GDPR Arrival Sees Certain US Websites Blocked

Friday, 25 May, 2018

Europe's tough new privacy law, the General Data Protection Regulation (GDPR), came into force today. For some companies, it's a last-minute scramble, working long hours as the deadline looms. "This will tell us a lot regarding whether the recent flurry of privacy policy modifications demonstrates an honest change in the privacy stance of those companies or is more about paying lip service to the new regulation".

Many companies have not managed to comply with the rules in time.

Although Google made sweeping changes to its privacy policy (as did Facebook, Instagram, and WhatsApp), Schrems argues that the company is violating the GDPR in that the acceptance of that policy is "all-or-nothing".

The move has renewed fears that the law, and others like it, could "Balkanise" the internet and lead to the creation of a two-tier system, with EU-based web users excluded from services and sites offered elsewhere in the world.

Companies must keep evidence or documentation of having done such assessments and mitigate data breach risks.

"You have to have a 'yes or no' option", Austrian Max Schrems said before filing complaints in European jurisdictions.

"The companies are realizing that it is not enough to get people to just click through", said Lorrie Cranor, director of the CyLab Usable Privacy and Security Laboratory at Carnegie Mellon University and the U.S. Federal Trade Commission's former chief technologist. Lots of companies have been misusing your data in smaller ways, like selling it on to third-party advertising companies.

Some designers decided to have fun with their GDP RRRRRRR emails

In a customer support email that we reviewed, the company also told one European user: "We've been advised to undergo an assessment of the Instapaper service to determine what, if any, changes may be appropriate but to restrict access to IP addresses in the EU as the best course of action".

The GDPR explicitly allows any data processing that is strictly necessary for the service - but using the data additionally for advertisement or to sell it on needs the users' free opt-in consent.

"I have everything from regulated professional colleges, right through to construction companies", Ms. Thompson said.

European regulatory authorities, many of whom say they are under-funded, will oversee the new law, with a central body to resolve conflicts. Violators face fines of up to 20 million euros ($24 million) or 4 percent of annual global revenue, whichever is greater.

Most of the time we never noticed them or what they did. In addition, 55% believe brands already have too much information on individuals.

Businesses must make all efforts to protect and securely manage all private and personal data of any European Union citizen or customer that they hold, according to the ruling.

There's another reason some companies are expanding GDPR standards beyond Europe.

On the business side, companies are rushing to renegotiate contracts with suppliers and service providers because GDPR increases their liability if something goes wrong.

What's more, the effects of the GDPR do not stop at Europe's borders.

"Similarly, those Israeli companies that process EU-resident personal data on behalf of others will need to comply with the GDPR requirements for data processors".

Local news outlets, like North Carolina TV station WRAL (screenshot courtesy of Robert Socha) and all Tronc properties have blocked access to visitors from the European Union.

"The ongoing interpretation of the detailed aspects of this regulation will determine the steps that we all will need to take to maintain compliance".