Dec. 2 — Seismic changes taking effect in 2018 for European Union privacy law will make the scramble for compliance a top 2017 priority for U.S. companies that use EU data.
Gearing up for the EU General Data Protection Regulation (GDPR) “is everything. It’s hard to overstate that,” Lisa Sotto, who chairs Hunton & Williams LLP’s privacy and cybersecurity practice in New York, said. It is “an extraordinary shift” that requires serious and sustained attention from U.S. companies, she told Bloomberg BNA.
Thousands of companies face a new legal scheme that is full of ambiguities. They need to prep for the GDPR now to have even a chance of being ready by the May 2018 deadline, Sotto said.
The stakes are high. The EU and U.S. are each other's largest trading partners, with combined trade reaching $700 billion in 2015, according to the U.S. Census Bureau.
Meanwhile, there is uncertainty in the EU wherever you look, Cam Kerry, senior counsel at Sidley Austin LLP’s Privacy, Data Security and Information Law group in Washington, told Bloomberg BNA. “There are tons of questions facing companies as they put compliance programs in place,” Kerry said.
Personal data is the currency of international commerce.
U.S. multinational companies doing business in Europe will have to spend 2017 figuring out how to implement new requirements for the handling of EU citizens' personal data, such as names, financial and location information and health records.
The GDPR is the first major overhaul of EU data privacy law in over two decades. It includes huge maximum fines and requires organizations to notify privacy regulators of data breaches within 72 hours.
Fines for violating the GDPR can reach 20 million euros ($22.5 million), or up to 4 percent of a company's global revenue, whichever is higher, for violations of data processing consent, individual privacy rights or international data transfer rules, or for ignoring orders from privacy regulators.
To illustrate, Alphabet Inc.'s Google had $60.6 billion in revenues in fiscal year 2015, Bloomberg data show. A fine of 4 percent means Google could get a bill from the EU exceeding $2.4 billion for a single infraction.
Because the GDPR is completely new, “very few people know how to interpret it, let alone comply with it,” Eduardo Ustaran, European head of Privacy and Cyber Security at Hogan Lovells LLP in London, told Bloomberg BNA.
Companies should invest in 2017 in readiness exercises that include finding holes in compliance programs and identifying the data flows around their business, Andrew Dyson, head of the global data protection and privacy group at DLA Piper LLP in London, said.
Some companies already are reviewing their existing EU privacy compliance program and benchmarking it to GDPR standards to see what’s missing and what policies and procedures they will need to put in place, Ustaran said. Benchmarking is the most important action a company can take, he told Bloomberg BNA.
Companies also should assign GDPR compliance responsibilities to different divisions within companies, Monika Kuschewsky, European data protection partner at Squire Patton Boggs LLP in Brussels, said.
For example, legal divisions will need to take stock of existing contracts to determine what needs to be changed in data processor and data controller agreements, she said. Other departments could set up privacy offices.
Sotto said companies should consider the GDPR in small chunks, creating a road map of “module-based” piece-by-piece issues to tackle before the effective date.
U.S. companies that seek compliance protection for data transfers from the EU through the new EU-U.S. Privacy Shield program also need to contemplate GDPR compliance, Kerry told Bloomberg BNA.
The text of GDPR is full of ambiguities and new requirements, and companies will be looking to upcoming guidance for clues on how to best position themselves for the GDPR.
Isabelle Falque-Pierrotin, chairwoman of the Article 29 Working Party and president of the French privacy office, told Bloomberg BNA that the working party plans to release guidance on the data protection officer requirement, enforcement issues and data portability by the end of 2016. Further GDPR guidance on consent and other issues will be released in 2017.
As of now, no one knows what the process will be for resolving issues when the GDPR takes effect, Kerry said. The working party needs to set timetables and get broad input from all parties.
Pragmatic guidance that is technology-neutral, and in some cases possibly tailored to specific industries, will serve companies best, Kuschewsky said. The guidance should also help companies cut compliance with the regulation into different phases and sizable chunks, because coming to grips with the GDPR in one fell swoop is not an effective way to prepare, she said.
Official guidance is particularly needed in areas where new obligations are introduced by the GDPR, Ustaran said.
One of the biggest compliance demands raised by the GDPR is that it expands existing privacy requirements, Ustaran said. Companies that were in full compliance with previous rules must rethink how to comply with new requirements in the same subject area.
Companies already are required to disclose in a privacy notice how they will use customer data, for instance. The GDPR adds to this obligation, Ustaran said. It will also require vendors that contract with companies to secure personal data, a huge, additional obligation and change from current practice. Multinationals routinely work with hundreds, and perhaps even thousands, of vendors and services handling personal data of employees and customers.
Perhaps even more challenging than meeting expanded requirements will be addressing wholly new privacy obligations, Ustaran said.
Some of the requirements introduced by the GDPR include:
Some companies will have to designate a data protection officer (DPO). DPOs will serve as in-house privacy officers for data controllers and data processors that meet certain requirements. Having a DPO in place won't provide a safe harbor from the GDPR, but would be viewed as a plus for privacy regulators undertaking or considering enforcement actions.
These “brand new issues require a lot of thinking about what’s actually involved,” Ustaran said.
To contact the reporter on this story: George R. Lynch in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald G. Aplin at email@example.com
Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.