EU Law

Practical Results of Enforcing the GDPR

Sooji Lee, MJLST Staffer

After the enforcement of the European Union’s (“EU”) General Data Protection Regulation (“GDPR”), Facebook was sued by one of its shareholders, Fern Helms, because its share price fell more than “20 percent” on July 27, 2018. This fall in stock price occurred because investors were afraid of the GDPR’s potential negative impact on the company. The case surprised many people around the world and showed how the GDPR is a sensational regulation that could result in lawsuits involving tremendous amounts of money. This post describes what has occurred since enforcement of this regulation, with its enormous worldwide impact, began.

Under the GDPR, regulated entities (data controllers and data processors) must obtain prior “consent” from their users when they request customers’ personal data. Each member country must establish a Data Protection Authority (“DPA”) to comply with the GDPR. The regulation has a broad range of application, from EU corporations to non-EU corporations that deal with EU citizens’ personal data. Therefore, after the announcement of this regulation, many United States-based global technology corporations that conduct some of their business in European countries, such as Google and Facebook, commenced processes to comply with the GDPR. For example, Facebook launched its own website explaining its efforts to comply with the GDPR.

Surprisingly, however, despite the large-scale preparation, Google and Facebook were sued for breach of the GDPR. According to a report authored by IAPP, thousands of claims were filed within one month of the GDPR’s enforcement date, May 25, 2018. This fact implies that it is difficult for current internet-based service companies to abide by the GDPR. Additionally, some companies that are not big enough to prepare to comply with the GDPR, such as the Chicago Tribune and the LA Times, temporarily blocked EU users from their websites, and some decided to terminate their service in the EU.

One interesting fact is that no one has been fined under GDPR yet. A spokesperson for the United Kingdom’s Information Commissioner’s Office commented “we are dealing with the first GDPR cases but it’s too early to speculate about fines or processing bans at this stage.” Experts expect that calculating fines and processing bans could take another six months. These experts foresee that once a decision is rendered, it could set a standard for future cases which may be difficult to change.

The GDPR, a new regulation with worldwide impact, has just started its journey toward proper consumer data protection. It seems many of the issues involved with the GDPR are yet to be settled. For now, no expert can make an accurate prediction. Some side effects seem inevitable. So, it is time to assess the results of the regulation and to keep making careful amendments, such as expanding or restricting the scope of its applicable entities, to adjust for problems as they arise.


Permissionless Innovation or Precautionary Principle: The Policy Menu of the Future

Ethan Konschuh, MJLST Staffer

In their recent paper, Guns, Limbs, and Toys: What Future for 3D Printing?, published in the Minnesota Journal of Law, Science, and Technology Volume 17, Issue 2, Adam Thierer and Adam Marcus discussed the potential regulatory frameworks for technological innovations that could spur what they call “the next great industrial revolution.”  They believe that 3D printing, one such innovation, could offer such great benefits that it could significantly enhance global welfare.  However, they worry that preemptive regulations on the technology could undermine these benefits before giving them a chance to be realized.  The paper advocates for a method of regulation called “permissionless innovation,” as opposed to regulations following the “precautionary principle.”  While there are many pros to the former, it could leave unchecked the risks curtailed by the latter.

“Permissionless innovation refers to the notion that experimentation with new technologies and business models should generally be permitted by default.” It follows from the idea that unless a compelling case can be made that a new invention will bring serious harm to society, innovation should be allowed to continue unabated, and problems, should they arise, can be addressed later. The authors point to numerous benefits of this approach with respect to emerging technologies. One of the most obvious benefits is that this type of regulatory framework does not prematurely inhibit potential benefits. “Regulatory systems based on precautionary thinking focus on preemptive remedies that aim to predict the future and its hypothetical problems. But if public policy is rooted in fear of hypothetical worst-case scenarios, it means that best-case scenarios will never come about.” It would also preserve the modern startup culture where “just about anyone can afford to launch a business.” Implementing a framework based on the precautionary principle will create barriers to entry and raise the cost of innovation. This would also reduce the ability to maximize competitive advantage through trial and error, which refines the technology and the efficient allocation of resources for development. As an example of the potential detriments to competitive advantage from preemptive regulation, the authors point to the different policies of Europe and the U.S. during the mid-nineties internet explosion, where the former preemptively regulated and the latter allowed for permissionless innovation, resulting in the U.S. being a global leader in information technologies and Europe lagging far behind.

