A Nasty Shock


A number of companies, big and small, appear far from ready for the GDPR

A great revamp of data protection rules in the EU are now only months away. The General Data Protection Regulation (GDPR), which will provide a more robust and aggressive framework than the current Data Protection Directive, is set to come into force on May 25th. According to the UK’s Information Commissioner, the GDPR is “the biggest change to data protection law for a generation.”

But despite the emphasis that various legal experts have put on the Regulation, the attitude by companies, who will no doubt be affected, has appeared to be worryingly lax. It was reported by The Federation of Small Businesses (FSB) that under a fifth small businesses were unaware of the upcoming laws. A third of those who knew of them only did so vaguely. Furthermore, over two-thirds have either not taken the initial steps to prepare or are still in the beginning stages of compliance.

It is not just small companies which may be in trouble. An examination of Facebook’s advertising model, according to academics at the Charles III University of Madrid, shows that the social media giant would be falling short of the GDPR’s standards too. In a recent paper, it was determined that the site contravened the Regulation in a number of ways. This includes Article 9, which declares that the processing of data which reveal certain aspects of the data subject, such as race or political opinions, is prohibited. There are exceptions to this though, but Facebook would seem to not meet any of them.

One way around the prohibition is by gaining the consent of the data subject to process such information. Currently, such consent is merely inferred by users liking a page or clicking on an ad, which hardly satisfies the requirements of the Regulation. Consent needs to be explicit.

Another exemption from Article 9 is where “processing relates to personal data which are manifestly made public by the data subject.” However, it is typically the case that the activity of users on Facebook is not intended to made public in the way suggested in this provision, and thus this exception would not apply to Facebook either.

It would therefore seem that companies on both sides of the Atlantic, big and small, are putting little energy into their GDPR-compliance plans. The reasons for this may be twofold, one relating to companies in America and other to those in the UK. With regard to the likes of Facebook and other US-based tech firms, the approach to the GDPR seems to be a continuation of the overall struggle to follow EU rules on data protection. The divergence in regulatory approaches to this area results in a notable clash. In America, there appears to be a more sporadic and rather unclear legal framework concerning data protection. The source of the right to privacy is fragmented across the laws of individual states, federal law and some international treaties.

Contrastingly, EU embodies a far clearer and uniform approach to data protection. The GDPR essentially instructs data controllers and processors to protect the fundamental right to data protection under Article 8 of the EU Charter. Consequently, many of these American technologies set up subsidiaries in Europe invoking privacy policies predominantly designed for a jurisdiction which is less stringent and demanding. Thus, the Regulation will be an interesting test for these companies when it eventually becomes law.

While UK companies may already be accustomed to a more rigorous data protection framework, some may think that the GDPR is a just a technical update of the Directive. They would be mistaken. The Regulation is more detailed and goes much further than the Directive in numerous aspects, many of which will require companies to change the way they collect, process and store data.

Luckily, the Information Commissioner’s Office has been willing to lend a helping hand. As well as providing advice to businesses currently on how to prepare for the GDPR, the regulator has also suggested implementing a so-called ‘safe harbour’ scheme. This would allow businesses to admit themselves when they are in breach of the Regulation from which the Office would offer further advice on how to become compliant rather than imposing fines, which would be a last resort.

But the Office will only help to a certain extent; persistent breaches will face fines of £17 million or 4 per cent of annual global turnover (whichever is higher). This should be enough of an incentive for companies in the UK to do what they can to be ready for May. Also, Brexit would not make a difference; the Regulation comes into force before the UK leaves the EU next year and a Bill is currently going through Parliament to give effect to its provisions. But the FSB’s findings show a rather unconcerned approach to the new laws so far. If this continues up to and beyond the activation of the Regulation, then some companies may be in for a nasty shock.


Asunción Esteve, ‘The Business of Personal Data: Google, Facebook, and Privacy Issues in the EU and the USA’ (2017) 7 International Data Privacy Law 36