Constitutional Democracy and Legal Expert Sujit Choudhry Provides an Exclusive Interview for Status Labs on Europe’s General Data Protection Regulations

Status Labs: With GDPR having gone into effect in May 2018, in your expert opinion, was this a long time coming?

Sujit Choudhry: That is all relative. With the arrival of social media and the use of the internet becoming so widespread only over the past two decades, one could say that GDPR was a long time coming. However, the European Commission only set out plans for data protection reform across the European Union in January of 2012. Four years later, agreement was reached and the GDPR came into effect in May of this year, so one can say that yes, this was not a long time coming.

Status Labs: What major changes do you see in this new legislation in contrast to the state of affairs after the European Court of Justice’s ruling in the Google Spain judgment?

Sujit Choudhry: While GDPR may seem complex, it essentially consolidates principles that currently form part of the UK’s Data Protection Act. There are, however, elements of GDPR that organizations must address – such as breach notification, as well as making sure that someone is responsible for data protection – in order to avoid being fined. In addition, I believe that regulators will apply regulatory frameworks more strictly than before. The Google Spain judgment created the right to be forgotten and adjusted how search engines will offer links. This new legislation extends to the data of all EU citizens, and it affects all businesses and other entities in how they handle data.

Status Labs: Are these regulations in place solely to protect consumers’ data, or can they help companies as well?

Sujit Choudhry: The aim of GDPR is to simplify the regulatory ecosystem for businesses so that citizens as well as businesses in the EU can benefit from the digital economy. With the standardization of data protection, individuals are ensured that they are in control of their personal information. But while these regulations are primarily in place to protect individuals’ personal data, businesses benefit as well because they ensure that their clients’ sensitive information is protected. This builds trust, and also creates a regulated environment in which citizens know their information is safe, and the businesses adhere to guidelines.

Status Labs: Do you anticipate that countries outside of the EU will adopt similar data protection regimes?

Sujit Choudhry: I anticipate companies who are marketing their products to and conducting business with EU-based enterprises would have to adopt similar data protection regimes in order to maintain those relationships. The immediate result of GDPR coming into force was an increase in the number of US websites denying or restricting access to EU visitors. I believe that many of these companies – not just in the US but globally – will implement GDPR-compliant policies to prevent the loss of relationships with EU-based clients.

Status Labs: What are the legal consequences for companies that aren’t GDPR compliant?

Sujit Choudhry: GDPR compliance means that all organizations are obliged to report certain types of data breaches revolving around unauthorized access to or loss of personal data within 72 hours of the organization first becoming aware of it. Failure to do so may result in fines that range from 10 million euros to four percent of the company’s annual global turnover. For some companies, this figure could run into the billions of euros. Furthermore, infringements of the rights of the data subjects, unauthorized international transfer of personal data, as well as failure to put procedures in place for, or ignoring subject access requests for, their data result in a maximum fine of 20 million euros or four percent of global turnover, whichever is greater. Companies that mishandle data in other ways, such as failing to report a data breach or to build in privacy by design, may be subject to lower fines.

Status Labs: Which parties were the most concerned with the lack of data regulations prior to GDPR being implemented?

Sujit Choudhry: I believe those parties were the individuals whose privacy was compromised. Unfortunately, the sheer number of data breaches and hacks that have happened over the years has resulted in the sad reality that some of this personal information has been exposed to the internet. This includes email addresses, passwords, social security numbers, or confidential health records. The biggest change that the GDPR brings is that consumers now have the right to know when their data has been hacked so that they can take appropriate measures to prevent their information from being abused.

Status Labs: Is it a valid concern for business that when complying with GDPR, cookies and other tracking methods will skew their web analytics data?

Sujit Choudhry: That depends on how the companies use web analytics. If they are taking advantage of web analytics which utilize the collected data simply to examine the performance of their websites, their concerns are much lower. However, if companies pass on their analytics data to secondary platforms, or if they are using remarketing pixels and tracking codes or even personalizing their website content based on patterns of user behavior, they will need to make sure they have consent from their users. In the latter case, concerns that compliance with GDPR will skew web analytics data are valid and ought to be addressed appropriately.

Status Labs: Facebook has come under increased scrutiny this past year. Do you think being GDPR compliant is enough for a massive data company like Facebook to protect its users?

Sujit Choudhry: I believe it is a good start. Implementation of GDPR rules and guidelines would be a good initial step toward data protection. However, social media is evolving constantly and rapidly, always adding new features and ways for users to interact and share data, in ways we cannot always predict. Compliance will have to evolve and adjust depending on how the social media ecosystem changes and evolves in an ever-shifting landscape.

Status Labs: How does this affect companies with headquarters in the US (or other countries not bound by GDPR regulations) but servicing clients that reside in the EU? What is the potential impact of GDPR on the regulatory landscape in the US?

Sujit Choudhry: US companies that specifically target EU residents are certainly affected. If they are collecting personal information from EU residents and deciding how that information is used, they are de facto a “controller” under GDPR. As such, US-based companies can expect to be bound by GDPR if they wish to maintain EU-based clients.

Status Labs: With GDPR in full swing for the past three months, do you believe EU citizens are better off?

Sujit Choudhry: Overall, I believe they are. They have a sense of security in knowing that should data be compromised, they will be notified immediately, assuming all companies are compliant. Some companies have already taken measures in the right direction by sending customers emails with information on how their data is used as well as giving them the option to opt out should they desire that their content is not part of it. However, three months is not long enough to make a firm assessment. As with any good thing, there will surely be consequences, negative and positive, that we are yet to be aware of. At the moment, GDPR does seem to be a promising move in the right direction.

Status Labs: Do you believe the rights protected by GDPR should be held by citizens of all countries?

Sujit Choudhry: I do believe that we will have to move in that direction. Protection of individuals’ data ought to be guaranteed all over the world and not just in certain places. The standardization of data protection will ensure that sensitive information remains private everywhere. Data privacy is not regarded as equally important across the world, and I believe that GDPR will usher in the perception that private information is to be treated as such.

Status Labs: What would you recommend as a good path forward or resource to the average small business owner who isn’t familiar with GDPR?

Sujit Choudhry: Each business will need to look at what it is exactly they need to achieve to comply with GDPR and pick their data controller who has taken responsibility for ensuring compliance happens. Businesses have to enact comprehensive but proportionate governance measures that will ultimately minimize the risk of breaches while ensuring personal data is protected. This essentially means more policies and procedures for those who have not yet put them in place.