Sept. 16 — U.S. companies that are preparing for the upcoming General Data Protection Regulation and the European Union-U.S. Privacy Shield may see increased regulatory scrutiny and potentially high implementation costs, privacy professionals said Sept. 15.
Companies may face increased regulatory scrutiny and implementation costs associated with the GDPR and the Privacy Shield because of the uncertainty behind the programs, Phil Lee, privacy partner at Fieldfisher and head of the firm's Palo Alto, Calif. office, said at an International Association of Privacy Professionals conference in San Jose, Calif.
For example, the GDPR's 72-hour breach notification window, which takes affect May 25, 2018, doesn't explicitly outline when the window kicks in. It remains to be seen whether the 72-hour window kicks in when the company thinks that a breach occurred or is it when the company can confirm the data breach, Lee said
Failure to comply with the standard can bring reputational and monetary damage. Companies that don't comply could face fines up to 10 million euros ($11.29 million) or 2 percent of a company's worldwide revenue, whichever is higher.
Lothar Determann, privacy partner at Baker & McKenzie LLP, said that as more and more companies trade in a global market they will face various data privacy regulations each with their own rules and fines.
To help alleviate fears and costs associated with the patchwork of regulations, companies should “build global programs that have the highest standards,” Determann said. A global data plan should include mechanisms from the GDPR, Privacy Shield and other data privacy regimes, he said.
Both European regulators and U.S. agencies are expected to increase the amount of data privacy enforcement actions, the privacy professionals said.
Todd Hinnen, privacy partner at Perkins Coie LLP in Seattle, said that the Federal Trade Commission was highly criticized for not bringing more actions against U.S. companies that weren't in compliance with the U.S.-EU Safe Harbor program or lacked another adequate data transfer mechanism. Other U.S. agencies that have recently increased their data security enforcement action may see increased pressure to bring more regulatory actions, such as the Consumer Finance Protection Bureau, the Federal Communications Commission and the U.S. Securities and Exchange Commission, he said.
Additionally, companies that haven't used the Privacy Shield, binding contractual clauses or another privacy certification may face the brunt of enforcement actions, Hinnen said.
Time will tell if U.S. regulators will feel the pressure from critics to bring more regulatory enforcement actions for the lack of an adequate data transfer mechanism.
Although the Privacy Shield is main data transfer certification for U.S. companies that do business in the EU or transfer data to the EU, it may also have a major impact as a marketing mechanism.
Large U.S. tech companies have already certified under the Privacy Shield, including Microsoft Corp. and Salesforce Inc. Microsoft is the third largest technology company in the world with a market capitalization of $451.5 billion and Salesforce is the eighth largest application software company with a market capitalization of $55.3 billion, Bloomberg data show.
Lee said that companies may look to the larger U.S. tech companies as a reason to sign up for the Privacy Shield and wear the certification “as a badge of honor.” As more and more large tech companies join the program, there will be a rush of smaller tech companies who will feel the need to sign up, he said.
Ultimately, companies shouldn't panic when deciding to sign up for the Privacy Shield, Lee said. Companies just need to do their due diligence and decide what is the best data transfer mechanism under their circumstances, he said.
To contact the reporter on this story: Daniel R. Stoller in Washington at email@example.com
Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)