Day 1 of GDPR Brings a Slew of Activity
May 25, 2018
The European Union’s General Data Protection Regulation (GDPR) went into effect today, and has sparked a wave of activity. While the GDPR has sweeping scope, and touches any industry involved in data collection, the initial wave of activity is most likely to raise concerns among U.S.-based Internet companies. Moreover, while the law tightens restrictions on how companies can collect and use consumer data in Europe, there are significant extra-territorial effects on U.S. companies. The law raises concerns both because of its wide scope and steep fines.
GDPR’s first day has been marked by activity from various groups, including consumer and privacy groups, industry, and U.S. legislators, to name a few.
- Noyb, a European privacy group, filed four complaints over “forced consent” against social media and other Internet companies. The complaints were filed with authorities in France, Belgium, Germany, and Austria
- U.S. consumer and privacy groups published a letter to large companies ranging from Internet companies to digital advertisers calling on those companies to adopt the GDPR data protection rules, claiming that “U.S. consumers and citizens do not currently enjoy effective privacy protection.”
- Microsoft announced earlier this week that it will honor GDPR rights not just in the EU, but globally, explaining that it will “extend the rights that are at the heart of GDPR to all of our consumer customers worldwide.”
- Senator Markey introduced a Resolution to encourage entities by GDPR to extend the law’s privacy protections to people in the United States.
In the United States, FTC Commissioners have been weighing in. Commissioner Chopra is urging the U.S. to emulate European regulation, while Commissioner Phillips touts U.S. efforts to develop approaches that will help U.S. companies address global regulatory challenges.
And that’s only day one! As companies grapple with the new law, and as enforcers provide more guidance, we expect that there will continue to be substantial GDPR activity.