On July 18, an announcement flashed across the internet that the European Union (EU) slapped Google with a $5 billion antitrust fine for bundling its products into its popular Android phones. Although this may not seem relevant to small business owners who have European customers, this penalty incorporates two valuable lessons as the new era of General Data Protection Regulation (GDPR) enforcement unfolds.
Here’s why your business should be paying attention.
The EU Means Business
The EU takes regulatory compliance seriously. The EU's main problem enforcing policies lies in how it was formed. Unlike the US, the EU is an association of states that all agree to follow the same laws. With that in mind, the governmental authorities traditionally left enforcement in the hands of the individual nations. Unfortunately for modern businesses, too many member states remained rogue. When one of the member states continually violates EU law, others play the "monkey see, monkey do" game. This attitude takes all the venom out of the regulations.
Therefore, the EU expanded the number of EU enforcement authorities (EEAs) over the last 15 years in an attempt to take control of compliance. By increasing the number of regulatory enforcement agencies, the EU hoped to create a more cohesive set of laws and penalties across all the member states.
The fine against Google represents a major step in flexing these EEA sanctioning muscles.
What This Means for GDPR Compliance
In May 2018, GDPR enforcement became reality. Despite ongoing warnings, many businesses aren't taking compliance seriously – or as seriously as they should. As recently as April, industry reports showed that 60 percent of companies wouldn't meet the enforcement deadline. In some cases, the choice to remain non-compliant was a matter of costs being too high.
On the other hand, many businesses may feel that their market lies outside the EU's jurisdiction. After all, an MSP in the US may not realize that they must still follow the new regulations if they have EU customers, or they might think they are exempt from enforcement.
The fine against Google shows that the EU plans to hold technology companies accountable and hit them where it hurts. According to one report, the Google antitrust fine directly impacts its advertising since Google's mobile products collect more advertising revenue than its desktop software. Given their focus on protecting individual data, is it any wonder the EU would be interested in how and where businesses collect data?
What This Means for US-Based Businesses
Ignoring the GDPR is going to cost businesses money. How much money depends on how far, physically and administratively, the EU wants to go. Within the GDPR, the EU Commission set out several objectives that require all businesses, regardless of location, to focus their attention on compliance.
Expanding into a Universal Protection Law
The GDPR gives supervisory authorities a lot of power. They not only have the power to investigate but also the power to enforce. The EU's moves in the last 15 years show its commitment to international enforcement.
For US-based businesses, the increased sanctioning means the EU will be willing to allow supervisory authorities leeway when they look at companies' data collection and retention. Within the GDPR, the Commission focuses specifically on its goal of creating a unified approach to collecting, retaining, and removing data. Many US-based businesses that assume the GDPR doesn't apply to them may find themselves surprised.
Today’s Google fine indicates the EU's willingness to whip technology companies into line – whether on antitrust grounds or a lack of GDPR compliance.
Figuring out whether your US-based business will be tagged as a data collector, processor, or both is tricky. However, the EU's regulation-defined goals and the new Google fine indicate that the supervisory authorities are going to try to push their enforcement capabilities as far as possible. The first step towards compliance lies in having the right data solutions.
Acronis is committed to helping business partners meet their GDPR compliance needs. Our data protection products and services include a global network of data centers to help meet "local storage" requirements, yet we have no visibility into the data stored there. Additionally, we've instituted best practices so our partners and customers know how to handle backups while maintaining a customer’s right to be forgotten.
The EU is making digital enforcement a priority, so businesses need to start finding the right solutions to ensure their GDPR compliance. You need to be prepared. Acronis can help.