Advertisement
U.S. markets closed
  • S&P 500

    5,254.35
    +5.86 (+0.11%)
     
  • Dow 30

    39,807.37
    +47.29 (+0.12%)
     
  • Nasdaq

    16,379.46
    -20.06 (-0.12%)
     
  • Russell 2000

    2,124.55
    +10.20 (+0.48%)
     
  • Crude Oil

    83.11
    +1.76 (+2.16%)
     
  • Gold

    2,254.80
    +42.10 (+1.90%)
     
  • Silver

    25.10
    +0.35 (+1.41%)
     
  • EUR/USD

    1.0792
    -0.0037 (-0.35%)
     
  • 10-Yr Bond

    4.2060
    +0.0100 (+0.24%)
     
  • GBP/USD

    1.2623
    -0.0015 (-0.12%)
     
  • USD/JPY

    151.3700
    +0.1240 (+0.08%)
     
  • Bitcoin USD

    70,791.75
    +1,688.41 (+2.44%)
     
  • CMC Crypto 200

    885.54
    0.00 (0.00%)
     
  • FTSE 100

    7,952.62
    +20.64 (+0.26%)
     
  • Nikkei 225

    40,168.07
    -594.66 (-1.46%)
     

GDPR: One Year Down, Forever to Go



GDPR
GDPR



 

Here’s something that will make you feel just a little bit older: the European Union’s General Data Protection Regulation (GDPR) is coming up on the one-year mark this May. How fast the last 365 days came and went probably has a direct correlation to if and how much you were fined, but nevertheless the paper anniversary seems a good time for a checkup.

The GDPR was instituted in part to provide some regulatory cohesion to the data privacy landscape that rolls across the EU’s 28 member states. Since irony apparently doesn’t observe international borders, over the last year things have actually started trending in the opposite direction, with individual jurisdictions making the most of whatever enforcement latitude the GDPR affords them.

The firm of Latham & Watkins maintains an online tracker that charts derogations across member states. For example, the age of data usage consent for children is 14 in Austria and 13 in the Czech Republic. Spain requires that data identifying a person's religion, sexual orientation or labor union affiliation be processed under another legal basis in addition to explicit consent. Not so in Germany.

As the EU's privacy landscape continues to diversify, experts are anticipating even more regulatory confusion and compliance-related headaches. Enforcement, meanwhile, is only expected to become stronger as regulators experiment with penalties that could potentially cause more long-term damage to offending companies than a single fine.

Regulatory Clarity



Another year older, another year wiser, right? When it comes to the GDPR, the answer is a resounding “sort of”—and that uncertainty might be causing member states to overcompensate on privacy precautions.

“You have to realize, the way it’s drafted is a much higher level of generality than what we would see in a U.S. regulation,” says David Peloquin, an associate with Ropes & Gray.

His practice is focused mainly on health care, where he counsels life sciences companies, universities and researchers on how to prevent the GDPR from becoming an ongoing impediment to clinical research. This time last year, a question from a client might have looked a little something like, “to what extent does the law apply to a hospital in Denver?”

The present—and by the looks of it, the immediate future—is dominated by the nitty-gritty stuff, the actual barriers that either drag a business matter out interminably or prevent it from happening altogether. “We have seen certain research projects not go forward because there’s not a suitable means to transfer personal data from the EU to the U.S.,” Peloquin says.

Peloquin attributes some of the schedule-busting precautions to a lingering sense of confusion European entities still hold toward the GDPR.

“I do feel for the Europeans here because I think the European Data Protection Board hasn’t issued as clear of guidance on these types of points as one might like. ... I don’t think they anticipated the extent to which Europeans who are really scared about the enforcement of this law are going to take extreme interpretations of this,” Peloquin says.

Health care isn’t the only space where data is having trouble making international travel arrangements. Myriah Jaworski, an attorney and certified information privacy professional at Beckage law firm, foresees a point in the not-too-distant future where discovery obligations will run afoul of the GDPR too.

She says the European Commission has made clear that compliance with a U.S. court order is not a lawful basis for processing personal data, calling the dueling obligations a direct conflict for businesses. Some might even see it as an opportunity. “I think that we’re going to see companies in the states using their GDPR obligations on the basis to not have produce certain information in the U.S.,” Jaworski explains.

'Splinter' Compliance



David Lucas, a partner at Bradley Arant Boult Cummings, typically encounters GDPR wrinkles while in the service of his larger clients. Over the last year, he has become attuned to the reality that GDPR provides splinters of a standard rather than one cohesive obligation that passes from border to border unchanged.

Lucas’ clients would prefer a more unified standard moving forward. They ask, “Is there any way that we can come up with a common compliance strategy where we build it once and replicate it across all jurisdictions? And unfortunately that doesn’t appear to be the case,” Lucas says.

