but despite some misinformed reports going around, it had nothing to do with the GDPR. Rather, Facebook was non-compliant under the Data Protection Act of 1998, a law the GDPR has since replaced.
Consider that Facebook knowingly mines data and sells it in the form of advertising, pushing misinformation onto the masses for anybody who has the money to fork over. That’s how they make their money. They also don’t have great control over their APIs. Just take a look at the recent finding of how attackers were able to use access tokens to gain illicit access to users’ Facebook profiles.
It’s fine if you tell your users what you’re doing with their data and give them the ability to opt out. Needless to say, Facebook isn’t entirely forthcoming about what they actually do with your personal data. That’s why Facebook is enemy number one when it comes to the GDPR, and I predict a lawsuit coming their way in the near future.
Facebook has built a track record of not doing the right thing, and that will be their downfall.
2. British Airways
British Airways (BA) found out they were the victim of a security breach back in September 2018. I don’t want to pick on them too much here, though. They handled it well for the most part. They even went as far as to place adverts in newspapers so as to make as many people as possible aware of their mistake.
A data breach in itself can’t bring on a penalty under the GDPR if a company has done everything within its power to protect the personal data of those residing in the EU. Also, considering that BA made the right call and made information about the breach public in a timely manner, that should protect BA since they acted in good faith.
The problem, though, is that they had known vulnerabilities on their website in the form of third-party plugins going back at least a year before the breach was identified. They knowingly did nothing to address the issues with their website. That’s where BA may find themselves in trouble under the GDPR, but we will just have to wait and see whether any penalties are applied.
3. Google
Update: Since this article was originally posted, Google has been fined €50 million by the French data protection watchdog for non-compliance with the GDPR rules and regulations.
Google by definition is a GDPR nightmare. They collect everything and seemingly run the Internet these days. They know you better than you know yourself, so it’s not a long shot that somewhere along the line Google is going to be investigated and possibly fined by the ICO.
How Google will respond to the threat of fines under the GDPR is anyone’s guess. It’s not as if a few slaps on the wrist are going to stop them from doing what they do best: harvesting data. The response could come in the form of a checkbox before you enter anything into the search field, or they may just ignore the fines outright.
The problem is that Google needs our data and we need Google, so there will need to be some compromise here. What’s funny is that Google has found some ways to avoid the backlash Facebook has gotten even though they are also the root of the problem.
My guess is that at the very least, Google will see some kind of fine or required action under the GDPR. But who knows, I’ve been wrong before.