From technology giant Facebook to libraries and schools, organisations are now subject to the world’s most far-reaching data privacy regulation in a crackdown aimed at protecting people from losing control over their personal information.
It’s occupied thousands of lawyers, taken years of planning and triggered billions of e-mails.
Mess up now and you can expect very little tolerance, warns Andrea Jelinek, the Austrian in charge of policing the European Union’s General Data Protection Regulation, or GDPR, which took effect on 25 May.
“If there are reasons to warn we will warn; if there are reasons to reprimand we will do that; and if we have reasons to fine, we are going to fine,” Jelinek, 57, told reporters ahead of the big day. Asked about criticism that some regulators are more lenient than others, she said that “it was like that in the past, but it should not continue in the future”.
Privacy has moved from a niche topic to one of the biggest headaches for top bosses such as Facebook founder Mark Zuckerberg, who this week was grilled by EU lawmakers about how the data of some 87m users and their friends may have been shared with a consulting firm with links to Donald Trump’s US presidential campaign.
The pressure has been increasing on firms using or processing EU personal data in the run-up to the deadline. Privacy regulators across Europe will for the first time get equal rights and responsibilities, and the same powers to mete out fines of as much as 4% of worldwide annual sales for serious violations.
EU nations will have to apply the same rules across the bloc, and give their data regulators complete independence. “We don’t like to see any deviations which will go beyond the rules and spirit” of the rules, EU justice commissioner Vera Jourova said last week.
Facebook would dodge the tough new sanctions under the updated EU rules if any violations in the Cambridge Analytica case are proven because the rules don’t apply retroactively.
‘We can get them’
Still, if companies “don’t stop on Friday, we can get them”, said Jelinek who leads Austria’s data privacy agency as well as a panel of regulators drawn from across the EU’s 28 nations. She said she’s expecting a big pile of complaints to be filed from day one of the new rules.
Regulators will “try to do our best” to deal with all complaints. She expects it won’t even be two months until the first probes will be opened, but there won’t be any fines right away.
Officials won’t just be “popping in” to companies to slap a fine on them, she said. “We are talking to the businesses, we have legal procedures to fulfil, we have to give them the opportunity to talk with us, too.”
It will be the start of a new era for everyone: “We are at the beginning of a journey, which we’re going to make together through the field of data protection.”
The last few years have seen a “paradigm shift in awareness of data protection issues”, said Andrew Dyson, a lawyer at DLA Piper in London.
“You can’t open a newspaper without reading about the latest data breach, social media scandal or unethical marketing campaign. There is regulation, but it’s from a different era and increasingly looking toothless and out of date. The GDPR will reset the balance.”
Companies “that get this right will establish high ethical standards, enhanced levels of consumer trust and be able to unlock the value of data”, he said. “Those who get it wrong face wrath of regulators, disgruntled customers and big constraints on digital innovation.” — Reported by Stephanie Bodoni, (c) 2018 Bloomberg LP