GDPR still has ripple effects, several months after its debut — and the ripple effects extend from Europe to U.S. shores.
News came over the weekend that “smart cities” based outside the U.S. may be on the hook for GDPR-related fines if it is found they misuse EU citizens’ data, as reported by the Telegraph.
The warning comes from Dr. Jacqui Taylor, who serves as strategic advisor to the U.K. on smart cities. She said that the fines could run into the millions of pounds. She pointed to the mandates tied to GDPR (General Data Protection Regulation) that state that fines could be 4 percent of revenues of £17.4 million, whichever is greater.
The smart cities, of course, collect data, and U.K. citizens have the right to complain if they suspect their data has been misused. The data that is tied to smart cities spans public transport and transactions for services.
Taylor has been advising cities in the Middle East on GDPR. “They took it very seriously because they understood that as a European citizen, if I'm out there, they'll be called to account if something goes wrong, or if I decided that I want a change to how they're managing what their trust model is, because I have that backing of the regulations,” she said in an interview with the Sunday Telegraph.
The Telegraph reported in its coverage that “an example could be where a visitor from an EU country downloads a smart city’s app ahead of visiting in order to access perks such as parking, free WiFi and information about local events.” The law is still a bit nebulous on smart cities and how they may be touched by GDPR, reported the Telegraph.
Rafi Azim-Khan, who is quoted by the Telegraph in an interview and who serves as partner at Pillsbury Law and head of data protection and privacy Europe at the firm, told the publication that regulators mull any number of factors when considering GDPR’s reach. They could consider the residence status of an individual when considering whether they are indeed protected by the law. They could consider other factors, too, such as where their children went to school.
“If you go right back to the basics, there is a decent argument to say that the lawmakers intended that genuine EU citizens who might be travelling in other parts of the world, if their data is being captured and processed, you do run that risk if you don’t look after that data in the way that is mandated under the new rules,” he said.
Can it Happen Here?
As for the ripple effects that course beyond the EU and touch the U.S., breaches have been enough to spur some advocacy on Capitol Hill for GDPR-like legislation rendered domestically. Representative Will Hurd, a Republican from Texas, told the Aspen Cyber Summit late last week in California that such legislation may be on the agenda when a new Congress takes shape beginning in January 2019.
“One of the things we will be looking at is GDPR. Is it working, is it not working, is it something that we may be moving to?” Hurd said at the conference, as quoted by sites such as theregister.com.
“A year ago, the answer would have been not 'no,' but 'hell no.' I think more people are open to that now because of some of the breaches.”
Hurd serves as chairman of the Information Technology Subcommittee of the House Committee on Oversight and Government Reform. He told The Register that no legislation is in the planning stages right now.