Pandemic discourages regulators from enforcing GDPR

As resources are diverted to fighting the ongoing coronavirus pandemic, Europe’s enthusiasm for protecting consumer rights under the General Data Protection Regulation might be taking a pause, but it’s certainly not rewinding, experts say.

A month after the United Kingdom’s data-regulating Information Commissioner’s Office issued statements indicating that it would be taking a softer touch in enforcing the GDPR, which the region uses to govern how businesses manage their customers’ data, the European Union has given some organizations more breathing room to remedy violations but will continue to enforce the sweeping, privacy-protective law passed in 2016.

Two GDPR fines against international organizations first proposed in 2019 have been delayed since the coronavirus struck. At the end of March, the ICO gave British Airways and Marriott extra time to contest fines of $223 million and $124 million, respectively, or pay up. The ICO also delayed its investigation into alleged widespread abuses in the ad tech industry.

Nevertheless, consumers shouldn’t think that regulators are planning to abandon GDPR in the face of Covid-19, says Annabel Gillham, a London-based privacy expert at law firm Morrison & Foerster.

READ MORE ON COVID-19 AND GDPR

Remember Stasi spying to understand the GDPR
Facebook fails to curb coronavirus misinformation
Secure contact tracing needs more transparent development
Hydroxychloroquine misinformation makes way for political disinformation
Ebola-hacking lessons for coronavirus fighters (Q&A)
How to make your Zoom meetings more secure
CanSecWest, the last tech conference standing in the face of the coronavirus

“I don’t think we can read too much into the pausing,” she said. “It’s pure resourcing issues, rather than moving away from protecting consumers.”

Consumers most likely encounter GDPR in the form of pop-ups asking for their consent to collect data when they visit a site based in Europe or from a European Internet address, though the law goes much deeper than that. GDPR expands the definition of personal information, limits data use and retention, mandates data minimization, and requires faster data breach notifications.

While many expected the GDPR to lead to “mega fines” to punish organizations for data breaches and other failures to protect European consumer data after it first went into effect in 2018, punitive actions thus far haven’t been consistent across country borders.

This story was originally commissioned by Dark Reading. Read the full story here.