Patchy GDPR implementation puts the ball in national regulators' court

2 July 2018 9:05am

29 June 2018. By Vesela Gladicheva, Cynthia Kroet and Sam Wilkin

More than a month after the General Data Protection Regulation took effect, compliance is patchy, meaning national regulators may soon need to think about how they will enforce the new EU privacy rules.

The threat of big sanctions — up to 20 million euros ($23 million) or 4 percent of global sales, whichever is greater — wasn’t enough to get everyone into shape by May 25, even though businesses have had ample time to prepare since the regulation was adopted in April 2016.

Businesses across a wide range of industries have yet to reach full compliance with the GDPR, it is understood. And while a cottage industry has sprung up to offer “compliance solutions,” regulators privately doubt whether such tools can capture the nuance of individual companies’ obligations, MLex understands.

The GDPR is deliberately not prescriptive about the exact steps companies need to take to comply, particularly with regard to seeking consent — one of six possible justifications to process people’s data, and the hardest to define.

This vagueness allows the regulation to govern all sectors of the economy, and to some extent future-proofs it against technological advances. But it also leaves businesses without clarity on how to be compliant.

Guidance notes issued by the Article 29 Working Party — the umbrella group of EU national regulators, which has since reconfigured as the European Data Protection Board — offer a bit more clarity but no specific instructions.

The response in industry has been mixed. Some companies have implemented more protections than they probably need to, erring on the side of caution. Others have looked sideways to make sure they’re broadly in line with their competitors, MLex understands — a practice that could lead to whole business sectors being in breach of the rules.

And it’s possible that some are looking at the letter of the law and wondering how little they can get away with.

— Consumer websites —


To see the range of responses to the GDPR, it’s instructive to look at a group of companies that often sell their users’ data to advertisers: Consumer-facing websites, whether news providers, online-shopping sites, or information providers such as online dictionaries.

These sites gather data from users through tracking devices known as cookies. Some of these are essential for the sites to run smoothly — by saving language preferences or a shopping cart, for example — but others process data for non-essential purposes or pass data to advertisers or other third parties.

While cookies are governed specifically by another EU law, the e-Privacy directive, website operators must also make sure their use of cookies is compliant with the GDPR. A planned update to the e-Privacy directive, which is working its way through the EU bureaucracy, may give operators more guidance on how to do so.

Under the GDPR, websites have to seek permission from users before using their data for non-essential analytics or passing it to advertising partners. They must accompany this request with clear information, make it as easy to withdraw consent as to give it, and not collect any non-essential data by default.

A quick browse of the Internet reveals a wide range of approaches. Many of these risk being in breach of the GDPR.

Most sites display a banner at the top or bottom of the screen the first time a user visits, outlining the site’s cookie policy and asking the user to make a decision.

Some sites make users click through to a screen which gives them more information and asks them to make a choice. In some cases this choice is generic, allowing options for all analytics use and all advertising, with further options for more granular permissions. In other cases the user is taken straight to a list of partners to make individual choices.

Other sites give users an option on the banner to immediately accept a default set of conditions, without seeing what they are. In some cases the default is to opt out of all permissions, but in others it is to opt in to everything. This is often accompanied by “nudges” to accept the default: The button to do so may be big and green, while the one to see further options is small and grey.

That could give companies with an opt-in default a significant competitive advantage. With such banners appearing on nearly all consumer-facing websites, a user can quickly tire of the process and seek the path of least resistance. If it takes one click to opt in and four to opt out, many users will be nudged into doing the former.

And in most cases, despite the obligation to make it as easy to withdraw consent as to give it, websites often make it very difficult to find where to open the options again, once a user has made their initial choice.

— Regulators’ choice —

Where to draw the line on what is legal and what is not will come down to national regulators in EU countries or, if it’s a cross-border matter, the European Data Protection Board.

Most regulators would rather guide companies toward compliance rather than immediately use their multimillion-euro enforcement powers, MLex understands. But that doesn’t mean they’ll be idle.

“Independent of the cases which have been driven by complaints, we are going to be active,” Andrea Jelinek, the EDPB chair and head of the Austrian authority, said this week.

The softest approach for regulators would be to identify which companies are non-compliant, and tell them to make changes and run the process again of seeking consent wherever it was incorrectly applied. For Internet users, that would mean more procedures to click through, but they would in the end have been given a fair chance to give or withhold their consent.

But eventually regulators’ patience may run out, or they may decide that a company is so flagrantly in breach of the rules that an example needs to be set. If they do, the GDPR has given them some very big guns to wheel out.

Global Privacy in 2018