GDPR is now live and effective, and Austrian lawyer and privacy advocate Max Schrems has already brought suit, claiming that the policies of Google and Facebook do not meet the new standard set out in the regulation. His three lawsuits against the companies seek a reported total of €7.6 billion (U.S. $8.8 billion).
His legal filings highlight an interesting aspect of GDPR: its private right of action. The ultimate effectiveness of the law will probably turn on enforcement by the member states of the European Union and by the United Kingdom under its GDPR-like law.
The law highlights a fundamental difference in the data-privacy rights of individuals in the European Union and the United Kingdom compared with the United States. In the United States, that right has very little legal protection. Given Europe's history over the past century, the greater desire for privacy there is not surprising. Commentators in the United States are already claiming that GDPR will make chasing criminals more difficult, but even the venerable pro-business Financial Times (FT) editorialized that GDPR “will put just and straightforward principles into place.” Imagine the U.S. Congress actually saying something like that about individual privacy rights.
Yet the FT asks several questions about enforcement that, at this point, are still open. What unintended consequences might this new law bring to light? What will be the burden on each company to comply with the law, most specifically the right to make Subject Access Requests (SARs)? Equally important are the costs of having a Data Protection Officer, performing a Data Protection Impact Assessment (DPIA), and implementing the required policies and procedures, attendant training, and other requirements. Will national data protection authorities take on large corporations? What about cross-border investigations and enforcement actions? Will there be one pie of enforcement penalties, or a host of them?
The answers to these and many other questions are still unknown.