Over the past six months or so I’ve written about privacy regulations that affect many of my clients. The General Data Protection Regulation (GDPR) took effect in May 2018, and while regulators initially appeared slow to enforce it, enforcement has recently taken off, and a number of companies – primarily outside of the United States – have been hit with enforcement actions. In the UK and France, companies accused of violating the GDPR were ordered to purge data and change their consent practices after they were determined to have obtained and retained data in violation of the regulations. In Austria, Portugal, and Germany, companies have been fined as a result of inadequate security practices – one of which resulted in a data breach. Last month, France’s privacy regulator hit Google with a €50 million fine for violating the transparency and consent rules of the GDPR. Ireland’s Data Protection Commission is currently investigating Twitter over its data protection measures and a recent data breach. Other major e-commerce companies are also being investigated.
I understand that at least 100 proceedings or investigations are now pending against American companies. So, after what seemed to be a slow start, regulators are watching and taking action. Many of my clients have updated their privacy policies and conducted reviews of their data handling procedures, although most are still taking a wait-and-see approach. I recommend that all companies, but particularly those that obtain or process data of EU citizens, pursue stronger compliance initiatives by appointing a data protection officer, analyzing the data held or processed by the company, and implementing new compliance systems that fit within the GDPR framework.