U.S. law firms that deal with EU citizens must get ready to comply with the EU General Data Protection Regulation (GDPR) or will risk incurring potentially huge penalties, speakers told members of the Association of Professional Responsibility Lawyers Feb. 3.
The EU Parliament enacted the “broad and wide-ranging” GDPR three years ago to reconcile and consolidate the privacy laws of all EU member states, said panelist Susan E. Gunter, a partner at Dutton Brock LLP in Toronto. Before its adoption, she said, privacy regulation in the EU differed depending on the country. That will change effective May 25, when GDPR will apply to and be enforceable by any EU member state against any business, anywhere in the world, that holds or processes the personal data of even one citizen of the EU, Gunter told the audience.
The law will extend to all companies doing business in Europe, including law firms and their clients, as well as nonprofits and companies that don’t have a physical location there—“so any company that sells anything on the internet.” GDPR also applies to companies that collect information about EU data subjects and, in Gunter’s opinion, may extend to companies that conduct marketing activities on the internet.
The regulation’s definition of personal data is “incredibly broad,” Gunter said. Referring to an online FAQ contained in the conference materials, she noted “personal data” includes names, email contact information, location data, social media posts, medical information, and any other information that might identify a person, either directly or indirectly.
Additionally, Gunter said, GDPR requires organizations to implement “privacy by design.” This means designing a mechanism that from the outset minimizes collection and retention of personal data and curtails the risk of breach. Fines authorized under GDPR, she noted, are up to four percent of a company’s annual revenue or €20 million.
GDPR “creates new rights,” Gunter said. Unlike citizens of the U.S., EU citizens have the “right to be forgotten.” GDPR “allows [the EU data subject] to say, ‘I want you to erase all the information you ever put out into the world about me.’”
Under GDPR, Gunter said, EU data subjects will have the right to access their personal information held by an organization at any time, and the organization will have a very short response deadline.
Because Gunter’s law firm does work for a German company, she said, one of that client’s employees who previously sent her an email “could contact me and say ‘I want to know what information you have about me,’ and I have to respond.” The employee would also have the right to object to the automated collection of his personal data, ask Gunter’s firm to correct inaccurate data, or ask for all of his personal data, including metadata, to be put onto a device or transmitted to him—and deleted forever from the company’s servers and devices.
Moderator Trisha Rich asked, “Does that company have an affirmative obligation to go to all the people to whom they’ve given that data,” or does the data subject have to make separate inquiries? Rich is a partner at Holland & Knight LLP in Chicago.
Gunter said GDPR would require her to contact those to whom she disclosed the data subject’s personal information “if I disclosed [it] without his express consent.” But a company that’s in compliance with GDPR would only have the subject’s information if it had first explained how it might use it. In the case of a law firm, Gunter said, a GDPR-compliant disclosure might include a statement that it would be disclosing the subject’s personal information to the opposing party, to the court, or any other reasonably foreseeable entities.
Panelist Brian Faughnan, who’s with Lewis Thomason in Memphis, Tenn., noted that under GDPR “consent can no longer be a global consent” but must specify the types of data and uses to which the subject is consenting. “Lawyers are going to have to address this in their engagement letters,” he said. And GDPR doesn’t permit waiving consent, noted Gunter.
Faughnan commented that in the U.S., as a rule, under any state’s rules regarding returning client files, it’s ok to say, “I’m keeping a copy.” But under GDPR, he said, it appears that U.S. lawyers may not keep a copy if the client wants the data returned. Still, Faughnan wondered how an EU member state might enforce a fine against a U.S. business such as his firm in Tennessee unless it holds assets in Europe. “They can say there’s extraterritorial jurisdiction, but you and what army?”
Gunter suggested the U.S. might negotiate an agreement on GDPR enforcement with the EU, but she emphasized U.S. firms must take GDPR seriously. The largest global firms already are in compliance, she said, but she fears midlevel firms may not be aware of GDPR’s reach and will incur fines for noncompliance. She recommended firms not rely on white papers written by consulting companies but rather read the regulation themselves to determine what compliance requires.
Gunter said all EU countries have now appointed privacy commissioners to help enforce GDPR, and any EU citizen may make a complaint to any EU privacy authority. Once that happens, she said, a target firm will be notified of its responsibility to comply with the regulation, and if its compliance is deemed insufficient, that authority can impose a sanction. GDPR also creates a private right of action in the event of noncompliance, so an aggrieved data subject may sue. GDPR permits nonmaterial damages such as loss to reputation and does not require the aggrieved subject to prove them, she said. It also provides for class actions by nonprofit entities created for that purpose. [See Article 80, GDPR.]
“Remember how up in arms we all got about Gramm-Leach-Bliley? We fought back,” said Faughnan. [The Gramm-Leach-Bliley Act contains provisions requiring “financial institutions” to notify customers of their policies of protecting their privacy. In American Bar Ass’n v. Federal Trade Comm’n, D.C. Cir., 430 F.3d 457, 12/6/05, the court ruled against the FTC’s attempt to include lawyers in that definition. 21 Law. Man. Prof. Conduct 616 (2005).]
“This is a global Gramm-Leach-Bliley, on steroids, and we don’t have any say in stopping it.”
The panel, entitled “Privacy and Confidentiality in a Changing World,” convened at APRL’s midyear meeting in Vancouver.
To contact the reporter on this story: Helen Gunnarsson in Chicago at Helen.Gunnarsson@americanbar.org
To contact the editor responsible for this story: S. Ethan Bowers at email@example.com
The full text of GDPR is available at https://gdpr-info.eu/.
Copyright 2018, the American Bar Association and The Bureau of National Affairs, Inc. All Rights Reserved.