EU Regulations Are Clamping Down On US Big Tech

In May 2018, the EU General Data Protection Regulation (GDPR) surfaced as the “most important change in data privacy regulation in 20 years.” Now, the implications are starting to trickle over to the U.S., forcing big tech companies to follow suit or face the consequences.

Cyber Security Legal Expert and CNN Commentator Dr. Adriana Sanford, joined Monday night’s episode #70 of Task Force 7 Radio, with host George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies. She discussed how EU countries are passing and aggressively enforcing regulatory laws that are affecting the way U.S. big tech companies are doing business there.

Dr. Sanford is an internationally respected cyber security expert, educator, keynote, and international television commentator. She appears regularly as a CNN analyst/contributor to 49 million households in the United States and Latin America.

She has distinguished herself by educating executives, thousands of college students, and the public on global threats. The former counsel of a Fortune 50 company warns that legal ethics rules are varied in foreign territories, and executives are sometimes forced to decide which laws and ethical rules to follow and which to break. She focuses on laws at the international level and how foreign regulations can create corporate exposure, criminal liability, and physical safety concerns.

Sanford and Rettas kicked off the show by discussing the legality of simply posting a photo of your children on social media in some European countries. They also compared EU laws to the privacy laws in the United States and they discussed France's tough approach to U.S. tech companies doing business in their country.

EU Privacy Laws Compared To The US

Sanford first benchmarked the state of privacy issues across countries, starting with France. “They have more stringent rules than we do in the U.S.,” she said noting that this has caused issues for big companies.

Privacy is not defined in France under the French law. And although France is in the EU, the definition of privacy is not the same. “It’s your personal life, your professional life, your health and your property (what you own),” said Sanford.

Privacy to them is very important, which is apparent with a new law that came out covering social media platforms and posting photos of children – it’s illegal in France. So, a child could sue his or her parents if they post a picture in Instagram. Whereas in the U.S. “parents think their children could become famous,” by posting pictures of them in social media, according to Sanford. There is a big cultural difference when it comes to privacy.

Further, there can be a criminal penalty in France if picture of a child is posted. Social media platforms are rapidly changing; therefor the child has no control over what’s out there and how it can affect them later.

Sanford shared that on Instagram, “you can pick who you follow, but if you look closely people are added in. So, there’s something quirky going on there.” She cautioned that everyone take a look at their lists – “you don’t know what’s out there. The French culture wants to protect their children.”

To make things more complicated, let’s say the child has dual citizenship – one parent is American and one is a French citizen. The child is protected, so if the American grandparents are posting pictures of that child and have no knowledge of the laws in France, there is an issue.

This complication is also how it’s impacting big technology companies in the U.S. While the France is in the EU and under the EU laws, it still has the authority to tweak and make these laws more stringent than overall legislation. So, in France, there are a lot of fines and lawsuits coming up at these big tech companies — civil and criminal — which could mean jail time for some of executives within these companies. “This is serious and for big companies like Apple and Google and Facebook – it’s a concern,” Sanford added.

Rettas then asked about the implications of violating regulatory roles, where Sanford offered an Apple example of slowing down iPhones. There are no laws that prohibit planned obsolescence in the U.S., but it’s “big out there and in France and the reason is they don’t want waste and overconsumption,” said Sanford.

Some companies want you to buy the newest product and this is the way of doing it. The government can impose mandated warranties if they want, or laws – or take steps, but the U.S. doesn’t have a law that prohibits planned obsolescence right now.

There is a case against Apple in France, however while there’s no case under planned obsolescence right now in the U.S. per se, it’s still an issue. In December 2017, there were suits filed in California, New York and Illinois seeking a class action suit on this issue. Apple says it’s written in the fine print. And the other side says under contract law, Apple was deceptive.

Sanford explained that in the U.S. case, it really has to be proven that Apple wants consumers to get rid of phones prematurely. However, Apple made the argument that they were concerned that their phones could end quickly without their knowledge, so the updates are to slow that process down. “So, you have to look at both sides,” she said, adding that we have a different way of handling this in the U.S. versus French law.

Rettas wondered if there are “other areas where we’re experiencing a gap?”

Sanford said that there are a few of them: First, with regards to search ad policies, and policies and procedures for blocking certain ads. In the U.S., Google said that they do this because “their policy prohibits ads for services that can be obtained for free for low cost by the government or other public sources.” Whereas, French regulators are saying no, Google is engaging in anti-competitive behavior.

There are also gaps with regards to terms and conditions (Facebook got into trouble in the EU). And with regards to gadgets, there are gaps in abusive app developer practices. Right now they are looking at Google and Apple and whether or not they’ll impose many penalties for conditions they think are onerous, against startups. They said that if these companies want developers to sell apps with Google or Apple, they have to pay fees. “These are areas where companies might want to take another look and see if they’re doing this, how big are the penalties, and is there a better way to handle it in these countries,” said Sanford.   

The GDPR Struggle

The second segment started off with Rettas noting that “there are many listeners out there right now that are struggling with GDPR for different reasons. Do you have advice to comply?”

Sanford said that it really depends on industry, and which countries they’re in overseas. This is a concern for big tech because we’re seeing violations of GDPR, but we don’t know how strong enforcement will be. “Just because one country considers it a strong violation, another might not.”

