U.S. Websites Go Dark in Europe as GDPR Data Rules Kick In
U.S. Websites Go Dark in Europe as GDPR Data Rules Kick In
New European law foresees steep fines for companies that don’t comply with rules
By Natalia Drozdiak and Sam Schechner Updated May 25, 2018 8:29 a.m. ET
BRUSSELS—Europe’s new privacy law took effect Friday, causing major U.S. news websites to suspend access across the region as data-protection regulators prepare to brandish their new enforcement powers.
Tronc Inc., publisher of the Los Angeles Times, New York Daily News and other U.S. newspapers, was among those that blocked readers in the European Union from accessing sites, as they scrambled to comply with the sweeping regulation.
“We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market,” the company said in notices it displayed when users attempted to access its news sites from the EU on Friday morning.
Others U.S. regional newspapers owned by Lee Enterprises Inc., as well as bookmarking app Instapaper, owned by Pinterest. Inc., were also blocking access in the EU.
The EU’s General Data Protection Regulation foresees steep fines for companies that don’t comply with the new rules, aimed at giving Europe-based users more control over the data companies hold on them.
Businesses have raced to comply with the new law, but surveys indicate that a majority may not be ready.
Companies are unlikely to be blindsided with harsh penalties Friday, because the rules don’t apply retroactively—but some companies are deciding it is safer to suspend access in Europe rather than risk sanctions—which the EU’s top privacy regulator Thursday warned could come soon.
“I’m sure you won’t have to wait for a couple of months,” said Andrea Jelinek, about when the first fines could land. On Friday, Ms. Jelinek is expected to be voted in as the head of a new European Data Protection Board, which includes national data-protection regulators from each of the EU’s member countries.
As of Friday, firms that violate the EU’s privacy rules risk fines as high as 4% of their global revenue.
Companies will be required under the GDPR to report data breaches within several days. In addition, companies will often need to obtain users’ consent to process their personal information. Customers will have the right to see what data companies hold on them and can request for some to be deleted. Companies are responsible for showing they are complying with obligations.
Firms of all sizes have been racing to overhaul their systems in time for the deadline to show that the way they gather and handle information about Europeans follows the rules.
Speaking at a press briefing, Ms. Jelinek said companies should have had plenty of time to comply with the new law, given that the regulation was adopted in 2016. Lawmakers delayed the law’s implementation by two years to give the companies that time. “The situation isn’t new,” she said.
Aggressive potential penalties are likely to affect some business decisions. Large enterprises acquiring small startups that use personal data might decide against launching a service in Europe, out of concern that the startup could expose the parent to a fine based on the entire enterprise’s revenue.
“If I could choose between [launching a data-related business] in Paris and in New York…I’m going to at least advise the business people to do it in New York,” said David Hoffman, global privacy officer at Intel Corp.
GDPR arrives as Facebook Inc. is still struggling to contain the fallout from revelations that data-analytics firm Cambridge Analytica improperly obtained the personal information of as many as 87 million users of the social network.
Facebook CEO Mark Zuckerberg visited European Parliament on May 22 to answer questions about the scandal, which EU officials say only reconfirmed the need for the new privacy rules and helped promote the legislation to the broader public.
The EU’s national privacy regulators, who are each also in charge of tasks like authorizing firms’ data transfers abroad, are unlikely to have the bandwidth to crack down on large numbers of companies across different sectors. Tech companies that profit from users’ data are therefore likely to be prime targets, said EU Justice Commissioner Vera Jourova. The data-protection authority of Ireland has said it would prioritize cases where large numbers of users’ data is processed, which it considers higher-risk.
One still-unsettled question is exactly what data companies can collect. Companies are arguing that certain types of information are necessary to fulfill a contract with the user; meanwhile, activists are planning to challenge some large companies over that question.
Dale Sunderland, deputy commissioner at Ireland’s privacy regulator, said the agency was leading a group of data-protection authorities who are investigating that particular issue. He said he expects the EU’s privacy regulators to publish a paper on the topic in the fall.
“We believe that we collectively need to look into and address this matter to provide clarity for the use of contractual necessity for free online services,” Mr. Sunderland said.
To Read New GDPR Privacy Policies You'll Need a Football Field
Those updated privacy policies flooding your inbox due to Europe's GDPR compliance deadline on May 25 are so long that if you print out the ones from 30-some most-used apps, you could span a football field. Really.
On Thursday, Facebook’s Mr. Zuckerberg told a tech conference that his company has worked hard to comply with the GDPR, including by asking users to opt-in to see targeted ads on Facebook based on their use of other websites and apps.
“The vast majority of people choose to opt in,” Mr. Zuckerberg said, “because the reality is, if you’re going to see ads on a service, you want them to be relevant and good ads.”
Companies aren’t the only ones scrambling to get into shape with the new law. The European Commission, the bloc’s executive body, said eight countries including Belgium, Bulgaria and Hungary were late in implementing the necessary national legislation for GDPR. The commission can launch court proceedings against any member state that fails to implement EU legislation.
Regulatory agencies in other countries worry they are under-resourced for the workload expected to come down the pipeline, Ms. Jourova, the justice commissioner, said.
Asked about the issue of resources, the data-protection board’s Ms. Jelinek said, “We will try to do our best and we will act in a very professional way.”
Write to Natalia Drozdiak at email@example.com and Sam Schechner at firstname.lastname@example.org