Landmark EU privacy law GDPR enters into force, leaving many companies in state of confusion
Andrea Jelinek, Chair of the European Data Protection Board, speaks during a media conference on the occasion of the entry into application of the General Data Protection Regulation in Brussels on Friday, May 25, 2018. (AP Photo)


The EU's flagship new data protection laws came into effect on Friday but hit an early hitch as several major U.S. news websites were blocked to European users.

The Los Angeles Times and Chicago Tribune newspapers were among those inaccessible on the other side of the Atlantic following the entry into force of the General Data Protection Regulation (GDPR).

Separately, Facebook and Google already face their first legal cases under the new law after an Austrian privacy campaigner accused them of effectively forcing users to give their consent to the use of their personal information.

The EU has billed the GDPR as the biggest shake-up of data privacy regulations since the birth of the web, saying it sets new standards in the wake of the recent Facebook data harvesting scandal.

But it has also been blamed for a flood of emails and messages in recent weeks as worried firms rush to request the explicit consent of users.

It led to the hashtag #HappyGDPRDay taking off on social media as people sarcastically celebrated the end of the deluge of spam.

Even though the rules were officially adopted two years ago, with a grace period until now to adapt to them, companies have been slow to act, resulting in a last-minute scramble this week.

Companies can be fined up to 20 million euros ($24 million) or four percent of annual global turnover for breaching the strict new data rules for the EU, a market of 500 million people.

'Currently unavailable'

Several firms experienced real-world problems over complying with the EU laws, with U.S. newspapers owned by the Tronc group, formerly known as Tribune Publishing, saying that they were blocked to Europeans for now.

"Unfortunately, our website is currently unavailable in most European countries," said the message carried by the LA Times, Chicago Tribune, New York Daily News, Baltimore Sun and Orlando Sentinel.

"We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism."

Local U.S. newspapers owned by Lee Enterprises, including the St. Louis Post Dispatch and Arizona Daily Sun, were also out of reach, explicitly blaming the GDPR.

The European Commission insisted that it was not responsible for the blackout of some U.S. sites, saying it was "proud to set high data protection standards" for the bloc's 500 million citizens.

"We have seen the press reports, but it is not for the Commission to comment on individual companies' policies in terms of offering services in the EU," a spokesman said in an emailed comment to AFP.

"We expect all companies to fully comply with the General Data Protection Regulation as of today. With the new rules in place, EU data protection authorities will watch over their correct application across the EU and ensure full compliance."

Critics say the new rules are overly burdensome, especially for small businesses, while advertisers and publishers worry it will make it harder for them to find customers.

The GDPR clarifies and strengthens existing individual rights, such as the right to have one's data erased and the right to ask a company for a copy of one's data.

But it also includes entirely new mandates, such as the right to transfer data from one service provider to another and the right to restrict companies from using personal data.

"It's a gradual and not a revolutionary kind of thing ... However, for many companies it was a huge wake-up call because they never did their homework. They never took the data protection directive seriously," Patrick Van Eecke, partner at law firm DLA Piper, told Reuters.

Activists are already planning to use the right to access their data to turn the tables on internet platforms whose model relies on processing people's personal information.

That means companies are having to put in place processes for dealing with such requests and educating their workforce because any non-compliance could lead to stiff sanctions.

Studies suggest that many companies are not ready for the new rules. The International Association of Privacy Professionals found that only 40 percent of companies affected by the GDPR expected to be fully compliant by May 25.

'Forced consent'

Meanwhile, campaigner Max Schrems said he had launched four court cases on Friday under the new law.

They target Google in France, picture-sharing site Instagram in Belgium, WhatsApp in Germany and Facebook in his native Austria.

The problem with all these sites, he said, is the pop-ups that have been appearing on them in recent weeks, asking users to agree to new terms of use. He added that this amounts to a system of "forced consent" from users.

A previous case brought by Schrems against Facebook triggered the collapse of a previous EU-U.S. data sharing agreement.

Brussels says the new laws put Europeans "back in control" of their data.

"When it comes to personal data today, people are naked in an aquarium," said EU Justice Commissioner Vera Jourova.

The law says individuals must explicitly grant permission for their data to be used. It also establishes their "right to know" who is processing their information and what it will be used for, and gives them the "right to be forgotten".

Parents will decide for children until they reach the age of consent, which member states will set anywhere between 13 and 16 years old.

The case for the new rules has been boosted by the recent scandal over the harvesting of Facebook users' data by Cambridge Analytica, a U.S.-British political research firm, for the 2016 U.S. presidential election.

Facebook chief Mark Zuckerberg, apologizing to the European Parliament on Tuesday over the scandal, said his firm will be "fully compliant" with the EU law.

Data portability

It is unclear how many provisions of GDPR will be interpreted and enforced. European regulatory authorities, many of whom say they are under-funded, will oversee the new law, with a central body to resolve conflicts.

One key provision of GDPR, the right to data portability, is causing particular confusion.

"I think the data portability rights are pretty significant and are going to take a while for people to figure out what the bounds of them are and how to go about complying with them," said David Hoffman, director of security policy and global privacy officer at Intel.

For example, music streaming services such as Spotify create playlists for users based on their music preferences. While a user seeking to exercise the data portability right would be able to move playlists he or she created, the situation becomes fuzzy if the playlists are created by the streaming service using algorithms.

EU data protection authorities said individuals should be able to transfer data provided by them but not "derived data" created by the service provider such as algorithmic results.

"It's not obvious that you can necessarily migrate the data from your system to somebody else's system," Tanguy Van Overstraeten, of Linklaters, said.

On the business side, companies are rushing to renegotiate contracts with suppliers and service providers because GDPR increases their liability if something goes wrong.

Data processors which only process or store the data on behalf of their clients, for example cloud computing providers, will be directly liable for sanctions and could face lawsuits from individuals, and that needs to be reflected in contracts.

"After 20 years of data protection legislation in place, it's only now with the GDPR they (companies) start to think about 'what's my role in the whole story? Am I a data controller or data processor?'" Van Eecke said.