VIDEO: Outlook on EU Privacy Changes, Data Transfers


By Daniel R. Stoller

U.S. companies doing business in the European Union face uncertainty under a strict new privacy framework and an EU-U.S. data transfer program that is under attack, a panel of privacy professionals said at Bloomberg Law’s 2017 Privacy Outlook.

Although the EU already has strong privacy protections, the EU General Data Protection Regulation (GDPR) brings those laws into the digital age, Kendall C. Burman, cybersecurity and data privacy counsel at Mayer Brown LLP in Washington, said. The rise in cybercrime, internet of things (IoT) devices and other digital innovations prompted the EU to update privacy protections for its citizens, she said.

The GDPR is “more sensible for companies” to deal with as a single, overarching harmonized framework rather than as a patchwork of privacy laws from the 28 EU member states, Burman, who served in the Commerce Department during the Obama administration, said.

But Cameron Kerry, senior counsel at Sidley Austin LLP and former general counsel and acting secretary at Commerce, said companies still face uncertainty. The GDPR will take effect in May 2018, but there is still substantial guidance that needs to be released by EU privacy officials before companies will have sufficient clarity about the impending regulation, he said.

Under the GDPR, companies must notify the supervisory authority of certain personal data breaches within 72 hours of becoming aware of them. For the most serious violations, companies could face fines of as much as 4 percent of their global annual revenue, or 20 million euros, whichever is higher. For example, Alphabet Inc.'s Google had $60.6 billion in revenues in fiscal year 2015, Bloomberg data show. A fine of 4 percent means that, under the GDPR formula, Google could get a bill from the EU exceeding $2.4 billion for a single infraction.

Privacy Shield

The panel, moderated by Bloomberg Law Privacy & Data Security News Managing Editor Donald Aplin, also delved into the benefits and risks of the Privacy Shield data transfer program, given the uncertain political environment in the U.S. and court challenges across the Atlantic.

The Privacy Shield allows U.S. companies that self-certify to the Commerce Department that they comply with EU-approved privacy and security principles to legally transfer personal data from the EU to the U.S. The Privacy Shield is relied upon by over 1,800 U.S. companies, including Google, Microsoft Corp. and Facebook Inc., as well as tens of thousands of EU companies.

There is a “tremendous amount of uncertainty going forward” due to multiple EU court challenges to the Privacy Shield, and concerns from EU regulators that President Donald Trump might not be fully supportive of the program, Kirk Nahra, privacy partner at Wiley Rein LLP in Washington, said.

Kerry said the biggest risk to the Privacy Shield is how the Trump administration handles surveillance issues, and especially Presidential Policy Directive 28 (PPD-28), which limits how U.S. signals intelligence agencies may collect and use personal data. If Trump repeals or alters PPD-28 in any material way, companies “can kiss the Privacy Shield goodbye,” he said.

But hope is not lost for companies wanting to do business in the EU, Nahra said. Companies should have backup plans with good processes, procedures, contracts and internal controls, so they can “engage in these activities” if the Privacy Shield is no longer adequate to protect EU citizens’ data, he said.

To contact the reporter on this story: Daniel R. Stoller in Washington at

To contact the editor responsible for this story: Donald Aplin at

For More Information

The video is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
