Euro Security Watch with Mathew J. Schwartz

General Data Protection Regulation (GDPR) , Governance & Risk Management , Privacy

GDPR a Litmus Test for Cross-Border Privacy Attitudes

Rather Than Honor Europeans' Data Privacy Rights, Some Organizations Exit EU
GDPR a Litmus Test for Cross-Border Privacy Attitudes
Life after GDPR enforcement begins: European visitors to the Los Angeles Times website see a notice saying they're being blocked.

To judge by the quantity of GDPR-themed email hitting inboxes, Europe's General Data Protection Regulation has been designed to ensure that you say "yes" to companies that monetize the buying and selling of your personal details, regardless of whether you remember ever having done business with them before (see Europe's Strong GDPR Privacy Rules Go Into Full Effect).

See Also: Live Webinar | Navigating Identity Threats: Detection & Response Strategies for Modern Security Challenges

The ubiquity of these "please opt in" messages in inboxes - a collective privacy rights panic reaction on the part of so many organizations - has reached near-galactic proportions, as encapsulated by a tweet from Rian Johnson, director of last year's "Star Wars: The Last Jedi."

In fact, data protection regulators and experts say the flood of emails may not be necessary, especially if organizations have kept track of how and when an individual has consented to work with them. In some cases, these messages may also be illegal.

"We've heard stories of email inboxes bursting with long emails from organizations asking people if they're still happy to hear from them," U.K. Deputy Information Commissioner Steve Wood writes in a guide for businesses to the GDPR concept of consent. "So think about whether you actually need to refresh consent before you send that email, and don't forget to put in place mechanisms for people to withdraw their consent easily."

If organizations don't know how they may have first obtained consent - and that it was done in a manner that complied with previous data protection laws - then contacting individuals to request that they opt in could also be illegal, Wood warns.

All or Nothing Approaches

Beyond the rush to get users to agree to continue to receive their communications, different organizations have begun approaching GDPR compliance in different ways.

Both Twitter and Facebook, for example, have taken an "all or nothing" approach. They require users to agree to their privacy policies, or else see their accounts get deleted, as Berlin-based journalist David Meyer has found.

Messaging app WhatsApp, owned by Facebook, has also begun requiring European users to click a box saying they're at least 16 years old. But the implementation appears to not have been thought through, says Sean Sullivan, a security adviser at Finnish security firm F-Secure.

"I agreed to WhatsApp terms on my child's behalf earlier today," Sullivan says via Twitter on Friday. "Nowhere was there a place to indicate I was doing so."

Those "take it or leave it" approaches to privacy are already being tested. At midnight on Friday, Austrian privacy advocate Max Schrems filed complaints potentially worth $9 billion against Facebook - plus its WhatsApp and Instagram subsidiaries - as well as Google's Android, alleging that they were forcing users to accept "coercive" new terms in violation of GPDR.

Temporary Blocks

Some organizations have begun "complying" with GDPR's requirements by blocking users in Europe, at least temporarily.

Cleveland's Fox News affiliate Fox 8, for example, now appears to be blocking users with a European IP address.

Other publishers have taken similar steps, including Tronc, the publisher the Los Angeles Times, the New York Daily News, the Chicago Tribune and other U.S. newspapers. "We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market," the company says in a notice displayed to EU-based users.

But not all publishers are temporarily blocking European users. The Washington Post, for example, launched a "Premium EU Subscription" that costs 50 percent more than its U.S. online subscription option and which includes "no on-site advertising or third-party tracking."

Exit Europe, Stage Left

Some organizations have simply closed up shop in Europe. Ragnarok Online, a long-running online role-playing video game, announced in April that it would be shutting down its European servers on May 25 due to GDPR.

Targeted advertising provider Drawbridge also announced it would be suspending European operations, as did mobile marketing platform Verve, just two years after it entered Europe.

"We have decided that the regulatory environment is not favorable to our particular business model," Julie Bernard, Verve's chief marketing officer, told AdExchanger last month, saying the company would instead be focusing on the U.S.

Email inbox management tool Unroll.me, saying that "unfortunately, our service is intended to serve users in the U.S.," notes that because it does not comply with GDPR, it would eliminate all accounts for Europeans by May 24.

Privacy Rights Litmus Test

Mikko Hypponen, chief research officer at F-Secure, says GDPR has already become a litmus test for cross-border privacy attitudes and assumptions, as he observed after studying reactions on Twitter to stories he's posted about how companies are altering their European operations.

"There's a big split in reactions and replies based on whether the commenter is from Europe, or from outside of it," Hypponen says via Twitter.

Data protection expert Brian Honan, who heads Dublin-based cybersecurity consultancy BH Consulting, says anti-GDPR attitudes demonstrated by some businesses reveal what they really think of privacy and will be a bad business move.

"Two thoughts: obviously these companies don't care about the privacy of their customers, and these [organizations] are happy to ignore [the] second largest consumer market in the world," Honan says via Twitter.

Phishing Campaigns Tap GDPR

Unfortunately, one type of business has seized on GDPR and its business potential. "Dozens of phishing campaigns are socially engineering individuals and organizations to update their own PII [personally identifying information] or the PII of their customers either by filling out questionnaires or by transferring files of personal data," says Avivah Litan, an analyst at Gartner Research, in a blog post.

Phishing email namedrops GDPR. (Source: Gartner)

"These phishing campaigns commonly disguise the criminals as legitimate organizations who are updating their systems for GDPR compliance and as such are reaching out to consumers to refresh and update their PII records," Litan says.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.