GDPR: It’s Still a Thing!
Below is an internal email that went out to our Unbounce team earlier this week highlighting that even though the deadline for GDPR has passed, there is always work to be done. GDPR was a resource intensive, company wide initiative; we continue to prioritize the privacy and security of your data. For this reason we’re lifting the curtain on how we continue to engage our team on this important topic.
We want to be up front that nothing in here is legal advice, and if you have questions about your compliance obligations, please reach out to a lawyer.
As you all probably know, on May 25, the General Data Protection Regulation went into effect, updating Europe’s data protection laws for the first time in 20 years. It’s easy to think of May 26 and onward as “post-GDPR” but the truth is, May 25 was simply the implementation deadline — we are now living in a GDPR world, and compliance is an ongoing effort.
First of all, GREAT JOB to everyone whose work has been, and continues to be, impacted by GDPR (which is basically everyone). We should all be proud of our increased privacy and security awareness, flexibility surrounding new processes, and focus on due diligence. Compliance ain’t easy, but it’s worth it.
So what’s been happening since GDPR went into effect? What’s been going on in the world of data privacy? Is all of our hard work still relevant? I’m glad you asked. As there has been SO MUCH in the news lately about GDPR, and data protection generally, I wanted to send out an update for anyone interested in the topic, or in non-medicinal sleep aids.
Below are a few articles from just the past week. (I plan to send out sporadic updates like this on an ad hoc basis — they come in waves.)
Tl;dr there’s been a lot of movement, enforcement is happening, Privacy Shield is being enforced but is also at risk, investigations are ongoing, and we’re still waiting to see how it’ll all play out in the end. Also, and this is really, really important, hence the bolded font, if you have a project that might touch personal data, please reach out before starting so we can perform a legally required risk assessment.
Now for the news:
- Companies have begun using “GDPR” as a shield when courts subpoena documents, citing the “burden” caused by data protection requirements. However, it’s going to be challenging for big companies like Microsoft to prove that the burden of GDPR compliance overrides their discovery obligations. While this is currently only happening in the US, no one has yet been able to claim, successfully, that heavy personal data obligations in Europe prevent them from providing documents in court. This is one of the few areas where smaller companies may actually have an advantage over larger companies, as it’ll be easier for them to prove a significant burden. https://biglawbusiness.com/microsoft-cant-use-eu-privacy-regime-to-escape-document-request/
- The US Federal Trade Commission (FTC) is enforcing Privacy Shield against companies that claim certification but have actually let it expire, or have failed to complete the certification process. Privacy Shield is the EU-US treaty that allows FTC-regulated US companies to self-certify that they adhere to personal data protection principles substantially equivalent to what the EU requires. The EU Parliament recently called for Privacy Shield to be suspended due to US non-compliance, so greater enforcement here is good. (Plus, a lot of our vendors rely on Privacy Shield as their data transfer mechanism, so the longer this lasts, the better for Unbounce…) https://www.lexology.com/library/detail.aspx?g=af754c89-3ea4-4a6c-ac47-5e65ef733879
- Since GDPR went into force, there’s been a dramatic increase in the number of complaints filed against companies; EU data supervisory authorities believe fines and other penalties could be levied in earnest by the end of this year. http://www.itpro.co.uk/general-data-protection-regulation-gdpr/32082/eu-expects-first-gdpr-fines-to-be-levied-before-year Related, Austria issued its first GDPR fine to a business owner whose security camera monitored too much of the sidewalk. The fine of EUR 4,800 was for “large scale monitoring of public spaces” and for failing in his “transparency” duty (meaning, it was not made clear that surveillance was taking place). http://digital.freshfields.com/post/102f39w/first-gdpr-fine-issued-by-austrian-data-protection-regulator
- The EU’s civil liberties committee has recommended reviewing and updating Europe’s competition laws to apply to big tech, in light of Facebook’s recent breaches. They also issued proposals to reduce the risk of social media being used for election interference. Related, the EU Commission released a voluntary Code of Practice aimed at tackling online disinformation, and the civil liberties committee renewed its call to suspend Privacy Shield. https://techcrunch.com/2018/10/11/audit-facebook-and-overhaul-competition-law-say-meps-responding-to-breach-scandals/
- A new protocol (essentially an amendment) to the Council of Europe’s Convention 108, the world’s only treaty to address data protection, was signed by 21 countries. https://www.coe.int/en/web/portal/-/council-of-europe-treaty-bolstering-data-protection-opened-for-signature
- The EU data protection board is investigating Twitter for refusing to disclose the data it collects when an individual clicks on a t.co shortened URL. http://fortune.com/2018/10/12/twitter-gdpr-investigation-tco-tracking/
So what does all this mean for Unbounce? It means we need to continue prioritizing data protection, and keeping track of when, how, and why we use personal data.