The following is a message posted to the IAJGS Public Records Access Monitoring Committee’s mailing list by Jan Meisels Allen:
It’s just past one month since the General Data Protection Regulation went into effect in the European Union. These are some of the things that occurred as a result of the GDPR:
1. The cessation of some genealogical databases from being on the Internet:
- 450,000 Records Removed From Online Access at Dutch Archives—such as the Tilburg Regional Archive online family cards collection dating from 1920-1940; other branches including Amsterdam, Alkmaar, Eemland and more have removed data from the Internet.
- World Famous Network Y-DNA project ceased operation
- Y-Search and Mitosearch projects of FamilyTree DNA were closed at the end of May. While the announcement did not state they were closing due to the GDPR, the timing is at least “curious.”
2. Major litigation against multinationals allegedly not following the GDPR – the litigation was filed within hours of the GDPR becoming effective by privacy advocates, especially Max Schrems and his firm None of Your Business. According to Politico, in Austria there are 128 complaints and 500 questions; 50 data breach notifications, the same number that occurred previously in a span of eight months. In France complaints are up by over 50 percent compared to the same time period last year. There are 29 cross-border cases under investigation.
3. Facebook and Google are two dominant multinationals which have been the focus of many lawsuits and investigations. With the GDPR it appears their dominance is increasing, especially in advertising, as smaller publishers and advertisers may have problems meeting the new GDPR standards, exemplified by some companies pulling back from Europe.
4. We are seeing other countries, such as Canada, look at the GDPR and consider adopting similar or partial legislation following some of the GDPR rules. Japan and Argentina have overhauled their domestic rules to comply with the GDPR. South Korea and Colombia are tweaking their legislation looking at the GDPR standards.
5. The United States is looking at different privacy aspects, both federally and by state legislation (see California). The White House Special Assistant to President Trump for Technology, Telecom and Cyber Policy, Gail Slater, met with the CEO of the Information Technology Industry Council as well as the technology committee of the Business Roundtable. One of the items that was discussed as a possibility is an executive order directing the Department of Commerce’s National Institute of Standards and Technology to develop privacy guidelines. Another possibility is a public-private partnership laying out voluntary privacy best practices, which could become de facto standards. It is recognized that some parts of the GDPR, such as the “right to be forgotten,” may not work under US law, yet there is a bill in the New York Assembly that would adopt it in New York State, although there has been no action taken and it sits in the committee it was referred to last year and re-referred to this year…
6. Some companies have adopted GDPR to their global markets: Microsoft announced that on May 21st. Facebook said they essentially would treat the GDPR globally, but are moving their non-EU data collection not already in the US or Canada to the United States to avoid any possible fines if they are found not in compliance. The fines for non-compliance are substantial: 4% of worldwide annual revenue of the prior financial year or up to €20 million, whichever is higher (https://www.gdpreu.org/compliance/fines-and-penalties).
7. Some US newspapers stopped selling their newspapers in Europe—i.e. the publisher Tronc: publisher of The Los Angeles Times, Chicago Tribune, New York Daily News. Other publications are being found to deactivate their site for people who opt out of advertising cookies, or are running separate versions that are stripped of tracking, for example USA Today.
There are multiple court cases that may change the focus as we see it, and time will tell. The GDPR is being touted by some privacy advocates as the “gold standard” but we won’t know what standard, if any, will become dominant until more time passes and various countries look at what is best for their individual country’s residents’ privacy.
To read the previous IAJGS Records Access Alert postings about the European Union’s GDPR, right to be forgotten, privacy issues, US privacy legislation, California’s privacy legislation and potential ballot initiative, Canada’s Privacy proposals and more, go to: http://lists.iajgs.org/mailman/private/records-access-alerts/. You must be registered to access the archives. To register go to: http://lists.iajgs.org/mailman/listinfo/records-access-alerts and follow the instructions to enter your email address, full name and the genealogical organization with which you are affiliated. You will receive an email response that you have to reply to or the subscription will not be finalized.
Jan Meisels Allen
Chairperson, IAJGS Public Records Access Monitoring Committee