GDPR

Here's something that will make you feel just a little bit older: the European Union's General Data Protection Regulation (GDPR) is coming up on the one-year mark this May. How fast the last 365 days came and went probably correlates directly with whether, and how heavily, you were fined, but nevertheless the paper anniversary seems a good time for a checkup.

The GDPR was instituted in part to provide some regulatory cohesion to the data privacy landscape that rolls across the EU's 28 member states. Since irony apparently doesn't observe international borders, over the last year things have actually started trending in the opposite direction, with individual jurisdictions making the most of whatever enforcement latitude the GDPR affords them.

The firm of Latham & Watkins maintains an online tracker that charts derogations across member states. For example, the age of data usage consent for children is 14 in Austria and 13 in the Czech Republic. Spain requires that data identifying a person's religion, sexual orientation or labor union affiliation be processed under another legal basis in addition to explicit consent. Not so in Germany.

As the EU's privacy landscape continues to diversify, experts are anticipating even more regulatory confusion and compliance-related headaches. Enforcement, meanwhile, is only expected to become stronger as regulators experiment with penalties that could potentially cause more long-term damage to offending companies than a single fine.

Regulatory Clarity

Another year older, another year wiser, right? When it comes to the GDPR, the answer is a resounding "sort of"—and that uncertainty might be causing member states to overcompensate on privacy precautions.

"You have to realize, the way it's drafted is a much higher level of generality than what we would see in a U.S. regulation," says David Peloquin, an associate with Ropes & Gray.

His practice is focused mainly on health care, where he counsels life sciences companies, universities and researchers on how to prevent the GDPR from becoming an ongoing impediment to clinical research. This time last year, a question from a client might have looked a little something like, "to what extent does the law apply to a hospital in Denver?"

The present—and by the looks of it, the immediate future—is dominated by the nitty-gritty stuff, the actual barriers that either drag a business matter out interminably or prevent it from happening altogether. "We have seen certain research projects not go forward because there's not a suitable means to transfer personal data from the EU to the U.S.," Peloquin says.

Peloquin attributes some of the schedule-busting precautions to a lingering sense of confusion European entities still hold toward the GDPR.

"I do feel for the Europeans here because I think the European [Data] Protection Board hasn't issued as clear of guidance on these types of points as one might like. … I don't think they anticipated the extent to which Europeans who are really scared about the enforcement of this law are going to take extreme interpretations of this," Peloquin says.

Health care isn't the only space where data is having trouble making international travel arrangements. Myriah Jaworski, an attorney and certified information privacy professional at Beckage law firm, foresees a point in the not-too-distant future where discovery obligations will run afoul of the GDPR too.

She says the European Commission has made clear that compliance with a U.S. court order is not a lawful basis for processing personal data, calling the dueling obligations a direct conflict for businesses. Some might even see it as an opportunity. "I think that we're going to see companies in the states using their GDPR obligations as the basis to not have to produce certain information in the U.S.," Jaworski explains.

'Splinter' Compliance

David Lucas, a partner at Bradley Arant Boult Cummings, typically encounters GDPR wrinkles while in the service of his larger clients. Over the last year, he has become attuned to the reality that GDPR provides splinters of a standard rather than one cohesive obligation that passes from border to border unchanged.

Lucas' clients would prefer a more unified standard moving forward. They ask, "Is there any way that we can come up with a common compliance strategy where we build it once and replicate it across all jurisdictions? And unfortunately that doesn't appear to be the case," Lucas says.

So what are the realities that businesses should expect to face in a post-GDPR world? Tougher matchmaking, for one. In 2018, Merrill Corp. conducted a survey with input from 500 dealmakers across Europe, Africa and the Middle East in which 58 percent of respondents indicated that they had worked on an M&A transaction that had not progressed as a result of GDPR-related concerns.

Lucas expects that pattern to continue, largely because the GDPR-associated risks still haven't been sufficiently time-tested. "Right now that's an uncertainty and I think that an organization needs to do a lot of diligence around the perspective on the liability of acquiring a foreign entity," he explains.

