Gazing Into GDPR's Crystal Ball
Originally Published at EvolveTheLaw.Com
The world entered a “new age” of data privacy last month when the General Data Protection Regulation (“GDPR”) became law.
Or did it?
This question, among others, remains unanswered in the foggy aftermath of GDPR’s long-awaited arrival. It’s still unclear who the biggest winners are in the new GDPR reality. Consumers with personal data? Consumers of personal data? Or, the newly empowered European regulators, vowing to protect both?
We also cannot yet see the specific grounds on which GDPR cases will be filed and if EU courts will succeed in overcoming the jurisdictional “long arm” hurdles required to enforce a 20MM or 4% of global revenue fine against U.S. companies.
With all this yet to unfold, we invite you to gaze into our GDPR crystal ball.
Ireland Becomes GDPR’s Ground Zero
As our crystal ball swirls, one name emerges from a green mist. Helen Dixon.
Privacy law experts are already familiar with Ireland’s chief Data Protection Commissioner. She’s the official responsible for overseeing the data processing activities of U.S. tech giants operating overseas. Apple, Facebook and Google all maintain offshore offices in Ireland for a variety of reasons, including favorable tax status and a well-educated, tech-savvy Irish workforce.
Significant U.S. corporate presence will make the Emerald Isle the Ground Zero of GDPR. Studies completed after the recent Irish recession show U.S. companies continued to invest in Ireland despite tough economic times, benefiting Ireland to the tune of almost $300 billion over the past two decades, and nearly 700 companies with names like Intel, Dell, Pfizer and Hewlett Packard.
Extremely deep coffers aside, the Irish DPA also enjoys a critical strategic advantage: suing companies with well-established physical offices inside her country. This will help overcome the inevitable jurisdictional challenges to enforcing significant EU fines against those based across the Atlantic.
Claims of Fake and Forced Consent
The early slew of GDPR cases will be based on the doctrines of “fake” or “forced” consent. These have been recently articulated by the Austrian activist, Max Schrems, in his most recent cases filed on Day 1 of the GDPR.
Schrems, and others, will go after what he calls the “North Korean” style of internet consent options – tactics by tech companies that do not offer legitimate choice when it comes to processing personal data. Calling out Facebook in this regard, Schrems observes “…in the end users had the choice to delete the account or hit the agree button – that’s not a free choice.”
We are now seeing the lexicon upon which future GDPR cases will be built. Schrems plans to fight “fictitious” consent, occurring when companies obtain consent for one data purpose, but process it for another. He is also going after “bundling,” or pushing people to consent as a requirement to a service.
Giants Weather the Storm
As court battles rage, the intended targets of GDPR (hint: large U.S. tech companies) may, in fact, weather the storm.
To start, the Apples, Googles and Facebooks of the world have been hyper-focused on GDPR for two years. They have already hired armies of legal experts and now C-Level “Data Protection Officers” to avoid the penalties and political blowback of potential breaches.
More importantly, the largest tech giants operate closest to the end user. They are best positioned to establish the “lawful basis” required under GDPR for data processing: consent. They do this by building out, or integrating with, consent management platforms (called “CMPs”) that procure user consent to processing. There are also more advanced machine learning (or “ML”) systems that analyze log files and unstructured data sets to rapidly locate and delete personal information.
The irony of GDPR is shaping up to be that its end result is the strengthening of its intended targets. Unintended targets, like SMEs, or those that require integration with larger players but cannot meet GDPR’s high standards, will suffer or face “market exit.”
The United States Follows Suit
Back in the U.S., we see more tech CEOs being hauled before Congress. We also see U.S. Federal and State regulators learning more about the hazards of unregulated data collection and processing. In the aftermath of Cambridge Analytica, the U.S. follows the EU’s lead in enacting new legislation to protect consumers.
We are already seeing movement like this in states like California, which recently announced the California Consumer Privacy Act ballot initiative. If enacted, this new law would bring far-reaching changes. It would drastically increase liability for any company collecting data from Californians, require an explicit opt-out label (“do not sell my personal information”) and prohibit businesses from offering different prices or services to those who opt out.
The Lawyers Always Win!
Before we put away our GDPR crystal ball, and return to the present, we ask one last question. Who are the ultimate winners and losers of GDPR?
To quote a favorite CFO friend of mine, “the lawyers always win.”