GDPR Data Laws Take Effect Across Europe

Europe’s new General Data Protection Regulation (GDPR) law has come into force across EU countries, creating strict protections for citizens’ personal data and presenting companies with severe penalties for unauthorised use of consumers’ information.

Under the new legislation, companies that offer any products or services in Europe must justify their consumer data processing on limited legal grounds, or else face steep fines of either €20m or 4% of their global turnover.

The modernised data privacy regulations update data access and deletion rules and outline six lawful bases for companies to process consumers’ personal data – including to fulfil a contractual duty or legal obligation, to promote the user’s “vital interests” or to serve the public interest.

If a company cannot justify their use of personal data on other grounds, they are obliged to obtain express consent from users to legally process their data. This stipulation has caused much activity, as digital platform companies scramble to obtain express permission from their users to continue lawfully analysing personal data.

EU digital consumers experienced widespread disruption as the rules came into force on May 25^th, with many organisations withholding their services from European users during their search for “compliance solutions.”

Several internet-connected smart home devices stopped working in European homes, with one app stating: “According to GDPR, we will not be able to continue to provide this service for you.”

Multiple American news organisations including the Los Angeles Times and New York Daily News temporarily removed access to their websites in European countries as the new regulations came into force.

Beyond initial alignment hiccups, the laws will have widespread implications for companies continuing digital business in the EU. Risk management software firm Russel Group speculates that the rise of international data laws could “blow the lid off global digitally connected trade,” comparing the introduction of GDPR to Chinese and Russian censorship and blocking of certain sites.

Companies penalised for “forced consent” practices

Companies must be wary of efforts to avoid liability by requiring consent from users. Some major firms have already attracted legal challenge for violating the principles of the new legislation.

The European Centre for Digital Rights has filed complaints against Facebook, Google, Instagram and Whatsapp for demanding “forced consent” from users, by requiring them to “delete the[ir] account or hit the agree button.”

Social media companies including Twitter and Instagram deleted the accounts of all European users who had not consented to their latest terms and conditions in time for the deadline.

Campaigners underline that this practice – known as “bundling” of access with consent – is a violation of the GDPR’s Article 7 provisions.

In preliminary GDPR guidelines, lawmakers stated that consent to a company’s data policy must be “freely given” with “real choice and control” on the part of users. They further said explicitly that if a consumer “feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid.”

Small firms given leeway

Small businesses are advised that they will be penalised less strictly for any preliminary failures to align properly with the new data laws in time, after representatives underlined that it was harder for smaller companies with fewer legal resources to ensure complete alignment in time.

The Federation of Small Businesses asked the Information Commissioner’s Office to show understanding in its enforcement of GDPR, stating that many small firms in the UK are still not ready for the regulation.

Information Commissioner Elizabeth Dunham assured that the authority would not be expecting immediate “perfection” from small companies.

Meanwhile, all public authorities, as well as any companies that regularly and systematically collect personal and sensitive consumer data as part of their “core activities” are now required to hire a data protection officer to monitor the organisation’s legislative compliance and data practices.

Proponents welcome GDPR for giving “teeth” to data protections last updated by the 1995 EU Data Protection Directive and in need of modernisation. But legal cases based on the new laws – likely challenging large multinational corporations – are certain to follow.