Companies and their lawyers brace for wide-ranging EU data-privacy law
A pending European Union law has companies across the globe reviewing how they collect and protect user data.
The General Data Protection Regulation “is without a doubt, the biggest, most wide-impacting regulation in the area of data protection in the history of the world,” says Joshua Lenon, lawyer in residence at Clio, a practice management software company in Vancouver, British Columbia. The regulation goes into effect on May 25.
Over the past two years, the Clio team has conducted a top-to-bottom review of its products to be compliant with the GDPR, which affects the collection, storage, transfer and deletion of personal data. Clio’s process tweaked “client-facing” features on the platform, revamped its privacy policy, and updated contractual relationships with vendors.
All Clio’s customers throughout the world, regardless of whether they reside in the EU, will have access to these heightened privacy protections. That’s because, Lenon says, Clio sees the GDPR as the new floor for data privacy worldwide.
Clio is not alone. With the May deadline looming, companies big and small are turning to their lawyers for guidance as they seek to comply with the new regulations. Additionally, European regulators, called data-protection authorities, are preparing for the post-GDPR era, in which they expect their enforcement authority to be significantly strengthened and expanded.
The GDPR replaces a 1995 EU directive with old and new provisions that cover topics as diverse as a right to be forgotten and an individual’s ability to confront automated decision-making systems.
For those previously compliant with European privacy law, the GDPR should not be a big concern, says Linda Priebe, a partner at Culhane Meadows in Washington, D.C. However, she adds, “a lot of folks were caught asleep at the switch.”
RACING TOWARD COMPLIANCE
Even with a two-year compliance period, a 2017 survey by the International Association of Privacy Professionals, a nonprofit industry group, reported that about 60 percent of firms that think the GDPR applies to them “will be only partially compliant by the deadline.”
Priebe says the GDPR applies to “any entity that has customers, employees or potential customers in the EU” or the European Economic Area. With 99 articles, the breadth and depth of the regulation is immense.
In the United States, companies have struggled to adequately inform users of what data is collected and how it is used. Under the GDPR, a company must gain a user’s consent to collect their data through “a clear, affirmative act that is freely given, specific and informed,” Priebe says.
In one example, the Dutch Data Protection Authority stated Microsoft Windows 10 was noncompliant because the operating system didn’t “clearly inform users about the type of data it uses,” which meant “people cannot provide valid consent.” Microsoft challenged some aspects of the complaint but resolved “to cooperate with the DPA to find appropriate solutions,” according to the company blog.
Compliance can come at a cost, says Lokke Moerel, senior of counsel at Morrison & Foerster in Berlin. For example, businesses must create a register of their data-processing activities, but this step alone “takes much more time than they anticipated” and is not feasible for many, she says.
Further, some companies will need a data-protection officer, business-level leadership that oversees GDPR compliance. Others will require new technology, which will cost some Fortune 500 companies up to $1 million, according to a report by the law firm Paul Hastings. Failure to comply could be devastating—a company could be fined up to 4 percent of its global annual revenue.
To understand the potential impact, consider the 2014 and 2015 hacks on Hilton Worldwide, which exposed the credit-card information of 350,000-plus customers. Because of the breach, New York Attorney General Eric Schneiderman fined it $700,000—about $2 per record. In 2015, the hotel chain reported $11.2 billion in revenue worldwide. Under the GDPR, the fine for the same breach could be as much as $448 million, or $1,280 per record.
As companies race toward compliance, data-protection authorities are ramping up.
In late 2016, many of Germany’s state-level officials sent surveys to 500 companies to collect information about international data-transfer practices. In December 2017, French regulators threatened to sanction WhatsApp for its data-sharing agreement with Facebook. And U.K. authorities launched an investigation into Uber after it was reported that the company covered up a 2016 breach that affected 57 million people. This all primes the pump for May 25.
As far as what to expect from authorities then, Moerel at MoFo says regulators could take various directions. And regardless of direction, expect them to act forcefully. “The data-protection authorities will need to make a statement,” she says.
This article was published in the March 2018 issue of the