EU Privacy Upheaval Demands Urgent U.S. Corporate Game Plan

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

  • EU privacy regime preparation overshadows other international data privacy issues in 2017
  • U.S. companies must use 2017 to get compliance programs in place to sync with new privacy regime

By George R. Lynch

Dec. 2 — Seismic changes taking effect in 2018 for European Union privacy law will make the scramble for compliance a top 2017 priority for U.S. companies that use EU data.

Gearing up for the EU General Data Protection Regulation (GDPR) “is everything. It’s hard to overstate that,” Lisa Sotto, who chairs Hunton & Williams LLP’s privacy and cybersecurity practice in New York, said. It is “an extraordinary shift” that requires serious and sustained attention from U.S. companies, she told Bloomberg BNA.

Thousands of companies face a new legal scheme that is full of ambiguities. They need to prep for the GDPR now to have even a chance of being ready by the May 2018 deadline, Sotto said.

EU Privacy Regulation

The stakes are high. The EU and U.S. are each others' largest trading partners, with combined trade reaching $700 billion in 2015, according to the U.S. Census Bureau.

Meanwhile, there is uncertainty in the EU wherever you look, Cam Kerry, senior counsel at Sidley Austin LLP’s Privacy, Data Security and Information Law group in Washington, told Bloomberg BNA. “There are tons of questions facing companies as they put compliance programs in place,” Kerry said.

Personal data is the currency of international commerce.

U.S. multinational companies doing business in Europe will have to spend 2017 figuring out how to implement new requirements for the handling of EU citizens' personal data, such as names, financial and location information and health records.

The GDPR is the first major overhaul of EU data privacy law in over two decades. It includes huge maximum fines and requires organizations to notify privacy regulators of data breaches within 72 hours.

Fines for violating the GDPR can reach 20 million euros ($22.5 million), or up to 4 percent of a company's global revenue, whichever is higher, for violations of data processing consent, individual privacy rights or international data transfer rules, or for ignoring orders from privacy regulators.

To illustrate, Alphabet Inc.'s Google had $60.6 billion in revenues in fiscal year 2015, Bloomberg data show. A fine of 4 percent means Google could get a bill from the EU exceeding $2.4 billion for a single infraction.

Because the GDPR is completely new, “very few people know how to interpret it, let alone comply with it,” Eduardo Ustaran, European head of Privacy and Cyber Security at Hogan Lovells LLP in London, told Bloomberg BNA.

Divide and Conquer

Companies should invest in 2017 in readiness exercises that include finding holes in compliance programs and identifying the data flows around their business, Andrew Dyson, head of the global data protection and privacy group at DLA Piper LLP in London, said.

Some companies already are reviewing their existing EU privacy compliance program and benchmarking it to GDPR standards to see what’s missing and what policies and procedures they will need to put in place, Ustaran said. Benchmarking is the most important action a company can take, he told Bloomberg BNA.

Companies also should assign GDPR compliance responsibilities to different divisions within companies, Monika Kuschewsky, European data protection partner at Squire Patton Boggs LLP in Brussels, said.

For example, legal divisions will need to take stock of existing contracts to determine what needs to be changed in data processor and data controller agreements, she said. Other departments could set up privacy offices.

Sotto said companies should consider the GDPR in small chunks, creating a road map of “module-based” piece-by-piece issues to tackle before the effective date.

U.S. companies that seek compliance protection for data transfers from the EU through the new EU-U.S. Privacy Shield program also need to contemplate GDPR compliance, Kerry told Bloomberg BNA.

Guidance Can't Come Fast Enough

The text of GDPR is full of ambiguities and new requirements, and companies will be looking to upcoming guidance for clues on how to best position themselves for the GDPR.

Isabelle Falque-Pierrotin, chairwoman of the Article 29 Working Party and president of the French privacy office, told Bloomberg BNA that the working party plans to release guidance on the data protection officer requirement, enforcement issues and data portability by the end of 2016. Further GDPR guidance on consent and other issues will be released in 2017.

As of now, no one knows what the process will be for resolving issues when the GDPR takes effect, Kerry said. The working party needs to set time tables and get broad input from all parties.

Pragmatic guidance that is technology-neutral, and in some cases possibly tailored to specific industries, will serve companies best, Kuschewsky said. The guidance should also help companies cut compliance with the regulation into different phases and sizable chunks, because coming to grips with the GDPR in one fell swoop is not an effective way to prepare, she said.

Official guidance is particularly needed in areas where new obligations are introduced by the GDPR, Ustaran said.

New Rules Added, Old Rules Expanded

One of the biggest compliance demands raised by the GDPR is that it expands existing privacy requirements, Ustaran said. Companies that were in full compliance with previous rules must rethink how to comply with new requirements in the same subject area.

Companies already are required to disclose in a privacy notice how they will use customer data, for instance. The GDPR adds to this obligation, Ustaran said. It will also require vendors that contract with companies to secure personal data, a huge, additional obligation and change from current practice. Multinationals routinely work with hundreds, and perhaps even thousands, of vendors and services handling personal data of employees and customers.

Perhaps even more challenging than meeting expanded requirements will be addressing wholly new privacy obligations, Ustaran said.

Some of the requirements introduced by the GDPR include:

  •  privacy impact assessments for major projects;
  •  data breach notification to national privacy regulators within 72 hours of discovery of a breach;
  •  implementation of privacy by design principles in new projects;
  •  individuals control portability of personal data from one company to another; and
  •  pseudonymization of personal information used in big data applications.

Some companies will have to designate a data protection officer (DPO). DPOs will serve as in-house privacy officers for data controllers and data processors that meet certain requirements. Having a DPO in place won't provide a safe harbor from the GDPR, but would be viewed as a plus for privacy regulators undertaking or considering enforcement actions.

These “brand new issues require a lot of thinking about what’s actually involved,” Ustaran said.

To contact the reporter on this story: George R. Lynch in Washington at

To contact the editor responsible for this story: Donald G. Aplin at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security