The United Kingdom’s Information Commissioner’s Office (ICO) has conducted a review into The Washington Post’s online subscription options and found that they are not in compliance with the European Union’s General Data Protection Regulation (GDPR).
The online subscription options do not come under the remit of GDPR; however, the ICO may issue it with a penalty. The Washington Post has three separate subscription levels, but only the most expensive level gives users the option of disabling tracking cookies. Linking this “consent” to access has raised the eyebrows of privacy activists before, who have queried whether this meets the requirements for consent set out in EU data protection legislation. As per GDPR, The Washington Post should have offered subscribers a free alternative to accepting cookies.
The ICO case manager in charge of the case stated: “I am of the view that the Washington Post has not complied with their Data Protection obligations. This is because they have not given users a genuine choice and control over how their data is used. We have written to the Washington Post about their information rights practices. We have told them they should now ensure that users of the Washington Post website have the option to access all levels of subscription without having to accept cookies. We hope that the Washington Post will heed our advice, but if they choose not to, there is nothing more we can do in relation to this matter.”
This case emphasized that the ICO is focused on ensuring that US-based companies are compliant with GDPR in relation to EU account holders. Companies found to be in breach of the GDPR are subject to fines of up to a maximum of €20m or 4% of annual global revenue, whichever figure is larger.
As there is some uncertainty about GDPR’s extraterritorial applicability and how it can be enforced against non-EU-based groups, the European Data Protection Board is set to issue public advice on the GDPR’s extraterritorial applicability soon.
Pat Walshe, Managing Director of Privacy Matters and privacy advocate, said in relation to the case that he believed that controlling the situation may be beyond the scope of the GDPR legislation. He said: “I would respectfully suggest the ICO does not have the resource nor the inclination to pursue cross-border action. Especially when it diverted 70 staff to work on the Facebook/Cambridge Analytica investigation. It seems to be struggling to cope with complaints raised about UK based data controllers.”