On 25th May 2018, the EU’s General Data Protection Regulation (GDPR) took full effect across Europe, and all companies in the EU and those handling the personal data of EU data subjects now must meet the new privacy standards. Two months later, public authorities, businesses and the public are still getting to grips with the new rules, with guidance on certain aspects of the GDPR still to be issued, and data protection authorities (DPAs) still to publish their decisions on the numerous complaints lodged by data protection activists.

Multiple complaints filed

• Following the entry into force of the GDPR, companies started receiving a high number of complaints, most of them targeting large tech companies like Google and Facebook. Max Schrems, whose successful complaint led to the annulment of the EU-US Safe Harbour decision in 2015, filed a complaint on 25 May targeted at Facebook and Google which claimed that mandatory consent to use their services was not genuine consent. A collective action on the same issue has been launched by French NGO La Quadrature du Net.
• The European Data Protection Board (EDPB), the grouping of data protection authorities responsible for enforcing the GDPR, has registered an increase in complaints since 25 May. Technology companies, media groups, retailers and banks have been among those most targeted because of the large amounts of personal data they hold for their users and customers. In Austria, 128 complaints and almost 500 questions have been filed to the local data protection authority under the GDPR. In France, complaints are up by more than 50% compared to the same period last year.
• The EPDB revealed that, at European level, there are currently about 100 cross-border cases under investigation. These cases are for the first time using the ‘one stop shop’ mechanism introduced by GDPR, and DPAs are therefore sharing their experiences and learning from each other. The first decisions on the current cases are expected to be delivered after the summer.

Compliance hurdles benefitting large companies?

• The new rules are reportedly making it harder for companies – especially publishers and news organisations – to make money from targeted advertising.
• Smaller advertising players and publishers have run into difficulties in complying with the GDPR, with several US companies, such as the Los Angeles Times and the Chicago tribune, suspending their activities in Europe because of the new standards.
• In response, Facebook and Google, which have understandably committed significant resources to prepare for the GDPR, have reportedly expanded their online advertising footprint. This raises the question of whether privacy rules hinder online competition.

International impact

• The response in the US to the GDPR has been mixed. Whilst the recent Facebook/Cambridge Analytica controversy has sharpened attention on privacy standards – and the EU’s new regime – there remains resistance to adopting similar rules.
• Willbur Ross, the US commerce secretary, has argued that Europe’s privacy standards would likely reduce global trade and create barriers for international law enforcement to share data. Nevertheless, California has recently adopted its own strict privacy rules which will come into effect in 2020. Meanwhile, other countries have started reviewing their rules, including Japan, Argentina & India soon.

Impact on data flows

• Members of the European Parliament have claimed that the current EU-US Privacy Shield no longer provides adequate protection for EU data subjects, calling for the scheme to be suspended in September if no improvements are made.
• Whilst this may indicate a toughening of conditions for reaching adequacy status, it is notable that the EU and Japan this month reached an agreement on data flows, the first such agreement since the introduction of the GDPR.

Finally, it should be noted that the EPDB is still to publish its guidelines on certification, almost two months since the new rules came into effect. A public consultation on draft certification guidelines closed on 12 July, with the final text published shortly. Once appropriate certification schemes are in place, businesses will have an additional option for demonstrating compliance and thus facilitating data flows.