The Balkanisation of the Internet Blog Series Part II – The inconsistent application of GDPR
In this series, we examine how this process of balkanisation is shaping different parts of the world. This post focuses on the contribution of the General Data Protection Regulation (GDPR) in the EU. The first part of the series can be found here.
In our previous blog post, we defined the Balkanisation of the Internet as the fragmentation of the global, open Internet into a series of smaller, less cooperative networks. This is a process that was initiated by the 2013 Snowden Leaks, which eroded the world’s trust in large companies and the US government’s respect for online privacy.
We argue that GDPR is another contributing factor to the current Balkanisation of the Internet, because its inconsistent application has produced a de facto plethora of different data protection regimes within the EU, each with its own enforcement of the law.
The Rise of GDPR
News emerged of a massive data breach at Equifax in March 2017, with the firm only revealing in September 2018 that 145 million US customers (as well as 15.2 million UK citizens) were affected. A host of Personally Identifiable Information (PII) was exposed including names, birth dates, addresses, social security numbers, and driver’s license numbers. It remains one of the largest breaches on record, and the company has received criticism due to the delay in notifying authorities and users of the breach. On July 23rd, Equifax announced that it had agreed to pay £561m to a US regulator following the breach, despite the UK regulator previously issuing a fine of only £500,000.
Both the 2017 Equifax breach and the more recent British Airways and Marriott breaches reaffirm the need for EU regulation of large businesses’ handling of consumer data. Such regulation was already being implemented in the form of the EU’s General Data Protection Regulation (GDPR), which came into force in May 2018. GDPR’s stated objective was to protect EU consumers and hold companies accountable for data breaches. You can find our analysis of the British Airways breach in our previous blog post on the subject.
More than a year on from this deadline, we can now assess GDPR’s impact on the private sector and whether the EU’s attempt at data localisation laws has contributed to the Balkanisation of the Internet. Although GDPR outlines enforcement mechanisms that would have a positive effect on the cyber security of private organisations, such as the timely disclosure of breaches, the implementation of these measures in practice reveals the difficulty of regulating a Balkanised Internet.
Two main factors in the EU’s inconsistent enforcement of GDPR thus far contribute to this phenomenon. First, companies are still disclosing breach notifications long after the initial incident, despite GDPR’s 72-hour disclosure policy. Second, enforcement of GDPR penalties remains inconsistent across national bodies, which de facto maintain different data regimes, further contributing to the Balkanisation of the Internet.
Breach notifications
GDPR has introduced a range of new enforcement measures for companies handling consumer data in bulk. Article 33 states that data controllers have a 72-hour window to disclose breaches and a duty to notify all affected individuals. This aims to prevent delays such as that of Equifax, which announced its breach nearly sixteen months after the fact, and situations where the company in question issues haphazard data breach notifications to victims.
British Airways, breached in August by the Magecart technique, only took 16 days to disclose the breach to the Information Commissioner’s Office (ICO), the UK’s national body in charge of enforcing GDPR. However, the ICO’s announcement of enforcement measures only came 321 days later. Despite British Airways swiftly disclosing the breach to the ICO, it still exceeded the 72-hour policy.
Marriott Hotels took 83 days to disclose their incident to the ICO following the initial breach on September 8th by a group allegedly affiliated with the Chinese government. Following the disclosure to the ICO, the body announced enforcement measures on July 9th, 2019, 309 days after being notified. Nearly 10 months after the incident, the ICO finally announced a £99m fine for the hotel chain.
This significant delay raises questions over the effectiveness of GDPR in enforcing transparency for non-EU companies suffering data breaches, and over the timeliness of the regulators’ own enforcement procedures, even where companies’ disclosure times improve, as the British Airways case demonstrates.
Disparate fines
The second instance of this inconsistent enforcement of GDPR legislation lies in the role played by national bodies as enforcers. While certain bodies such as the UK’s ICO or France’s CNIL have played a proactive role in enforcing GDPR consistently and proportionately, bodies from other states have been less consistent. Our data analysis of the GDPR fines issued by national bodies thus far demonstrates that different data regimes are being enforced in the EU. For example, only 17 EU data commissioners out of 28 EU member states have issued fines.
Furthermore, the size of the fines issued has also varied dramatically, although so have the sizes of the breaches.[1] For instance, while the German, Hungarian and Czech national bodies have issued the most public GDPR fines in the EU thus far, with nine each, the fines issued by these bodies total only €179,000, €149,000 and €17,000 respectively. In contrast, the UK’s ICO has issued only two public GDPR fines so far, amounting to €314,000,000, more than all other EU members combined.
The disparity in enforcement procedures amongst national bodies demonstrates an urgent need for harmonisation, in order to make the regulatory environment more predictable and navigable for companies wishing to protect consumers and respect GDPR measures. Furthermore, the existence of different tiers of enforcement for each national body and member state makes compliance with GDPR increasingly difficult for companies operating across several EU member states, which must interact with each regulatory body separately.
What can you do about it?
Despite its clear benefits for businesses and consumers, the in-practice application of GDPR is accelerating the Balkanisation of the Internet with a de facto two-tier enforcement system of its rules. Until the EU provides quantified reports of consistent enforcement of GDPR rules, and pursues harmonisation policies amongst the national bodies enforcing those rules, many non-EU firms may block EU consumers altogether, as demonstrated by the actions of US media firms. The best way to avoid such issues remains adopting a proactive and threat-led approach, both to reduce the prospect of being breached in the first place and to enable you to detect and respond to a breach quickly in the event that it does occur, which in turn should reduce the extent of any regulatory action.
Orpheus is a leading cybersecurity company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence.