Brexit Multiplies Uncertainty Over EU Privacy Regulations and Shield

US companies doing business in the EU face a May 25, 2018 deadline to comply with its General Data Protection Regulation [GDRP], a 200+ page law. It is so riddled with questions it requires a new European Data Protection Board [EDPB] to give answers, guidelines, and recommend best practices.

Those answers will be influenced by what is called the EU-US Privacy Shield now being angrily negotiated. And something called the Article 29 Working Party [A29WP] with members from each EU member state is supposed to issue important opinions on data protection.

Clear as crystal. And there is much more. The Irish Data Protection Commissioner, for example, may ask Ireland’s High Court to rule on whether standard EU contract clauses on data protection are valid. That could put the issue in front of the EU’s Court of Justice.

And then the UK voted to leave the EU. To the cascade of speculation underway about what happens next, you can now add an uncertainty multiplier about what rules and best practices you must follow in handling the personal and business data of European residents.

The one certainty in all this is that no one knows what will happen or when. The EDPB and A29WP may give clear direction, but it could come in waves instead of one comprehensive set of do’s and don’t’s. The UK could go it alone and adopt its own laws and regulations. Privacy Shield negotiations and court decisions could change all the above. And no matter what legislators do, technology will keep pointing to new ways to protect and new ways to compromise personal and business data.

So how do you get ready to comply with whatever may be coming? By focusing on guiding principles that must be served no matter how the legal chaos resolves.

Active consent. The GDRP wants you to get active consent to use customer, employee, or vendor data. Think of it as contracts versus implied contracts, clicking “I Agree” instead of relying on unread Terms of Use saying continued access to a website is conditioned on agreeing to the terms.

To implement active consent, you must first know all the kinds of personal and business data you are collecting or already possess. You must take inventory of your data.

Right to Be Forgotten. This is a startling idea for Americans whose use of information is shaped by the First Amendment. Our closest legal recognition of it may be the limited laws allowing expungement of juvenile or adult arrest or conviction records. The right is a recent development in European law largely driven by a desire to have the power to require information, photos, and videos deleted so search engines can’t find them.

Unlike the goal of privacy which is preventing information from becoming public, the right to be forgotten aims to eradicate forever information that is already public. It is a right to disappear into the crowd without a trace.

Exercising the right requires a request, but once you are asked there will be limited time to comply and sanctions for failing.

Your first task is to understand whether you currently can, and if not what is need to, permanently delete the personal or business data you obtain. This is not business as usual for most companies which have nothing beyond an unsubscribe capability for their mailing lists.  The technical difficulties can be substantial.

Rapid Disclosure of Data Breaches. Indiana requires notification within 45 days after discovering a data breach. The GDRP will require notification to its Data Protection Authority in 72 hours ─ 3 days.

No matter how the regulations develop, you must first understand your capabilities for identifying a data breach. If you don’t actively monitor your networks and the personal devices accessing it, start investigating what it will take.

Long Arm Jurisdiction. As Google learned many times, EU member states will exert jurisdiction over any business dealing in the personal or business information of an EU individual resident or company. The determination to exert legal authority over those outside the EU is unlikely to change no matter how the UK separation or further withdrawal votes go.

Lawyers have a way of telling people to do this and that as each new challenge comes along. But here the GDRP has value as a prod to do what’s needed for your organization now. The good thing about the self-knowledge to implement whatever final requirements are imposed by the EU is that it will help with what you’re facing from cyber threats in the next 24 hours.

About Craig Pinkus

Craig Pinkus is a partner in the Intellectual Property Group. He also is a member of the Litigation and the Sports, Entertainment and Media Groups. He assists clients with a broad range of disputes and transactions involving all areas of intellectual property, entertainment, and other complex business arrangements. He has conducted trials and arbitrations throughout the United States and has argued appeals before the Seventh, Sixth and Federal Circuit Courts of Appeal, the Indiana appellate courts, and United States Supreme Court.
This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s