Sanford said that GDPR looks for three things:

1. Transparency
2. Content (right information to provide to consumers and users)
3. Informed Consent (give the option to say yes or no)

Right before GDPR came about in May 2018, some of these countries were given a heads up saying “we’re not going to tolerate online breaches of privacy rules.”

Sanford revealed that “One of those cases was actually a case against Google in France,” which was hit with a $5.7 million fine because they failed to obtain consent for personalized ads. And there was not a lot of clarity in the way they were informing their users on how to handle the personal data.

“Now keep in mind at that time this was actually one of the biggest fines towards a U.S. tech company in this realm. Today, it can be a heck of a lot larger because right now a violation under GDPR can cost up to 4% of the annual gross revenue. So this was a little snapshot of what was about to happen,” explained Sanford.  

See Related: "Cyber Security Hub Survey Reveals GDPR Effects, Purchase Power & More"

And while Rettas said that GDPR itself is not all that new, it is still a hot topic because the consequences of GDPR are new. Sanford added, “GDPR is evolving. It’s branching out into areas where people had no idea.” Everyone out there understands the basics, “but areas that they really didn’t plan on exploring or thinking were going to be a problem are now emerging.” And that’s really what’s concerning these tech companies.

For example, in Australia, in 2018 they were looking at the autocomplete feature from Google. Google said that they don’t control it (it’s produced by algorithms). However in this case, a man would type in his name and it would autofill him as a criminal, so the courts ruled saying he could sue Google.

In the U.S. defamation is hard to prove and websites are not liable for comments made by their users. They claim they’re not responsible for the content links because it is out of their control. In the U.S. the law is much less friendly towards a plaintiff because of the First Amendment.

“There are not a lot of stringent rules in the U.S. Therefor, it’s really hard to bring a case here, but not so in other countries (France, Belgium, Australia). If you put something out there and it links to defamatory content, even if you don’t have control over it – in Australia you can be held accountable for defamation,” explained Sanford.  

Rettas added that it’s a hot topic because “the hammer can drop at any time, which is why it’s getting so much attention.”

Consequences for non-compliance are huge. Now, we’re in time where there is fake-news. In Europe you have the right to be forgotten – as long as the content is 10 years old, or older. In Germany in 2008, two people under the right to be forgotten sued, but Google was not held responsible — so it depends on the country.

In the UK – they basically said with regards to an individual, after 10 years he showed remorse for his actions, so his information had the right to be deleted. Thereafter, “between France, Germany and the UK, Google had over 2.4 million requests for deletions and if you do case-by-case analysis, it’ll tie up a lot of people,” Sanford said.

There are competing rules from country to country, continent to continent, and even state to state, which is a huge cost for big tech companies. Additionally, there is no uniformity now.

Rettas asked Sanford if there are “productive discussion happening for uniformity?” She said that while the private sector has a lot of power, (no one wants our executives to go to jail), it’s in the best interest for big tech companies to protect themselves.

There are a lot of complaints coming from France, Belgium and Australia. They want to make sure that companies are handling their faults and being responsible. With all the lawsuits popping up, Sanford said, “we may start to see some changes.”

The Big Picture

Sanford also discussed how privacy professionals should prioritize their efforts to compliance, what the effort to establish some regulatory uniformity and harmony looks like, what countries are seeing the highest rate of enforcement actions. Finally, she talked about what companies in the U.S. need to be aware of moving into 2019.

Rettas asked about how big tech companies are addressing their issues. Is it on a country by country basis, or are they addressing these issues as one global company?

Sanford said that it depends on the company, but with some of the multi-nationals it would be difficult to be country-specific. For example, Facebook has to focus on all of its users versus country by country. “I suspect they have someone looking at the big picture,” she said. “If you have a GDPR framework, you need people internally to be focused on this issue.” It requires an extensive amount of monitoring and taking a close look at terms and conditions.

Any time you’re working in this space, you need to take a look at your cookies. Do you have invisible pixels and cookies to third-party sites? Any time you use third-parties you need to be sure you’re informing individuals. If you’re a big company, you’ll want to do this for everybody noted Sanford. “U.S. citizens will reap the benefits of more privacy because other countries are stepping up their laws.”

Rettas asked: “Is the situation getting better since GDPR? How long will it take for this law to have an impact on breaches?”

Sanford revealed that it has already has an impact – for example, right now with newest breach that occurred in the UK, the company needed to give notice within 72 hours. “If there is a hack, immediately you have to come forward – that’s making a major difference for us.”

It is also impacting the U.S. by forcing big tech to have higher security standards. Are they strong enough to deter breaches? If not, they’ll get hit with lawsuits.

Similarly, the U.S. is feeling pressure to up their game to match its EU counterparts (and the rest of the world).

“More companies will have training for their employees so they understand implications,” Sanford said. There will be more stringent rules and regulations. These companies have to take the proper safeguards so even their own employees don’t turn on them even after they leave. They’ll also look at who needs to be seated at the upper management table to deal with these issues. All of this will have a strong affect on these companies going forward for 2019.

See Related: "5 Quick Tips To Strengthen Enterprise Security Advocacy"

As for advice, “I would say that you need be very careful. What we’re seeing right now – this jungle of laws, regulations we have, also exist with regards to corruption [not just cyber]. Laws are being amended and changed with corruption and fraud.  

There are also issues with conflicting laws. Sanford advises, “Step back and do house cleaning and look at these other areas as well.”

The ‘Task Force 7 Radio’ recap is a weekly feature on Cyber Security Hub.

To listen to this and past episodes, click here.