(Left to right): Michael Bonasso, a founding member of Flaherty Sensabaugh Bonasso; Sara Cushard of GreyCastle Security; Brian Dusek, assistant vice president of technical underwriting at Zurich North America; and Marshall Wall, managing partner at Cranfill Sumner & Hartzog at the 2019 Corporate Counsel Symposium hosted by the Federation of Defense and Corporate Counsel in Philadelphia. Photo: Dan Clark/ALM

In-house counsel should make compliance with laws like the European Union's General Data Protection Regulation and the California Consumer Privacy Act a top priority, a panel at the 2019 Corporate Counsel Symposium in Philadelphia said Tuesday.

Dr. Jürgen Hartung, a partner at Oppenhoff & Partner in Cologne, Germany, who joined the conference via telephone, said Japan has a new data privacy law and others are being worked out across the globe. He said while those laws are not carbon copies of the GDPR, the GDPR is serving as a template.

"They're [other countries'] goal is to be recognized by the European Commission because that means they are a safe country which allows for much easier data transfers to those countries," Hartung said.

While the GDPR was on the minds of in-house counsel and the companies they work for in 2018, this year legal departments should be working to make sure they're compliant with the CCPA, the panel said. The CCPA goes into effect Jan. 1, 2020, and impacts companies that do business in California. Businesses can be based outside of the state and still be impacted by the law, the panel said.

The CCPA covers California residents and applies to companies that do business in California.  The law will apply to for-profit businesses that have an annual revenue of $25 million or more.

"It really has implications all across the United States," Michael Bonasso, a founding member of Flaherty Sensabaugh Bonasso in Charleston, West Virginia, said of the law.

Marshall Wall, managing partner at CSH Law in Raleigh, North Carolina, said the CCPA's definition of personal information is much broader than how other states have defined it in the past.

"In CCPA, much like the GDPR, personal information is defined much more broadly," Wall said. "It includes things like tags you use online. It includes biometric data and it includes [internet protocol] addresses."

Historically, data has become a commodity, and companies have gone from being able to do whatever they want with data to consumers getting more rights, Wall said. In-house counsel should continue to stay on top of the ever-changing developments in the laws, he added.

"As each of these statutes is passed in various states in the U.S. they're going to have differences," Wall said. "This is an area that is evolving literally every day, and there are going to be changes. It's an area where you have to keep on top of what's going on."