Well, THAT escalated quickly. Europe’s new GDPR law took effect on May 25. That same day, a number of influential companies in the U.S. announced their rejection of GDPR compliance.
Many earlier assumed those companies would go all-in to achieve GDPR compliance.
But no. They instead moved to block access to their online properties by everyone from European Union member states.
GDPR, as you may already know, requires companies to do more to protect data privacy and security. The law applies to companies doing business in the EU or that collect data on people living there.
Just about every company in America with a website or blog manages to acquire data from EU residents. This collection occurs both intentionally and unintentionally. Either way, it makes those U.S. companies potentially liable for violations of GDPR, according to legal scholars.
GDPR Compliance Exacts a Toll
Some observers suggest that behind the flouting of GDPR compliance rules lies exasperation. After all, complying with GDPR isn’t easy. It exacts a potentially hefty toll on an organization’s resources. Indeed, the bigger the company, the bigger the job of getting in sync with GDPR.
Gizmodo estimates between 70 percent and 85 percent of American companies failed to achieve GDPR compliance on Day One. The tech site attributes their non-compliance to missteps that left them unready for May 25.
Meanwhile, some scofflaws in the U.S. apparently see GDPR as extra-jurisdictional interference with their business practices. They contend the EU lacks authority to enforce its law against American-based companies. They argue that this holds particularly true for U.S. firms not deliberately soliciting the online patronage of EU residents.
Gizmodo alludes to a coming tough response from EU authorities. However, Gizmodo offered no clear indication of what that response might entail. Leniency? A grace period? Or the iron rod of terrible and swift justice? Perhaps the latter: GDPR allows for criminal penalties and civil damages that amount to much more than a wrist-slap.
They Say No to GDPR Compliance
Dozens of American news sites chose to thumb their noses at GDPR by blocking users who hail from the EU.
Want the names of those sites? Try these: New York Daily News, Los Angeles Times, Chicago Tribune. Also: Orlando Sentinel, St. Louis Dispatch, Arizona Daily Sun. Even Pinterest’s Instapaper bookmarking app shut out EU residents.
Gizmodo said many of the news sites used a VPN service that routed internet traffic through the EU. That partly explained how they became subject to GDPR in the first place.
EU residents who attempted to access the online edition of the L.A. Times received this message:
“Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue….[We are] looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism.”
Visitors to the Arizona Daily Sun saw something similar:
“We recognise you are attempting to access this website from a country belonging to the [European Union] and therefore cannot grant you access at this time.”
Google and Facebook also numbered among the companies balking at GDPR compliance. However, unlike the others, they blocked no one. Instead, they compelled users from the EU to consent to new terms of service. Critics contend this amounted to forced consent—a violation of GDPR.
GDPR Lawsuit Names Facebook
The Austrian-based nonprofit advocacy group NOYB stands out as a vocal opponent of forced consent (NOYB stands for “none of your business”). On the day GDPR took effect, NOYB issued the following statement:
“[GDPR gives] users a free choice, whether they agree to data usage or not. The opposite feeling spread on the screens of many users. Tons of ‘consent boxes’ popped up online or in applications. Often [they were] combined with a threat, that the service cannot longer be used if users do not consent. On the first day of GDPR, noyb.eu has therefore filed four complaints. [The complaints are] against Google (Android), Facebook, WhatsApp and Instagram over ‘forced consent’.”
Attorney Max Schrems heads NOYB. In a May 25 press release, he slapped Facebook across the face with this:
“Facebook has even blocked accounts of users who have not given consent. In the end, users only had the choice to delete the account or hit the ‘agree’ button. That’s not a free choice, it more reminds of a North Korean election process.”
Ouch. Schrems added that Facebook and the others risk a big payout if he proves his case in court. Schrems predicted the four companies could ultimately owe nearly $8.2 billion for their GDPR compliance revolt.
Ironically, Facebook’s Mark Zuckerberg three days before GDPR debuted assured the European Parliament his company intended to comply. Hmmm.
Gizmodo proposed that U.S. companies alleged to be running afoul of GDPR need to undergo an audit. A GDPR audit would reveal the truth about their ability to comply, the news site said.
Speaking of GDPR audits, you can get one from Valet. Just drop us a line here.