So what are the realities that businesses should expect to face in a post-GDPR world? Tougher matchmaking, for one. In 2018, Merrill Corp. conducted a survey with input from 500 dealmakers across Europe, Africa and the Middle East in which 58 percent of respondents indicated that they had worked on an M&A transaction that had not progressed as a result of GDPR-related concerns.

Lucas expects that pattern to continue, largely because the GDPR-associated risks still haven’t been sufficiently time-tested. “Right now that’s an uncertainty and I think that an organization needs to do a lot of diligence around the perspective on the liability of acquiring a foreign entity,” he explains.

As for any ongoing anxiety the GDPR and other privacy regulations have stunted a company’s ability to innovate—well, the jury is still out on that one. Lucas pointed out that the French regulatory authority Commission Nationale de l’informatique et des Libertés (CNIL) has already come out and said that by its very nature, blockchain is noncompliant and will require a greater emphasis on disclosure and consent. But for his money, innovation is more heavily impacted by an inconsistent application of the law.

“I think the uncertainty of what’s going to be required and the uncertainty of what it’s going to take to comply is really right now what’s dampening some innovation,” Lucas says.

He argued that a more streamlined regulatory landscape would allow entrepreneurs to build GDPR compliance into their products from the ground up rather than trying to shoehorn requirements into the process as they arise.

The startup players that Jaworski sees walk through the door at Beckage are typically not that far along in their thinking yet. A year into the GDPR, new businesses are still focused on the big idea rather than big data, but regulatory awareness is something Jaworski said is slowly being infused into the startup world.

As awareness of GDPR-related hang-ups continues to grow into the future, compliance-related concerns might transition from being a hindrance to a key selling point. “There’s an awareness of what can separate you in the eyes of an investor from the other guy down the street who’s doing something very similar is that ... you’ve already addressed data protection,” Jaworski says.

Tougher Enforcement on the Horizon?



Anybody hoping that EU supervisory authorities took the last year to mellow out on a beach and reconsider just how strongly they feel about this whole privacy thing will be sorely disappointed.

In February, the law firm of DLA Piper released a survey suggesting that regulators were dealing with a backlog of reports, citing a total of 59,000 reported breaches, while just 91 fines had been issued. Jaworski thinks that as consumers become better acquainted with data subject rights thanks to the GDPR's preponderance of cookie banners and terms of use notices, the number of complaints could go up.

Fortunately—or unfortunately, depending on where you sit—manpower shouldn't be an issue. "You’ve seen, I believe, a doubling of employment at the U.K.'s Information Commissioner's Office, and you’ve seen a similar increase in hiring in Ireland and Germany and some of the other more active supervisory authorities," Jaworski says.

Funny enough, though, the admittedly brief enforcement history of the GDPR suggests that future actions will not be oriented around breaches. She adds, “If you’re in the European Union and you’re working in the supervisory authority, you’re viewing more as the human rights-oriented nature of the GDPR.”

By that, she means the way that organizations treat and collect consumer data on a day-to-day basis, with an emphasis on transparent and highly specific disclosures regarding the “why” and “how” that data is being used.

Google found that out the hard way. In January 2019, it was hit with a $57 million fine by CNIL for essentially not making its data consent policy easier for users to find and read. It was the first GDPR fine levied at a major U.S. tech company, and there was nary a breach in sight.

When it comes to data in a GDPR world, data treatment will also be equally important as transparency. Just a few months prior to the Google fine, Central Hospital of Barreiro Montijo in Portugal was assessed a fine totaling close to $453,000 by the country's supervisory authority. Its transgression? Allowing close to 1,000 people to have doctor-level access to its patient management system while only having about 300 doctors on staff.

The stakes surrounding how fastidious companies are with the data in their care are poised to become even higher. Jaworski thinks that in addition to fines, the future holds potentially stiffer penalties for companies deemed to be noncompliant. The GDPR authorizes supervisory authorities to issue either temporary or permanent data processing bans, making the pain point for companies something that runs deeper than cutting a big check: the forced modification of their operation or business practices.

It's not without precedent. Back in February, for example, the Bundeskartellamt (Germany's Federal Cartel Office) said that while Facebook could continue to collect data from Facebook-owned apps like Instagram or WhatsApp, it could not assign that data to a user's profile without consent.

Jaworski expects to see similar enforcement actions taken in the future, supplemented by full-out bans on data processing. Since regulatory authorities are showing no signs of backing down, companies who want to thrive rather than just survive under the GDPR may have to look beyond simple compliance and figure out a way to turn data protection into an advantage rather than an obligation.

"Fundamentally, you can go back and forth on the GDPR," she says. "I think that it's a flawed regulation in many ways, but data protection is here to stay. How can we view data protection as an opportunity?"

Advertisement