Practical Results of Enforcing the GDPR

Sooji Lee, MJLST Staffer

After the enforcement of the European Union’s (“EU”) General Data Protection Regulation (“GDPR”), Facebook was sued by one of its shareholders, Fern Helms, because its share price fell more than “20 percent” on July 27, 2018. This fall in stock price occurred because investors were afraid of the GDPR’s potential negative impact on the company. This case surprised many people around the world and showed us that the GDPR is a sensational regulation that could result in lawsuits involving tremendous amounts of money. This post will describe what has occurred since enforcement of this gigantic regulation with world-wide impact began.

Under the GDPR, regulated entities (data controllers and data processors) must obtain prior “consent” from their users when they request customers’ personal data. Each member country must establish a Data Protection Authority (“DPA”) to comply with the GDPR. This regulation has a broad applicable range, from EU corporations to non-EU corporations that deal with EU citizens’ personal data. Therefore, after the announcement of this regulation, many United States-based global technology corporations that conduct some of their business in European countries, such as Google and Facebook, commenced processes to comply with the GDPR. For example, Facebook launched its own website, which explains its effort to comply with the GDPR.

Surprisingly, however, despite the large-scale preparation, Google and Facebook were sued for breach of the GDPR. According to a report authored by IAPP, thousands of claims were filed within one month of the GDPR’s enforcement date, May 25, 2018. This fact implies that it is difficult for current internet-based service companies to abide by the GDPR. Additionally, some companies that are not big enough to prepare to comply with the GDPR, such as the Chicago Tribune and the LA Times, temporarily blocked EU users from their websites, and some decided to terminate their service in the EU.

One interesting fact is that no one has been fined under the GDPR yet. A spokesperson for the United Kingdom’s Information Commissioner’s Office commented, “we are dealing with the first GDPR cases but it’s too early to speculate about fines or processing bans at this stage.” Experts expect that calculating fines and processing bans could take another six months. These experts foresee that once a decision is rendered, it could set a standard for future cases which may be difficult to change.

The GDPR, a new regulation with world-wide impact, has just started its journey toward proper consumer data protection. It seems many of the issues involved with the GDPR are yet to be settled. For now, no expert can make an accurate prediction. Some side effects seem inevitable. So, it is time to assess the results of the regulation and keep trying to make careful amendments, such as expanding or restricting the scope of its applicable entities, to adjust for arising problems.