How the GDPR Affects American-Based Tech Giants
The General Data Protection Regulation (“GDPR”) continues to be an important topic of conversation for U.S. companies. Since its inception, the GDPR has raised a number of questions as to whether businesses are properly prepared to comply. The GDPR was adopted on April 27th, 2016 and allotted a two-year post-adoption grace period for businesses to strategize and implement their compliant approach. With less than two months left, it has been reported that an estimated 61% of U.S. businesses are not ready for the regulation, and that only 67% of European-based businesses have begun moving into the implementation phase of their GDPR compliance program. The potential fines have many concerned about compliance as the May 25th, 2018 date of enforcement approaches, but businesses struggle with fully understanding the regulation and thus fail to launch a comprehensive plan.
Turning our focus to the technology industry, several internet-based social websites and applications have displayed international influence and presence through international platform expansion and marketing efforts. One recent example includes the popular web-based platform Facebook and its acquisition of the messaging application “WhatsApp.” WhatsApp announced in August of 2016 that it would share user data with Facebook to improve its service, as well as to provide statistics and patterns to the social media giant. Facebook has significantly increased its marketing efforts in years past with suggestion capabilities to inform users about products or services that may be of interest based on data collected about that individual. Since the acquisition, WhatsApp has expanded its application reach internationally to Brazil, India, and Europe, placing the app at the forefront of data protection regulations. As of March 15, 2018, WhatsApp announced that it will no longer share user data with Facebook until it can assure UK users that it is compliant with the GDPR.
The GDPR places Facebook’s acquired WhatsApp partnership in scope not only for its presence in the United Kingdom, but also for its monitoring of European Union (“EU”) data subjects and its attempt to offer them goods and/or services based on that collected data. Facebook’s practices most likely include the use of automated individual decision-making applied to EU data subjects, requiring a lawful basis such as explicit consent under the GDPR. Processing is broadly defined in the regulation to include most actions that can be performed with data and can specifically refer to collection and storage, which Facebook in this case would be doing. The website must therefore have processes in place to honor nine distinct rights awarded to EU data subjects and be able to operate under the guiding privacy principles defined within the GDPR. The regulation further dictates appropriate security efforts around the protection of personal data, establishes breach-reporting requirements, and increases the risk associated with vendors processing this data. These expansive requirements will make the process of marketing much more complex for the two tech companies.