GDPR a Litmus Test for Cross-Border Privacy Attitudes
Rather Than Honor Europeans' Data Privacy Rights, Some Organizations Exit EU
To judge by the quantity of GDPR-themed email hitting inboxes, Europe's General Data Protection Regulation has been designed to ensure that you say "yes" to companies that monetize the buying and selling of your personal details, regardless of whether you remember ever having done business with them before (see Europe's Strong GDPR Privacy Rules Go Into Full Effect).
The ubiquity of these "please opt in" messages in inboxes - a collective privacy rights panic reaction on the part of so many organizations - has reached near-galactic proportions, as encapsulated by a tweet from Rian Johnson, director of last year's "Star Wars: The Last Jedi," posted May 24, 2018.
In fact, data protection regulators and experts say the flood of emails may not be necessary, especially if organizations have kept track of how and when an individual has consented to work with them. In some cases, these messages may also be illegal.
"We've heard stories of email inboxes bursting with long emails from organizations asking people if they're still happy to hear from them," U.K. Deputy Information Commissioner Steve Wood writes in a guide for businesses to the GDPR concept of consent. "So think about whether you actually need to refresh consent before you send that email, and don't forget to put in place mechanisms for people to withdraw their consent easily."
If organizations don't know how they may have first obtained consent - and that it was done in a manner that complied with previous data protection laws - then contacting individuals to request that they opt in could also be illegal, Wood warns.
All or Nothing Approaches
Beyond the rush to get users to agree to continue to receive their communications, different organizations have begun approaching GDPR compliance in different ways.
Both Twitter and Facebook, for example, have taken an "all or nothing" approach. They require users to agree to their privacy policies, or else see their accounts get deleted, as Berlin-based journalist David Meyer has found.
"Uh... #GDPR" pic.twitter.com/gN3BBFRPQX - David "Action Required" Meyer (@superglaze), May 25, 2018
Messaging app WhatsApp, owned by Facebook, has also begun requiring European users to click a box saying they're at least 16 years old. But the implementation appears not to have been thought through, says Sean Sullivan, a security adviser at Finnish security firm F-Secure.
"I agreed to WhatsApp terms on my child's behalf earlier today," Sullivan says via Twitter on Friday. "Nowhere was there a place to indicate I was doing so."
Those "take it or leave it" approaches to privacy are already being tested. At midnight on Friday, Austrian privacy advocate Max Schrems filed complaints potentially worth $9 billion against Facebook - plus its WhatsApp and Instagram subsidiaries - as well as Google's Android, alleging that they were forcing users to accept "coercive" new terms in violation of GDPR.
Some organizations have begun "complying" with GDPR's requirements by blocking users in Europe, at least temporarily.
Cleveland's Fox News affiliate Fox 8, for example, now appears to be blocking users with a European IP address.
"Fox affiliate in Cleveland is blocking European visitors to its site as of May 25, 2018, seemingly 'because #GDPR.' But still accessible via VPN." pic.twitter.com/VZBhAF7UWq - Mathew J Schwartz (@euroinfosec), May 25, 2018
Other publishers have taken similar steps, including Tronc, the publisher of the Los Angeles Times, the New York Daily News, the Chicago Tribune and other U.S. newspapers. "We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market," the company says in a notice displayed to EU-based users.
But not all publishers are temporarily blocking European users. The Washington Post, for example, launched a "Premium EU Subscription" that costs 50 percent more than its U.S. online subscription option and which includes "no on-site advertising or third-party tracking."
Exit Europe, Stage Left
Some organizations have simply closed up shop in Europe. Ragnarok Online, a long-running online role-playing video game, announced in April that it would be shutting down its European servers on May 25 due to GDPR.
Targeted advertising provider Drawbridge also announced it would be suspending European operations, as did mobile marketing platform Verve, just two years after it entered Europe.
"We have decided that the regulatory environment is not favorable to our particular business model," Julie Bernard, Verve's chief marketing officer, told AdExchanger last month, saying the company would instead be focusing on the U.S.
Email inbox management tool Unroll.me, saying that "unfortunately, our service is intended to serve users in the U.S.," says that because it does not comply with GDPR, it will eliminate all accounts for Europeans by May 24.
Privacy Rights Litmus Test
Mikko Hypponen, chief research officer at F-Secure, says GDPR has already become a litmus test for cross-border privacy attitudes and assumptions, as he observed after studying reactions on Twitter to stories he's posted about how companies are altering their European operations.
"There's a big split in reactions and replies based on whether the commenter is from Europe, or from outside of it," Hypponen says via Twitter.
"Typical reactions from the USA:
* This should teach those smug EU regulators a lesson
* You can't tell us what to do
* These regulations were designed to hurt US tech companies
* Blocking EU users serves the EU right
* Just ban the whole continent"
- Mikko Hypponen (@mikko), May 6, 2018
Data protection expert Brian Honan, who heads Dublin-based cybersecurity consultancy BH Consulting, says anti-GDPR attitudes demonstrated by some businesses reveal what they really think of privacy and will be a bad business move.
"Two thoughts: obviously these companies don't care about the privacy of their customers, and these [organizations] are happy to ignore [the] second largest consumer market in the world," Honan says via Twitter.
Phishing Campaigns Tap GDPR
Unfortunately, one type of business has seized on GDPR and its business potential. "Dozens of phishing campaigns are socially engineering individuals and organizations to update their own PII [personally identifying information] or the PII of their customers either by filling out questionnaires or by transferring files of personal data," says Avivah Litan, an analyst at Gartner Research, in a blog post.
"These phishing campaigns commonly disguise the criminals as legitimate organizations who are updating their systems for GDPR compliance and as such are reaching out to consumers to refresh and update their PII records," Litan says.