GDPR: Here’s What’s Happened So Far

Diana Candela, Associate Director Security and Privacy

After four years of preparations and numerous revisions, the General Data Protection Regulation (GDPR), the most-lobbied piece of legislation in the history of the European Union, was finally approved by the EU Parliament in April 2016. Following a two-year transitional period, the GDPR became enforceable on May 25, 2018.

Within hours of the regulation taking effect, popular U.S. news sites were blocked for European readers. Those owned by Tronc, Inc. (including the Chicago Tribune, the Los Angeles Times, the Baltimore Sun and others) and Lee Enterprises (which operates in 21 states and owns 46 newspapers) appeared unavailable to most European site visitors.


Meanwhile, Twitter even blocked users who were underage when they signed up for the service, even though they are well over 18 now. The company suspended multiple accounts of users whose declared date of birth showed that they were underage when they signed up for the account.


Max Schrems, an Austrian privacy campaigner, filed multibillion-dollar lawsuits against Facebook (and its subsidiaries) and Google. Three separate complaints worth 3.9 billion euros in all were filed against Facebook, Instagram and WhatsApp on May 25 in Austria, Germany and Belgium. A lawsuit seeking 3.7 billion euros in damages was separately filed against Google’s Android platform with CNIL, the French privacy regulator. The basis of the complaints is that these companies are forcing the users to agree to their policies using a take-it-or-leave-it approach.

The companies have disputed the charges, claiming that they have taken appropriate measures to comply with the regulation. Google said, “We build privacy and security into our products from the very earliest stages and are committed to complying with the EU GDPR.” Facebook responded to the complaints in a similar vein, saying the company had prepared for the past 18 months to ensure it meets the requirements of the GDPR.

The series of lawsuits against tech companies didn’t stop there. On May 28, La Quadrature du Net, a French digital rights group, filed seven lawsuits with CNIL against Google, Facebook, Apple, Amazon and LinkedIn. La Quad had begun its complaint collection efforts around six weeks before the GDPR enforcement date. In that short amount of time, they were able to get over 12,000 people to join the collective complaints based on the general concept of “forced consent.”

Other Developments

  • Marc Benioff, CEO of Salesforce, called for a law similar to the GDPR in the United States. “What we need is a national privacy law, and that will really not just protect the tech industry; it’s going to protect all the consumers,” he said. “Ultimately, it’s going to protect our kids, which is really what this is all about, because we know that all these companies are looking to bring kids into their social networks as well.” On the other hand, IBM has been vocal about lighter regulation on privacy. Christopher Padilla, IBM’s vice president of government and regulatory affairs, recently said in an interview that “GDPR may work for Europe, but that doesn’t mean it should become a global standard.”
  • While the GDPR was settling in, California’s “mini-GDPR” was enacted in June – proclaiming itself a “gamechanger for the United States.” Meanwhile, although very limited by comparison to California, Vermont passed a new law that requires data brokers to register with the state to ensure that security measures are updated and to inform relevant authorities in the event of a data breach.
  • Adding to the avalanche of events, Members of the European Parliament’s civil liberties committee (MEPs) questioned the EU-U.S. Privacy Shield (the framework that controls the exchange of privacy data between the two entities for commercial purposes), urging full compliance with the GDPR by September 1, 2018. Apparently for these MEPs, the Facebook-Cambridge Analytica data breach was the last straw. Whether the resolution, which is legally nonbinding, will affect the regulation is unclear, but it adds pressure to EU regulators dealing with the U.S. and certainly does not take away from the GDPR drama unfolding around the globe.
  • Finally, the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which was enacted into law in the U.S. on March 23, 2018, allows U.S. law enforcement orders issued under the Stored Communications Act (SCA) to reach certain cloud data located in other countries under certain circumstances, such as foreign governments entering into bilateral agreements with the U.S. (within limits and restrictions). How such agreements will be structured in the context of the GDPR is unclear.

It’s difficult to say at this time how the flurry of GDPR-inspired privacy regulations will sort itself out. However, one thing we can state with confidence is that the time for privacy and security to make a grand entrance from the backroom to the boardroom has arrived. The various pieces of legislation being passed, considered and under way are likely to impact the known data protection landscape for decades to come. The exposure to fines and penalties for noncompliance is too severe to ignore. Accordingly, organizations should be following developments closely with an eye toward anticipating and preparing for a lot more scrutiny of their data security practices than many are used to.

We have covered, and will continue to cover, data privacy issues on our blog. Also check out the Data Privacy resources page on our website. Your questions and comments are welcome.
