What happened?

Today the EU General Data Protection Regulation (GDPR) goes into effect, ending the data protection landscape as we know it. This comprehensive privacy law applies directly to the 28 EU countries and companies established in or doing business in those countries. Unlike its predecessor, the GDPR applies to companies established outside of the EU that offer goods or services to individuals in the EU or monitor the behavior of individuals in the EU, such as through the use of cookies. The GDPR imposes a number new of requirements on companies and raises the stakes by imposing potential maximum fines up to 4% of worldwide revenue.

It’s the end of the data protection world as we know it, and we (don’t) feel fine…

The law’s broad scope and stringent requirements have left many companies—particularly small- to medium-sized U.S. businesses with no physical presence in the EU—scrambling to implement the required privacy protections. According to surveys, the majority of companies, both within and outside the EU, are not compliant today. One April 2018 survey indicated that only 15% of companies surveyed are fully compliant. Non-compliance with the GDPR’s requirements carries particularly high risk, given the two-tiered fine structure of the GDPR, which allows regulators to fine companies the greater of up to 4 percent of their annual global revenue or 20 million euros for violations of the GDPR.

What do the regulators say?

While the potential to be assessed such massive fines has been a motivating factor for many companies, data protection authorities have sent mixed messages with regards to whether we can expect to see such high fines assessed right away. Some have indicated that should a company be subject to enforcement, if it made good faith efforts towards compliance, this would be a mitigating factor. The French data protection authority has reportedly stated that companies that have not achieved full compliance “can expect to be treated leniently initially provided that they have acted in good faith.” The Dutch data protection authority has similarly stated that while “no provision has been made in law for a grace period from compliance with the GDPR,” “an organisation can minimise and mitigate against the potential consequences and sanctions that they could face . . . [with a healthy] GDPR compliance programme. . . [and] a genuine commitment and best efforts to meeting their GDPR obligations.” On the other hand, Austrian data protection authority Andrea Jelinek, who is now the president of the newly formed European Data Protection Board (EDPB), held a press conference today and reportedly warned that “If there are reasons to warn we will warn; if there are reasons to reprimand we will do that; and if we have reasons to fine, we are going to fine.”

It’s not the end, it’s just the end of the beginning.

While statements from data protection authorities give us some insight into the enforcement approach that data protection authorities may take, a lot of open enforcement questions remain, including:

  • What will be the enforcement priorities?
  • What kinds of activities will trigger what level of fines?
  • Which EU regulators will be the most aggressive in enforcing the GDPR?
  • Will EU regulators train their attention on specific industries, and if so which ones?
  • What damages are plaintiffs entitled to in judicial actions arising out of GDPR violations?
  • How can an EU regulator claim jurisdiction over a U.S. company with no physical presence in the EU and no local representative?

U.S. companies should also pay careful attention to future EDPB guidance, rulings from the Court of Justice of the European Union, and enforcement actions that may help answer numerous substantive questions that have bedeviled companies trying to comply with vague provisions of the GDPR. Such questions include:

  • What does “large scale processing” mean?
  • How to reconcile conflicting requirements under the GDPR and the ePrivacy Directive?
  • Will courts require a de minimis threshold to trigger the GDPR’s territorial scope?
  • Are dynamic IP addresses considered personal data?
  • What constitutes a “legal effect” in the context of automated decision-making?
  • Do the data breach notification requirements cover personal data of EU residents collected while they were in the U.S.?

Now that the GDPR is in effect, we may finally get answers to these questions. At the same time, how EU regulators enforce the GDPR may create new privacy headaches for U.S. companies. For U.S. companies struggling to understand the GDPR, one thing remains certain: today marks the beginning, not the end of GDPR compliance.