The European Union's General Data Protection Regulation was celebrated as a revolution in how internet privacy could be legislated. It was a reaction to long-term concerns in the EU about information collection by tech giants like Facebook, Alphabet and Apple.
Known as GDPR, the regulation gave sweeping new powers to individuals in how they can control their data, including the right to demand that companies tell them how their data is used, and to ask corporations to destroy their data, a tenet of the law known as "the right to be forgotten."
The law also imposed the world's stiffest potential privacy fines: Up to 20 million euros or 4% of a company's global annual revenue for the previous year for the most egregious violations. For Facebook, such an upper-level fine could therefore feasibly reach $1.6 billion.
But one year later, GDPR hasn't lived up to its potential.
Among some consumers, GDPR is perhaps best known as a bothersome series of rapid-fire, pop-up privacy notices. Those astronomical fines have failed to materialize. The law has created new bureaucracies within corporations, and with those, tension and confusion. And it's unclear if the EU data authority that oversees the law is adequately staffed to handle its demands.
"It's offloading too much responsibility to the individual," to understand the notices and take action on them.
The notices were meant as a jumping-off point where people could begin the journey of understanding how each of their applications and the websites they visit use their data. But they have probably had the opposite effect, Jehl said. "If you have a job, or kids, or hobbies, or a life, you can't do that, keeping track of all that. It would be a full-time job to protect your privacy in a notice and consent model."
Consumers are often confused as to how they can actually take advantage of GDPR's privacy powers.
"I think it has given consumers a greater awareness of what data is being collected about them, and a greater ability to control that data," said Scott Pink, special counsel in the data security and privacy practice at law firm O'Melveny & Myers. "But now, I think there's still some lack of clarity from consumers on exactly what they need to do."
"Consent fatigue" may be an unfortunate adverse side effect, said Odia Kagan, chair of the GDPR compliance program at law firm Fox Rothschild.
"I think that the importance of people understanding what is going on with their data, and not having a surprised reaction that somebody has their information. When you need to click 329 toggles, that is also a problem, because you won't want to do it. The actual process is something we still need to work on so we don't get consent fatigue. "
Google was hit with a $57 million fine in January over how it uses data for ad-targeting, but the company is fighting it. Facebook was fined about $645,000 over the Cambridge Analytica scandal, which involved the alleged misuse of customers' personal information for election research conducted by Donald Trump's presidential campaign.
"In the beginning, a number of [EU] regulators informally said 'we know you guys aren't ready for GDPR, and to be honest, we're not really ready either,'" said Jehl. That informal grace period is, however, likely coming to an end, she said.
"The enforcement is just getting started," said Kagan. "The higher fines are very likely going to be in connection with very large companies with very complex structures. We haven't seen them because they aren't done yet."
The data protection authorities have other tools as well, which might be even costlier than fines, Kagan said.
In some cases, EU regulators can tell companies, "You have 90 days to rectify the thing you are doing wrong with the data, or after 90 days you cannot use the data." Sometimes, even the big fines won't make or break them, but the data will if it is a core component of their business.
GDPR introduced something new to many corporations that do business with European clients: a data protection officer.
To be compliant with GDPR rules, companies had to hire (or outsource) someone to lead a data protection office. This is a tricky proposition at many companies, especially the biggest ones, where this new role -- and the bureaucracy that goes with it -- often overlaps with existing executive functions, such as cybersecurity, privacy, legal, audit and technology risk, among others.
"They have a lot of special protections that regular [executives] don't have," explained Jehl. The data protection officer's duty is to protect customers' data, even if that protection goes against other business objectives, meaning there are often different rules on how the executive can be disciplined or dismissed, she said.
The new role is a positive step in terms of "increasing the importance of data and privacy management, and privacy professionals," said Pink.
"But there is still somewhat of a tension between serving those requirements and making sure the business can make a profit, and also ensuring that the expense of complying is adequately funded but not too expensive."
GDPR instituted a new 72-hour breach reporting guideline -- a far tighter reporting timeline than other regulations. It apparently panicked so many companies that they flooded -- and completely overwhelmed -- the U.K. data privacy regulator by September 2018.
"The U.K. commission office basically issued an SOS saying 'you're overreporting, we're drowning here,'" recalled Jehl.
The issue highlights another potential problem with GDPR: Most regulatory agencies in the EU are not staffed to deal with the legislation and its sweeping new requirements. The total budget of Ireland's Data Protection Commission, which oversees implementing GDPR, was about $18 million for 2019, and that's a 30% increase from 2018.
"I still feel like unless there is a very significant increase in staffing, they are probably going to have to pick and choose the enforcement actions that they bring," said Kagan.
EU regulators have also found themselves dealing with a huge influx of GDPR "rumors," or large-scale panics spreading across social media, misinterpreting how the law applies to everyday life events.
For instance, one recent blog entry from the Irish Data Protection Commission discussing events at schools borders on the absurd:
"Take the scenario whereby a school wants to take and publish photos at a sports day – schools could inform parents in advance that photographs are going to be taken at this event and could provide different-coloured stickers for the children to wear to signify whether or not they can be photographed," the Commission suggested. The post goes on to discuss the possibility of schools banning photographs at a high school musical, but suggests that might be unwieldy.
Kagan said, "a lot of things that are said about what GDPR is doing are myths. There are tons of misconceptions."
As a result, regulators have had to spend a great deal of time undoing myths, explaining the law's broad language and providing guidance. She predicts they will eventually shift this time to investigating and enforcing the law.
"In the end, GDPR is all about consent and it's an approach to privacy that is very European," said Kagan. "That's not a mistake. It's a values statement."