RegWatch GDPR USA vs EU Photo: Shutterstock.com

Think about how many photos there are of you on Facebook. Then think about how many photos there are of your kids, or your nieces and nephews, or grandkids. Cute, right? Perhaps, until this—under French law, there can be legal liability for posting photos of minors online without permission, meaning that those children who don't want early photos of them online could actually sue for damages upon turning 18.

It's not a law that many U.S.-based attorneys may be thinking about, but that's only one of many to be aware of, says cybersecurity expert and commentator Adriana Sanford. “I'm touching on something basic here like posting photos, but what about something like planned obsolescence?”

These gaps between U.S. and international laws, and where they might create problems for in-house attorneys, was the basis of the opening keynote of the 2019 SuperConference in Chicago. Sanford noted how in the current regulatory landscape, “It's not only corporate exposure that we need to minimize. We also need to minimize personal exposure.”

To that end, she told the story of Diego Dzodan, Facebook's vice president for Latin America. In one criminal case, the Brazilian government wanted access to messages sent through the WhatsApp service owned by Facebook. But given the ephemeral nature of those messages, Facebook couldn't turn them over. The Brazilian government didn't accept that explanation though, and eventually arrested Dzodan himself. And this, said Sanford, is just one example of many.

So for in-house attorneys, the end result may be something that seems antithetical to the practice of law: noncompliance. “It's a word you're going to have to be comfortable with, because no matter how much you do, no matter how hard you work, it's a word that may pop up in your department,” she explained. She added that given the current regulatory world there “may come to a point where you have to decide which laws to break and which laws to follow.”

Following the bounds of the law only means so much in the ever-shifting cyber and privacy landscape, she further noted. “The problem is, we can't always do that anymore, because what does it mean to stay within the borders? There's a constant reshuffling of priorities, because what's ethical today may not be ethical tomorrow.”

For instance, there's the EU's General Data Protection Regulation. “Are you complying with GDPR?” she asked the audience. “Are you? I can tell you you're not.” Because of the minute differences in local GDPR regulations and variety of enforcement levels between EU countries, and also adding other countries like Uruguay that have adapted similar laws, following all privacy regulations to the letter may actually be impossible.

Then there's the issue of Cathy's quandary: how attorney-client privilege applies in various ways across international jurisdictions. Sanford gave the example of a compliance-focused corporate attorney that passed the bar in a few states like Florida or New York, but then moves to Spain. Upon learning of money laundering occurring in the company, the attorney must report the action by EU law—but doing so could violate privilege in the U.S. and leave them in violation of some states' bars.

“Ethics is one thing, ethics is keeping in line with what we're supposed to do,” Sanford said. “Morality, living with yourself, now we have a dilemma.” Unfortunately, she added, “the way the system is set up, it really wasn't designed to deal with these quandaries.”

So what are attorneys to do when faced with these conflicting directives? It's not an easy question to answer, but Sanford suggested incorporating more open-ended questions into daily work. “Place them everywhere, because you're going to find out what's going on,” she explained. And although following templates can make life easier, “that template is going to get you into trouble.”

Sanford ended the keynote by noting that when she was working in-house, she would also end a conversation with the question, “Is there anything else that I need to know that I don't already know?” Normally the answer would be no, but one time, the answer she got back from a foreign co-worker was, “Are you serious?” It turns out, some of the company's European activities were against U.S. law, something she wouldn't have known without asking the question. And that, she said, can make all the difference.