The EU General Data Protection Regulation (GDPR) entered into force on the 25th of May 2018. Since then, companies have spent billions of dollars to ensure compliance with the new law. The top 500 U.S. companies alone spent about $7.8 billion to comply with the strict requirements of the GDPR. Despite the extensive media coverage of the GDPR, many myths still surround this relatively new EU law. In this article, we discuss five of them.
Myth 1: GDPR is an EU law that does not apply to non-EU companies.
Legal instruments are often subject to the principle of territoriality: a law adopted in one country is valid only in that country. For example, a U.S. patent provides patent protection in the United States only. However, the authors of the GDPR deliberately took a different approach in order to ensure that the personal data of EU residents would not be exploited by unscrupulous foreign companies. The GDPR applies to non-EU companies:
- Offering goods/services to EU residents,
- Monitoring the behavior of EU residents, or
- Having branches in the EU (if the activities of the branches include data processing).
(For more on this, read GDPR: Do You Know if Your Organization Needs to Comply?)
Myth 2: GDPR just scares people, but no actual fines are imposed.
The World Wide Web consists of more than 1.5 billion websites. Many of those websites sell goods and/or services to EU residents and fall within the scope of the GDPR. It is unrealistic to expect that all of them will comply with the requirements of the GDPR, including, but not limited to, identification of data flows, conclusion of data processing agreements, and preparation of comprehensive privacy policies.
Certainly, not all e-commerce businesses have the financial and human resources to meet the high standards imposed by the new EU privacy law. However, the EU data protection authorities follow the legal principle “Ignorantia juris non excusat” (or “ignorantia legis neminem excusat”), which dates back to Roman times. In English, it can be translated as “Ignorance of the law is not an excuse.” Although the GDPR has only recently entered into force, more and more data protection authorities are imposing hefty fines on privacy violators. For example, in January 2019, the French data protection authority imposed a 50 million euro fine on Google for violating the GDPR. The authority justified its decision to fine Google as follows: “The amount and the publicity of the fine are first justified by the seriousness of the deficiencies identified concerning the basic principles of the GDPR: transparency, information and consent.” Germany, a neighbor of France, sanctioned a social media company for infringing the GDPR with a much lower fine (20,000 euros). However, even that amount can have severe consequences for startups and small companies.
- Installing a cookie pop-up banner
- Conducting data mapping
- Appointing a data protection officer
- Implementing a process for notifying the relevant data protection authorities in case of a data breach
- Concluding data processing agreements with data processors
- Ensuring that data processors in non-EU countries have adequate levels of data protection
Myth 4: If I am fined for violating the GDPR, I will need to pay a few hundred euros.
The sanctions for GDPR offenses should not be compared with those for parking offenses, as the former can have a much more serious impact on society than the latter. For instance, a company that sells the personal data of its customers to data brokers may put the private lives of millions of individuals at risk. Such data brokers may sell the personal data to spammers who will bombard the mailboxes of the data subjects with unsolicited messages, forcing them to waste valuable time reading and deleting spam. GDPR infringements may also lead to the unauthorized publication of personal information. Nowadays, any publicly available personal information about an individual may have negative consequences for that individual's career, because employers often “Google” the names of prospective employees, and personal information such as a photo taken at a student party may make the wrong impression on them.
Therefore, the EU data protection authorities will likely impose serious fines on infringers of the GDPR. The fines of 50 million euros and 20,000 euros mentioned above clearly indicate that the fines imposed on non-compliant entities will range between thousands and millions of euros. (Not being compliant can also make you the target of cybercrime. Learn more in How Cybercriminals Use GDPR as Leverage to Extort Companies.)
Myth 5: If I comply with the GDPR, I will automatically be compliant with all EU privacy laws.
One of the goals of the GDPR was to create a harmonized EU legal framework that applies directly in all EU countries. Although this goal was achieved to some extent, individual EU countries still have discretion with regard to certain aspects of the law. Consequently, each EU country is authorized to adopt separate supplemental rules regarding the GDPR. At present, at least 70 such rules exist, many of which relate to the processing of employee data. Hence, companies wishing to comply with the GDPR need to comply not only with the regulation itself, but also with the supplemental rules adopted by individual EU countries.
Self-help books may be very helpful in various domains, such as psychology, managing personal finances, and starting a business. However, one should be cautious about any publication that offers an easy way to comply with the GDPR. Such publications often spread myths and put their readers at risk of a substantial fine. Few people would try to become compliant with U.S. securities legislation and the comprehensive rules of the U.S. Financial Industry Regulatory Authority without using the services of securities experts. However, many people still naively believe that they can comply with the GDPR (a law no less complex than the U.S. securities laws) by purchasing a template for $20 and posting it on their website.