125 days into GDPR: Five early experiences

27 September 2018

In the weeks right before GDPR went into force, it appeared as if the Internet was approaching its final days. Let’s start with the good news: You can still read this article without any problems. What are the first trends that are emerging in the way GDPR is handled?

Inboxes and websites flooded with warnings

The most obvious change lies in the fact that the countless number of banners and messages regarding data protection has increased yet again. Some of these notices came as a surprise since one would not have expected a particular service provider to store data.

Unfortunately, many popups and emails were awful misinterpretations of GDPR. Quite often these annoying messages do not really leave the user a choice. Instead of asking for consent (“opt-in”), many service providers are using the American “notice and choice” principle which simply displays a notice together with an “Okay” option. This hardly constitutes legal permission to use data.

The highs and lows of implementation

Businesses should see GDPR as an opportunity to change their way of thinking and leave “fishing for consent” behind: In business practice, most processing activities are “necessary to fulfil the contract” and do not require explicit consent. Checkboxes asking the users to do so should therefore be a thing of the past.

If a website does provide additional functionality which is not essential for a particular product, “inline consent” can for example be used to offer customers a real choice. In this case, a “Yes/No” choice is placed at a logical position within the text. It perfectly meets the requirements of GDPR and also allows to adjust products to the demands of customers.

A barrage of complaints with authorities

In the course of the implementation of GDPR, a barrage of complaints set on precisely because many businesses had been informing their customers. The Austrian authority, for example, received more than 720 complaints. It remains to be seen whether this hype will be a permanent one or is only a surge. There are strong indications that the situation will soon get back to normal.

The first cases have started their journey through the legislative system

It didn’t take long for the first legal proceedings to start their journey through the Austrian legislative system. Via Ireland, a complaint against Facebook regarding “forced consent” lies with the European Data Protection Board, a complaint regarding the right of access in connection with banking data lies with the Federal Administrative Court following a decision against the bank, and a first financial penalty of € 4,800 has been taken out against a betting shop in Styria for illegal video surveillance.

A radical approach adopted by international providers

Several international providers, in particular US media, have chosen a particularly radical approach. They quite simply closed their services to the European market. From a business perspective it makes sense that local US media see no use in adapting their products to EU data protection for a very limited number of users from Europe. In this matter, European legislation reaches its limit. But within Europe, this is not an option.