As for any ongoing anxiety that the GDPR and other privacy regulations have stunted companies' ability to innovate—well, the jury is still out on that one. Lucas pointed out that the French regulatory authority Commission Nationale de l'Informatique et des Libertés (CNIL) has already come out and said that by its very nature, blockchain is noncompliant and will require a greater emphasis on disclosure and consent. But for his money, innovation is more heavily impacted by an inconsistent application of the law.

"I think the uncertainty of what's going to be required and the uncertainty of what it's going to take to comply is really right now what's dampening some innovation," Lucas says.

He argued that a more streamlined regulatory landscape would allow entrepreneurs to build GDPR compliance into their products from the ground up rather than trying to shoehorn requirements into the process as they arise.

The startup players that Jaworski sees walk through the door at Beckage are typically not that far along in their thinking yet. A year into the GDPR, new businesses are still focused on the big idea rather than big data, but regulatory awareness is something Jaworski said is slowly being infused into the startup world.

As awareness of GDPR-related hang-ups continues to grow into the future, compliance-related concerns might transition from being a hindrance to a key selling point. "There's an awareness of what can separate you in the eyes of an investor from the other guy down the street who's doing something very similar is that … you've already addressed data protection," Jaworski says.

Tougher Enforcement on the Horizon?

Anybody hoping that EU supervisory authorities took the last year to mellow out on a beach and reconsider just how strongly they feel about this whole privacy thing will be sorely disappointed.

In February, the law firm of DLA Piper released a survey suggesting that regulators were dealing with a backlog of reports, citing a total of 59,000 reported breaches, while just 91 fines had been issued. Jaworski thinks that as consumers become better acquainted with data subject rights thanks to the GDPR's preponderance of cookie banners and terms of use notices, the number of complaints could go up.

Fortunately—or unfortunately, depending on where you sit—manpower shouldn't be an issue. "You've seen, I believe, a doubling of employment at the [U.K.'s Information Commissioner's Office], and you've seen a similar increase in hiring in Ireland and Germany and some of the other more active supervisory authorities," Jaworski says.

Funny enough, though, the admittedly brief enforcement history of the GDPR suggests that future actions will not be oriented around breaches. She adds, "If you're in the European Union and you're working in the supervisory authority, you're viewing more as the human rights-oriented nature of the GDPR."

By that, she means the way that organizations treat and collect consumer data on a day-to-day basis, with an emphasis on transparent and highly specific disclosures regarding the "why" and "how" that data is being used.

Google found that out the hard way. In January 2019, it was hit with a $57 million fine by CNIL for essentially not making its data consent policy easier for users to find and read. It was the first GDPR fine levied against a major U.S. tech company, and there was nary a breach in sight.

When it comes to data in a GDPR world, how data is handled will be just as important as transparency. Just a few months prior to the Google fine, Central Hospital of Barreiro Montijo in Portugal was assessed a fine totaling close to $453,000 by the country's supervisory authority. Its transgression? Allowing close to 1,000 people to have doctor-level access to its patient management system while only having about 300 doctors on staff.

The stakes surrounding how fastidious companies are with the data in their care are poised to become even higher. Jaworski thinks that in addition to fines, the future holds potentially stiffer penalties for companies deemed to be noncompliant. The GDPR authorizes supervisory authorities to issue either temporary or permanent data processing bans, making the pain point for companies something that runs deeper than cutting a big check: the forced modification of their operation or business practices.

It's not without precedent. Back in February, for example, the Bundeskartellamt (Germany's Federal Cartel Office) said that while Facebook could continue to collect data from Facebook-owned apps like Instagram or WhatsApp, it could not assign that data to a user's profile without consent.

Jaworski expects to see similar enforcement actions taken in the future, supplemented by full-out bans on data processing. Since regulatory authorities are showing no signs of backing down, companies that want to thrive rather than just survive under the GDPR may have to look beyond simple compliance and figure out a way to turn data protection into an advantage rather than an obligation.

"Fundamentally, you can go back and forth on the GDPR," she says. "I think that it's a flawed regulation in many ways, but data protection is here to stay. How can we view data protection as an opportunity?"