The key points of The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) were assessed in the Digital Journal article “European business needs to get smart about data protection.”
By GDPR explicitly acknowledging the protection of natural persons in relation to the processing of personal data as a fundamental right, this put financial and logistical strains on businesses. Despite various forms of guidance, many businesses are unsure as to how to interpret the law. For instance, the biggest global issue is with international transfers of data.
Digital Journal: What is GDPR all about?
Bryan Clark: The GDPR’s focus is maximizing the ability of people in the European Union to control what information is collected about them and how that information is handled after it is collected. This includes consent standards that in many cases are more rigorous than those required under U.S. law, as well as limitations on the transfer of data to the United States. The GDPR also affords various rights to data subjects, including the right to be forgotten. Regulators enforcing the GDPR will always expect transparency from the company, and they will expect that consumers are in control of their information.
DJ: How does GDPR impact on people operating outside of Europe?
Clark: The GDPR has already affected companies operating outside of the Europe Union that have taken steps to comply with GDPR either because they hope to operate in the EU in the future or because they have business partners in the EU who are demanding compliance. One critical question that remains unanswered, however, is whether and to what degree the GDPR can be enforced outside of the EU. The language of the GDPR says its territorial scope extends beyond the EU, but whether the EU actually has jurisdiction and the ability to take any action against companies abroad and without any physical presence in the EU is debatable.
DJ: What has been the impact of GDPR since its inception?
Clark: Thus far, the GDPR has had a greater impact on compliance than enforcement. Companies and organizations of all sizes across the United States have attempted to comply with the GDPR — sometimes without fully assessing whether the GDPR applies to them and/or would be enforceable against them. The flood of new privacy policies and cookie pop-ups released around the May 25, 2018 effective date has had a large ripple effect.
Many smaller companies and organizations first learned of the GDPR when they saw a competitor change its practices or saw GDPR-related information on a Web site they visit regularly. Since then, some companies have been scrambling to catch up. But as some companies have scrambled to comply, regulators have been quiet. There has not been a similar wave of regulatory actions after the May 25 deadline.
DJ: What types of similar privacy laws are likely to impact the U.S.?
Clark: To date, the only similar wide-ranging privacy law in the United States has been the California Consumer Privacy Act (“CCPA”), which was passed earlier this year (but continues to be modified via amendments in the legislature and does not go into effect until January 1, 2020). The CCPA shares the GDPR’s broad definition of what is considered personal information, but it continues to have an opt-out model (which is more familiar to American companies) rather than the GDPR’s stringent opt-in requirements. It remains to be seen whether other U.S. jurisdictions will follow suit.
DJ: How similar will these laws be to GDPR?
Clark: The question is whether new laws in the United States will shift the way Americans think about privacy. In general, Americans assume that companies and organizations will use their information unless they opt out. In Europe, the assumption is that information will not be used unless the consumer affirmatively opts in. This obviously creates an entirely different structure. The CCPA expands the definition of personal information and creates a private right of action for consumers whose information was subject to disclosure as a result of a business’s failure to reasonably protect that information. But at its core, the CCPA still adopts the traditional opt-in model.
DJ: Are these laws a good thing?
Clark: That is a matter of perspective. For American businesses, these laws are generally bad news. Whether it is the GDPR, the CCPA, or another similar law, any law that imposes greater regulatory scrutiny on a company’s data practices is not ideal because it means increased compliance costs. The private rights of action in the GDPR and CCPA are also sure to draw the attention of plaintiffs’ class action attorneys. Whether these costs are outweighed by the prospect of increased privacy is in the eye of the beholder.
DJ: What should businesses do to prepare for new privacy laws?
Clark: The first step any business should take is to determine whether these laws apply. We often hear from clients frantically trying to comply with the GDPR or the CCPA, only for us to do some investigation and determine that the law does not apply. But if these laws do apply — or if a business is gearing up for future privacy laws — a great first step is to engage in a data mapping exercise that identifies all types of data the business collects, where it comes from, and what is done with it. Inevitably, the individuals leading the compliance effort learn through this process that the company’s data handling apparatus is more complicated than originally thought.
Once a business has a full understanding of what data it has and what is being done with that data, it is in a much better position to determine how to proceed with new privacy laws. This process can be orchestrated among in-house counsel, in-house IT, outside counsel, and outside IT, and we’ve engaged in and are engaging in many of these exercises.
DJ: Will there be any changes to businesses-to-business communications?
Clark: Whether there is a change in business-to-business communications depends on where the businesses are located and what kind of relationship the businesses have with one another. Business-to-business communications within the United States should be largely unchanged. But international business communications could be much more limited, as companies covered by the GDPR fear running afoul of the international transfer regulations.
DJ: What differences will consumers see?