
GDPR in the USA: What’s Next?

GDPR-mania has arrived. With the new European Union (EU) law taking effect on May 25, 2018, the Internet will never be quite the same. Opinions on GDPR are all over the map, and lawsuits have already been filed. Here’s a media roundup on what organizations in the USA and around the world are saying, and doing and planning regarding GDPR.

GDPR is here
Most privacy advocates are ecstatic. But many others say the sky is about to fall because of the new privacy regulations.

The big day for General Data Protection Regulation (GDPR) finally arrived this week, and global reactions are all over the map.

What is clear is that the World Wide Web is becoming more segmented, with different rules in different countries and regions that go far beyond the Chinese firewall or Iranian Internet isolation.

Here are some of the diverse media headlines from the past few days on GDPR:

More Background on GDPR

General Data Protection Regulation (GDPR) is a regulation in EU law (2016/679) on data protection and privacy for all individuals within the European Union. It also addresses the exportation of personal data outside the EU.

This video clip from CNBC is supportive of the new EU privacy rules, saying that it is about time to give users control of their data back.

However, many other perspectives are expressed, making the case that the biggest companies are well-equipped to deal with GDPR while small companies will be harmed the most. Gina Sanchez, CEO of Chantico Global, said, “The right to your digital footprint is a human right in Europe but not in the US. This is the biggest difference between the US and Europe now.”

The BBC reported that some high-profile US news websites are temporarily unavailable in Europe after new EU data protection rules came into effect.

“The Chicago Tribune and LA Times were among those saying they were currently unavailable in most European countries.

CNN and The New York Times were among those not affected. The Washington Post and Time were among those requiring EU users to agree to new terms.

In the UK, which is due to leave the EU in 2019, a new Data Protection Act will incorporate the provisions of the GDPR, with some minor changes. …”

Lawsuits? Already?

As many experts predicted, it didn’t take long for high-profile lawsuits to be filed. reported: “That didn’t take long.”

“Regulation (GDPR) going into effect today, a privacy group accused Facebook (FB), Alphabet (GOOGL)'s Google, WhatsApp, and Instagram of violating Europe's strict new data-protection law.

Austrian lawyer Max Schrems, a frequent critic of Facebook's privacy policies, on Friday filed complaints that claim the companies forced members to consent to terms of service with a "take it or leave it" threat.

"Tons of 'consent boxes' popped up online or in applications, often combined with a threat, that the service cannot longer be used if user(s) do not consent," Schrems’ nonprofit organization, NOYB, said in a statement. …”

Fortune magazine discussed the major GDPR impact by describing our new “Balkanized Internet.”

“A little Balkanization of the web, in other words, can be a healthy exercise of democratic power and pluralism. The trouble is deciding where to stop. In the near future, will there be one Internet for Americans who live in blue states and another for those in red states? (Alas, this is already the case in many respects given how sites like Facebook and Twitter create so-called “filter bubbles” that serve up news and opinions we already agree with). …

The disappearance of U.S. websites may be a victory for E.U. regulators, but it’s also a further blow to diversity and freedom online. …”

U.S. Federal, State and Local Government Reactions to GDPR

While the focus on GDPR is on Europe, some companies have declared that they will offer the same privacy protections to all customers — no matter where you live. Nevertheless, this approach to privacy is not the general rule or approach taken by organizations outside Europe.

There are several helpful articles that examine how the new EU legislation will impact U.S. governments.

During a recent webcast regarding GDPR and the states that was held by the National Association of State CIOs (NASCIO), the privacy experts from several states expressed the view that state governments that market to Europeans need to take special notice of GDPR-required actions. For example, travel and tourism agencies that try to get Europeans to come to states like Florida or Tennessee need to understand and prepare for GDPR in their emailing lists and uses of data collected.

However, the majority of the government discussions focused on how most state and local government functions that address U.S. citizens will not be impacted directly by GDPR.

A 'Dark Side' to GDPR — or Not?

It is clear to me that heated discussions on GDPR are just ramping up, and the disagreements will not be going away anytime soon.

One example of this came from reactions to a posting on LinkedIn. When I posted the PC Magazine commentary article entitled “The Obvious Consequences of GDPR,” the feedback was mostly harsh.

The viewpoint expressed in the article is summarized by these quotes: “This law is going to make a mess sooner rather than later. ... GDPR is tough and the punishment for non-compliance is draconian. For example, a breach of record-keeping obligations incurs a fine of 10 million euros or 2 percent of global income, whichever is more. Infringing people's data rights or any sort of unlawful transfers of data out of the EU results in a fine of 20 million euros or 4 percent of global income, whichever is higher. …

The way I see it, GDPR is going to make a mess sooner rather than later. I also suspect that Google, Amazon, and Facebook are primary targets so the EU can soak them with big fines.”

LinkedIn comments came from industry pros like Jason A. Powell from the Cincinnati, Ohio Area:

“This article is absolutely filled with inaccuracies and wild conjecture. Fear, uncertainty, and doubt (FUD) is neither appropriate nor effective in the face of material business or societal change. Let’s instead have a cogent, objective, and factual conversation about legitimate concerns. …”

Mark Lomas, a senior consultant at Capgemini in St Albans, United Kingdom, wrote (UK spelling):

“The article suggests that processing requires explicit consent. Consent is one of several mechanisms to authorise processing, not the only mechanism. Here in the UK the Information Commissioner's Office has already issued guidance explaining several circumstances under which it is inadvisable to rely upon consent as the legal basis for processing.

The article also mentions fines for non-compliance. I predict that regulators and courts will distinguish between willful non-compliance and accidental non-compliance, and the impact to data subjects, when deciding whether to prosecute and the magnitude of fines.

Regulators are pragmatic. They have limited resources so they will prioritise investigation and prosecution of the most serious offences. However, they might also consider whether an organisation belongs to an industry where non-compliance is widespread.”

My Final Thoughts

I cannot do justice to the GDPR ramifications in one blog post. No doubt, I will certainly be returning to this GDPR topic in the months and years ahead, along with the wider privacy regulation topic.

Nevertheless, I think it is very important, even necessary, for readers in the USA to understand GDPR and its impacts on security, privacy, our global online business and activities, and our personal lives.

Chris Roberts, a respected security industry expert who has hacked everything from planes to cow-milking machines, said that the criminals are just laughing at this GDPR-mania. According to Chris, the criminals couldn’t care less about any of this, because they just ignore all of these laws anyway. In fact, the bad actors welcome the extra attention and resources going to other places as they hack away.

While Chris’ point may seem obvious, and GDPR is intended to impact how businesses use data and not criminal behavior, the question remains open as to whether this new normal regarding privacy will make things “better” online or not. Also, who decides?

Only time will tell what twists and turns and impacts are ahead for GDPR. But as Albert Einstein once said: “The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it."

Now we will find out if those in the EU who did “something big” about privacy were on the right track. However, specific answers are still a bit away due to the courts cases and rulings on fines that will probably take years to resolve.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.