Europe's new data protection monkey wrench
US firms knew in October that doing business in Europe was going to get tougher when the European Court of Justice (ECJ) invalidated the US-European Union (EU) Safe Harbor framework, which had governed transatlantic data transfers since 2000. In a webcast held on January 12, Latham & Watkins gave an overview of how to prepare for the EU's pending General Data Protection Regulation (GDPR), and it made clear just how onerous the new regime will be.
Replacing the EU's data protection directive of 20 years ago, the new regulation is intended to simplify and harmonize data protection across Europe and to make its enforcement consistent from one member state to the next. Taking internet-related issues into account, the GDPR also introduces new provisions such as the right to be forgotten (already recognized by the ECJ), an obligation of data protection by design and by default, and the right to data portability.
The new law, which is expected to be finalized in the coming months but won't become applicable until 2018, extends the restrictions on collecting sensitive personal information to new categories such as genetic and biometric data. It also broadens the definition of processing to cover everything from collection to destruction. Companies will further be barred, absent specific legal authorization, from processing information concerning criminal reference checks of prospective employees and customers.
Relying on data subjects' consent, including for information that has already been collected, will become harder for companies. To rely on consent, a company will need to show that it was given freely, which means examining whether consent was made a condition of performing a contract and whether it can be withdrawn. 'One of the first tasks will be for companies to decide whether they want to use consent as legal grounds for collection,' says Ulrich Wuermeling, a partner in Latham & Watkins' Frankfurt office. 'They should try to use legal grounds other than consent.'
The new regulation brings several internal compliance obligations, starting with the appointment of a data protection officer where a company's core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive data. Companies established outside the EU will also need to designate a representative in the EU, whom supervisory authorities and data subjects can address in addition to or instead of the controller or processor, and who will be exposed to enforcement action if the controller fails to comply with the regulation. The representative's duties include keeping records of all data-processing activities and responding to supervisory authorities' information requests. The concept existed under the directive but was interpreted differently by individual EU member states.
Because companies must avoid inadvertently collecting data that is insufficiently anonymized, 'you will need to rethink your governance and your business in order to comply,' says Jennifer Archie, a partner in Latham & Watkins' Washington, DC office. She suggests 'all US businesses that offer global access should consider geo-blocking and consider what the business trade-offs are to avoid inadvertent stumbling into a complex and burdensome regime.' She further warns that the requirements of the new regime may run contrary to many US business models.
A recent Ovum survey of 366 IT decision-makers worldwide finds that more than half (52 percent) expect the GDPR to result in fines for their company, while two thirds expect it to force changes to their European business strategy. More than 70 percent of respondents expect to spend more to meet data sovereignty requirements, and more than 30 percent expect budgets to rise by more than 10 percent over the next two years. Of those who plan to update their data privacy strategies in the next three years, 38 percent plan to hire subject matter experts and 27 percent plan to hire a chief privacy officer.
Nor is the stricter treatment of data limited to Europe: Brazil, Singapore and Russia are also tightening their data privacy regulations, according to the Ovum report.
In the aftermath of Edward Snowden's revelations about US government electronic surveillance, respondents ranked the US as the least trusted of 20 industrialized economies and the most likely to gain unauthorized access to sensitive information, with China and Russia second and third, respectively. There is also a prevalent view that the GDPR will put US companies at an even greater disadvantage: 63 percent of respondents believe it will make it harder for US firms to compete, and 70 percent think the new law will favor Europe-based companies.
The Ovum report also shows that many organizations aren't using the controls already available to them to protect sensitive data. Just 44 percent of respondents say they monitor user activity and alert on data policy violations; only 53 percent classify information so that access controls can be aligned with it. Nearly half (47 percent) have no policies or controls governing access to consumer cloud storage and file-sharing services such as Dropbox.
The cost of non-compliance will rise sharply under the new regime, warns Gail Crawford, a partner in Latham & Watkins' London office. In contrast to the negligible fines under the existing directive, companies could be fined up to €10 million ($10.8 million) or 2 percent of total revenue, whichever is higher, at the lower tier, and up to €20 million or 4 percent of revenue, whichever is higher, at the upper tier.
All of this will give companies operating in Europe a lot to think about.