The wave of receiving dozens of policy change emails for almost every digital account your emails are tied to, is finally over. As soon as GDPR officially came into effect on May 25th 2018, it was like the internet had instantly transformed. It only makes sense. After all, the rules and repercussions of this highly-anticipated regulation has caused stress and attention to organizations large and small. The internet users who have noticed the biggest difference are citizens in European Union member countries. From instantly losing access to certain websites, to having significantly faster loading times on others, this is truly an interesting and impactful change. Let’s recap what we have seen in the first month of a world with GDPR.
Fewer Services Available for EU Visitors
Multiple sites have blocked access to European users until they iron out their GDPR compliance, if that is even in their plans. A huge swath of these are news sites including the LA Times and Chicago Tribune who have both committed to changing this limited access in the future. Other sites remain available but ask for consent for user data. NPR allows you to decline their new data protection rules by offering an option to browse the plain-text version of their website instead. Pinterest-owned Instapaper and email unsubscribing service Unroll.me are among the list of web services that have halted availability to EU residents indefinitely. Not all websites and services have properly prepared for GDPR yet. After the line is clearer as to how heavily and when GDPR will be enforced, we will probably see a lot of these types of safety measures being taken until organizations feel comfortable with the regulation. Meanwhile, Twitter is blocking any users that it believes were under 13 years old when the signed up even if they are older than that now, in an effort to be compliant.
A longtime critic of Facebook and Google’s data collection practices filed lawsuits against both companies within a few hours of GDPR coming into effect. Google received separate complaints for Gmail, Youtube, and its Search from a different group in France. Apple, Amazon, and LinkedIn are also facing lawsuits within the first week from the same French digital rights group. To avoid lawsuits companies are requiring visitors to consent to having their data exploited in ways that do not align with the “use data for core service delivery only” requirement within GDPR. ICANN, the non-profit that runs WHOIS filed a lawsuit because one of their main European DNS registrars,EPAG, who has decided to no longer collect WHOIS information in fear of getting fined due to GDPR requirements. The contract between ICANN and EPAG requires them to collect this information and pass it along. This suit will hopefully clear up this grey area within GDPR and how data is collected and shared between organizations.
GDPR and Blockchain Clash on a Fundamental Level
Article 17 of GDPR mandates that a data subject should have the “Right to be forgotten.” Basically, it says that data subjects have the right to erase their personal data without delay. This is designed for scenarios where data is centrally stored and processed. A fundamental part of blockchains is decentralized data storage that is tamper-proof. This makes GDPR and blockchain incompatible at first glance. GDPR and blockchains aim to do the same thing - give control back to individuals, but immutability and the right of erasure cannot co-exist as things stand today. Although GDPR is widely agreed upon to be a step in the right direction, is it worth the risk of harming innovative technology?
California Comes Next
California passed a law very similar to GDPR about one month after GDPR was released. This new law grants consumers the rights to know what information companies are collecting about them and how it is used. It also gives consumers the right to request companies delete their data and not share it with anybody. Businesses also must give consumers the same quality of service even if they opt out of allowing their data to be shared. It will be easier for consumers to sue companies and it will be harder to share or sell data on anybody under the age of 16. This legislation goes into effect in January 2020 and gives state attorney generals the authority to fine companies that breach the regulation.
Organizations all over the world have prepared heavily for GDPR compliance. A lot of people are comparing the entire process to preparing for Y2K. Many organizations are still figuring it out while being extra cautious - probably waiting to see a few examples of non-compliance. The whole world is waiting to see what GDPR enforcement looks like with it’s potentially detrimental fines. With a handful of lawsuits and GDPR complaints already filed against them, tech giants are already at bat to defend themselves from multi-million dollar fines. California is following suite and brought a bunch of the same mandates as GDPR to the United States that won’t take effect until 2020.