Whilst firms have had since 14th April 2016 to get themselves ready for the General Data Protection Regulation (GDPR) rules from the EU, many have struggled to hit the deadline, with a wide range of services currently unavailable in Europe.
Pinterest's news-clipping service Instapaper is one of the most high-profile examples. EU users have been banned from accessing its platform since last Friday. Pinterest has emailed users to say that this is a temporary measure and that it intends to "restore access as soon as possible".
"I know that it was too short notice," tweeted the service's chief Brian Donohue. "I underestimated the scope of work and it was not possible to complete by the deadline, this was the required alternative."
Unfortunately true. We are working very hard to resolve it and restore service for EU users as soon as possible. https://t.co/phwVR5MqEJ
— Brian Donohue (@bthdonohue) May 24, 2018
Donohue has not detailed in what ways the service would have been non-compliant.
Unroll.me - a service that promises to declutter users' email inboxes of unwanted messages - is another product to have temporarily halted its service to EU customers, and has also deleted accounts.
The movie and TV review app Stardust has gone even further, permanently removing its product from EU versions of Google Play and Apple's App Store, and deleting all EU residents' records. "Without deleting EU accounts entirely, we would be storing data about EU residents and therefore would be required to adhere to GDPR laws. So unfortunately, we cannot simply block access or freeze EU accounts for the time being," the company claimed.
As a startup, Stardust simply does not have the financial and labor resources to meet these: Our small team of five would have to stop everything we do on a daily basis – customer support, managing the app's stability, overseeing and upholding our community standards, developing the product, and marketing for growth in order to survive as a startup.
In addition, GDPR comes with steep financial penalties if requirements are not met.
At our size, the combination of these would be detrimental to our community and potentially fatal to our company.
As Stardust points out, one issue for many firms is that the fines for non-compliance with GDPR are considerable: up to four percent of turnover. Interpreting the rules has also proved challenging for many firms, and as Anne Currie argued on the InfoQ podcast, this combination has meant that many firms have been reluctant to share information. "I think and I fear that it might be a discouraging discussion rather than encouraging discussion because everyone is too frightened they might be infringing," she stated.
Meanwhile, Europe-based privacy campaign group noyb.eu, led by Austrian privacy activist Max Schrems, filed four complaints on Friday against Facebook, WhatsApp and Instagram (which are owned by Facebook) and Google. The lawsuits seek to fine Facebook 3.9 billion euro and Google 3.7 billion euro (roughly $8.8 billion). Both Google and Facebook have rolled out new policies and products to comply with GDPR, but Schrems' complaint argues those policies don't really give consumers a choice; you can either agree to let Facebook and Google collect enormous amounts of data on you, or you can delete their services.
The GDPR explicitly allows any data processing that is strictly necessary for the service – but using the data additionally for advertisement or to sell it on needs the users' free opt-in consent.
Max Schrems: "It's simple: Anything strictly necessary for a service does not need consent boxes anymore. For everything else users must have a real choice to say 'yes' or 'no'."
InfoQ has published an eMag exploring GDPR in more detail.