An alternative regulatory approach discussed in the article is based on the precautionary principle, which generally refers to the belief that new innovations should be curtailed or disallowed until it can be proven that they will not cause harm.  This approach, while posing problems of its own discussed above, would solve some of the problems arising under permissionless innovation.  While there are many economic and social benefits to permissionless innovation as the bedrock on which policy rests, it inherently allows for the “error” half of “trial and error.”  The whole concept is rooted in the idea of ex post regulation, creating policy to correct for problems that have already occurred.  While traditionally, as shown through the internet regulation difference and outcome between Europe and the U.S., the risk of error has not outweighed the benefits that result, new technologies pose new risks.

For example, in the realm of 3D printing, one of the hot topics is 3D printed firearms.  Current laws would not make 3D printed guns illegal, as most regulations focus on the sale and distribution of firearms, not creation for personal use.  The reasons why it might be more prudent to adopt a precautionary principle approach to regulating this technology are obvious.  To adopt an ex post approach to something that could have such dire consequences could be disastrous, especially considering the amount of time required to adopt policy and implement regulations.  Permissionless innovation could thus become a sort of self-fulfilling prophecy in that major tragedies resulting from 3D printing could result in exactly what advocates of permissionless innovation seek to prevent in the first place: strict regulation that undermines the development of the technology.

The debate will likely heat up as technology continues to develop. In the era of self-driving cars, private drones, big data, and other technologies that continue to change the way that humans interact with the world around them, 3D printing is not the only area in which this discussion will arise. The policy decisions that will be made in the next few years will have far-reaching consequences that are difficult to predict. Do the economic and social benefits of being able to manufacture goods at home outweigh the risks of legal, discreet self-armament and its consequences? The proverbial pill may be too large for some to swallow.


E.C.J. Leaves U.S. Organizations to Search for Alternative Data Transfer Channels

J. Adam Sorenson, MJLST Staffer

The Court of Justice of the European Union (E.C.J.), the European Union’s top court, immediately invalidated the 15-year-old U.S.-EU Safe Harbor Program on Oct. 6th (Schrems v. Data Prot. Comm’r, E.C.J., No. C-362/14, 10/6/15). This left the thousands of businesses that use this program without a reliable and lawful way to transfer personal data from the European Economic Area to the United States.

The Safe Harbor Program was developed by the U.S. Department of Commerce in consultation with the European Commission. It was designed to provide a streamlined and cost-effective means for U.S. organizations to comply with the European Commission’s Directive on Data Protection (Data Protection Directive), which went into effect in October of 1998. The program allowed U.S. organizations to voluntarily join and freely transfer personal data out of all 28 member states if they self-certified and complied with the program’s 7 Safe Harbor Privacy Principles. The program was enforced by the U.S. Federal Trade Commission. Schrems v. Data Prot. Comm’r, however, brought a swift halt to the program.

This case revolves around Mr. Schrems, an Australian Facebook user since 2008 living in Austria. Some or all of the data collected by the social networking site Facebook is transferred to servers in the United States, where it undergoes processing. Mr. Schrems brought suit against the Data Protection Commissioner after the Commissioner did not exercise his statutory authority to prohibit this transfer. The case applied to a 2000 decision by the European Commission which found the program provided adequate privacy protection and was in line with the Data Protection Directive. The directive prohibits “transfers of personal data to a third country not ensuring an adequate level of protection.” (Schrems) The directive goes on to say that adequate levels may be inferred if a third country ensures an adequate level of protection.

The E.C.J. found that the current Safe Harbor Program did not ensure an adequate level of protection, and therefore found the 2000 decision and the program itself invalid. This means all U.S. organizations currently transferring personal data out of the EEA are doing so in violation of the Data Protection Directive. This case requires U.S. organizations to find alternative methods of approved data transfer, which generally means seeking the approval of data protection authorities in the EU, which can be a long process.

Although the EU national data protection authorities may allow for some time before cracking down on these U.S. organizations, this decision signals a massive shift in the way personal data is transferred between the U.S. and Europe, and will most likely have ripple effects throughout the data privacy and data transfer worlds.