Look at this way, even if it’s probably far too optimistic: The post-GDPR world is providing chances for companies to engage their customers a little bit more.
Reports are surfacing that, since the European Union’s General Data Protection Regulation took effect on May 25, customers exercising their rights under the law are contacting companies with questions about how their online data is being handled, and to request copies of that data.
Apps designed by privacy activists have reportedly made it easier for consumers to contact companies with questions and requests related to the GDPR. However, according to reports, retailers and other organizations have been reluctant to respond to those app-based inquiries.
“Technology companies, media groups, retailers and banks are among those most targeted because of the vast amounts of information they hold on customers,” said the Financial Times earlier this week. “Some financial institutions, which are required to collect detailed customer information for anti-money laundering, tax and accounting reasons, say the rules have proved onerous to implement alongside these other regulations.”
Facebook reported a “manyfold” increase in such queries, though the “spike” of such requests that took place right after May 25 continues to decrease, said a company official. Marriott stands as another example of a company that has experienced a flood of consumer questions about their data.
The newspaper offered this example of a consumer request under the new GPDR regime: “I anticipate [a] reply to my request within one month, as required under Article 12, failing which I will be forwarding my inquiry with a letter of complaint to [the data protection authority].” That request came with a nine-point list of demands, which were not included in the article.
Corporate employees are not the only people feeling the heat from GDPR. Regulators around the world continue to seek breathing room, asking for exemptions from the rule because, they say, it stymies cross-border law enforcement actions that focus on fraud and manipulations of markets. The privacy rule, which essentially applies to the rest of the world because of the economic power of the EU, places restrictions on the data that can be shared internationally in the “public interest.” The language is open to interpretation, giving regulators an opening to request exemptions.
In related news from the post-GDPR world, Brazil is reportedly the latest jurisdiction to seek its own online data protections in the wake of the EU rule. A bill, that observers said was inspired by the GDPR, won preliminary approval from national lawmakers in that country this week, though it faces analysis and markups from various groups in the Federal Senate. As it stood this week, the bill would levy fines of 4 percent of revenue for companies that fail to properly secure digital data or protect the privacy of online consumers.
California recently passed its own GDPR-inspired bill, with lawmakers fending off a November referendum widely seen as less open to future changes than the proposal that made it through the state legislature. Much like the case with the tech firms contending with post-GDPR consumer requests, businesses in that state are trying to figure out how best to comply with the new law while preparing to lobby for changes before the new rules take effect in 2020.