Tuesday 23rd July 2019

The Balkanisation of the Internet Blog Series Part II – The inconsistent application of GDPR

In this series, we examine how this process of balkanisation is shaping different parts of the world. This post focuses on the contribution of the General Data Protection Regulation (GDPR) in the EU. The first part of the series can be found here.

In our previous blog post, we defined the Balkanisation of the Internet as the fragmentation of the global, open Internet into a series of smaller, less cooperative networks. This is a process that was initiated by the 2013 Snowden Leaks, which eroded the world’s trust in large companies and the US government’s respect for online privacy.

We argue that GDPR is another contributing factor to the current Balkanisation of the Internet because of its inconsistent application of the law resulting in a de facto plethora of different data protection regimes within the EU, each with their own enforcement of the law.

The Rise of GDPR

News emerged of a massive data breach at Equifax in March 2017, with the firm only revealing in September 2018 that 145 million US customers (as well as 15.2 million UK citizens) were affected. A host of Personally Identifiable Information (PII) was exposed including names, birth dates, addresses, social security numbers, and driver’s license numbers. It remains one of the largest breaches on record, and the company has received criticism due to the delay in notifying authorities and users of the breach. On July 23rd, Equifax announced that it had agreed to pay £561m to a US regulator following the breach, despite the UK regulator previously issuing a fine of only £500,000.

Both the 2017 Equifax breach and the more recent British Airways and Marriott breaches reaffirm the need for EU regulation of large businesses’ handling of consumer data. This was already being implemented in the form of the EU’s General Data Protection Regulation (GDPR), the deadline for which came into play in May 2018. GDPR’s stated objective was to protect EU consumers and hold companies accountable for data breaches. You can find our analysis of the British Airways breach in our previous blog post on the subject.

More than a year on from this deadline, we can now assess GDPR’s impact on the private sector and whether the EU’s attempt at data localization laws has contributed to the Balkanisation of the internet. Despite the fact that GDPR outlines enforcement mechanisms that would have a positive effect on the cyber security of private organisations, such as the timely disclosure of breaches, the implementation of these measures in practice reveals the difficulty of regulating a Balkanised internet.

There are two main factors in the EU’s inconsistent enforcement of GDPR thus far which contribute to this phenomenon. First, companies are still disclosing breach notifications long after the initial incident, despite the GDPR’s 72-hour disclosure policy. Second, enforcement of GDPR penalties remains inconsistent across national bodies, which de facto maintain different data regimes, further contributing to a Balkanisation of the Internet.

Breach notifications

GDPR has introduced a range of new enforcement measures for companies handling consumer data in bulk. Article 33 states that data controllers have a 72-hour window to disclose breaches and a duty to notify all affected individuals. This aims to prevent delays from companies such as Equifax, which announced its breach nearly sixteen months after the fact, and situations where the company in question issues piecemeal data breach notifications to victims.

British Airways, breached in August by the Magecart technique, only took 16 days to disclose the breach to the Information Commissioner’s Office (ICO), the UK’s national body in charge of enforcing GDPR. However, the ICO’s announcement of enforcement measures only came 321 days later. Despite British Airways swiftly disclosing the breach to the ICO, it still exceeded the 72-hour policy.

Marriott Hotels took 83 days to disclose their incident to the ICO following the initial breach on September 8th by a group allegedly affiliated with the Chinese government. Following the disclosure to the ICO, the body announced enforcement measures on July 9th, 2019, 309 days after being notified. Nearly 10 months after the incident, the ICO finally announced a £99m fine for the hotel chain.

This significant delay raises questions over the effectiveness of GDPR in enforcing transparency for non-EU companies suffering data breaches and the timeliness of their enforcement procedure, even if the companies’ disclosure times improve, as demonstrated by the British Airways case.

Disparate fines

The second instance of this inconsistent enforcement of GDPR legislation resides in the role played by national bodies as enforcers. While certain bodies such as the UK’s ICO or France’s CNIL have played a proactive role in enforcing GDPR consistently and proportionately, bodies from other states have been less consistent. Our data analysis of GDPR fines issued by national bodies thus far demonstrates that different data regimes are being enforced in the EU. For example, the data commissioners of only 17 of the 28 EU member states have issued fines.

Furthermore, the size of the fines that have been issued has also varied dramatically, albeit so has the size of the breaches.[1] For instance, while the German, Hungarian and Czech national bodies have issued the most public GDPR fines in the EU thus far with nine each, the fines issued by these bodies total only €179,000, €149,000 and €17,000 respectively. In contrast, the UK’s ICO has issued only two public GDPR fines so far, amounting to €314,000,000, more than all other EU members combined.

The disparity in enforcement procedures amongst national bodies demonstrates an urgent need for harmonisation in order to make the regulatory environment more predictable and navigable for companies wishing to protect consumers and respect GDPR measures. Furthermore, the presence of different tiers of enforcement according to each national body and member state means that compliance with GDPR is made increasingly difficult for companies established across different EU member states, which have to interact with each individual regulatory body separately.

What can you do about it?

Despite its clear benefits for businesses and consumers, the practical application of GDPR is accelerating the balkanisation of the internet with a de facto two-tier enforcement system of its rules. Until the EU provides quantified reports of consistent enforcement of GDPR rules, and conducts harmonisation policies amongst the national bodies enforcing these rules, many non-EU firms may block EU consumers altogether, as demonstrated by the actions of US media firms. The best way to avoid such issues remains adopting a proactive and threat-led approach, both to reduce the prospect of being breached in the first place and to enable you to quickly detect and respond to a breach in the event that it does occur, which in turn should reduce the extent of any regulatory action.

[1] Data from enforcementtracker.com
