Something big happens this week.  The GDPR (General Data Protection Regulation) goes into effect in Europe.  It provides strict regulations on privacy and how online companies can use consumer data.  It can also enforce significant fines – up to 4% of gross revenues or $20 million.

Even though it’s not in place in the United States, it will have a huge impact on U.S. companies that do business globally.  Despite a year to get things ready, it appears companies still do not have everything in place to be compliant.  A study by KMPG Global Legal Services found that 54% of the 448 companies it studied aren’t ready.  Only 10% of the companies surveyed said they believes their employees are even fully aware of the data protection obligations.

A study done by CompTIA of U.S. companies reported that only 20% of business that needed to meet GDPR guidelines have completed the necessary adjustments.  22% had developed a compliance plan and only 21% had audited their systems to make sure they were doing so.

41% of companies say they’ll need another year to be ready.  25% say it could take up to four years. – Crowd Research Partners

Two big provisions of the GDPR are the requirement to delete data from European Union residents when they ask – the so-called “Right to Be Forgotten” – and to make a public notification of data breaches to affected parties within 72 hours of discovery.  Only a third of companies appear to have a system in place to meet notification guidelines, and 20% report no mechanism to delete user data upon request.

One of the companies most under the microscope is Facebook.  “We comply with current EU data protection law, and will comply with GDPR,” Facebook posted.

Not everyone is convinced.  In fact, a number of industry experts have suggested that Facebook’s new terms and conditions which users must accept violated the spirit, if not the actual legal requirements, of the law.  If you fail to accept the user agreement, you are asked to delete your account.  Accepting obligates you to accept how Facebook wants to use your data.  The GDPR forbids companies from forcing users to turn over personal information as a condition of using their services.

“We will also ask people to agree to our updated terms of service and data policy, which include more detail in response to questions about how our services work. We’re not asking for new rights to collect, use or share your data on Facebook, and we continue to commit that we do not sell information about you to advertisers or other partners. While the substance of our data policy is the same globally, people in the EU will see specific details relevant only to people who live there, like how to contact our Data Protection Officer under GDPR.” – By Erin Egan, VP and Chief Privacy Officer, Policy and Ashlie Beringer, VP and Deputy General Counsel, Facebook Newsroom

Here’s the screen Facebook says EU users will see when they log in once GDPR goes into effect.


Your options if you don’t accept the terms, are limited to downloading a copy of your data and then deleting your account.

So is Facebook forcing users to turn over the info?  Accept our terms or delete your account seems to be an end-around, according to some legal experts.  It may very well wind up in court.  Facebook, obviously disagrees saying they can’t provide the core services it does without access to the data.

“There are certain elements of the service which are core to providing it and which people can’t opt out of entirely, like ads,” Stephen Deadman, Facebook’s global deputy chief privacy officer, told the Wall Street Journal. “There’s no point in buying a car and then saying you want it without the wheels. You can choose different kinds of wheels, but you need wheels.”

More to come.

H/T KMG Global, ESG Global, CompTIA, Wall Street Journal, Legal 500, Ad Contrarian