Sticking Your Head in the Sand: How NOT to Approach the GDPR
In speaking with entities, of all sizes and all industries, we are often confronted with the same series of questions over and over again regarding the EU’s General Data Protection Regulation (“GDPR”): why do I need to comply? Is the EU really going to enforce this? What are the odds (as if we have a Magic 8-Ball) that the EU will actually sanction me? That is in essence like saying: what are the odds I will be hit by a car? I don’t know, but I still look both ways before crossing the street and I have insurance because I don’t want to risk it. The doubters, the deniers, the wait-and-see’ers; these are the entities that will get hit by the GDPR. They hope that the GDPR will not be as extensive, or as intrusive, or as devastating as privacy experts are saying and while we don’t have a Magic 8-Ball, the response we give these naysayers is, “All signs point to Yes!”.
Companies need to start asking: how much of my company’s value is derived from the EU? How much data do I collect from the EU as part of my business? How much do I want to access the EU? Because, the number one mechanism that the EU has to force GDPR compliance (beyond just the potentially astronomical sanctions under Article 83) is access to a large, profitable, and thriving economy. If you want to do business in the EU, you have to play by their rules.
And, while the GDPR has yet to take effect (we have approximately 7 months), we can look to other EU actions, taken both at the EU Commission and the EU Courts, to forecast how the EU will approach enforcement and sanctions after May 2018.
In September, EU representatives visited Washington, D.C. to meet with US officials to review the first year of the EU-US Privacy Shield (the current guidance for companies transferring data out of the EU and into the US), and to evaluate the protections and enforcement of those protections provided for under the EU-US Privacy Shield. The discussions revolved around the US’s commitment to actually enforcing the Shield, as well as whether companies are: (a) certifying under the Shield; and then (b) actually complying with the Shield.
There are many within the EU who still do not believe that the EU-US Privacy Shield does enough to protect the individual rights of EU citizens and the protection of their data. These concerns revolve around US surveillance and the ability of the US government to obtain access to the data from commercial entities. In fact, there is a pending court case in Ireland (Schrems II) that is already challenging the validity of Standard Contractual Clauses (SCCs) required by the Shield, also known as “Model Contracts,” and in essence the Privacy Shield framework, arguing that the US still is not meeting the higher data protection standards, and fundamental rights of EU citizens. Further, the EU-US Privacy Shield will ultimately be subject to the requirements of the GDPR, requiring changes in key areas, including automated data processing and decision making (Article 22).
On October 18, 2017, the EU Commission published its first annual report on the EU-US Privacy Shield. Ultimately, the EU Commission’s report concludes that “the United States continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the Union to organisations in the United States.” Report, §2. However, there were a number of recommendations made by the EU Commission to the US for improvement to the EU-US Privacy Shield functioning, including active monitoring of company compliance by the US Department of Commerce and increased awareness efforts to EU individuals on how to exercise their rights.
In the EU Commission’s Press Release, Věra Jourová, Commissioner for Justice, Consumers and Gender Equality, stated: "Transatlantic data transfers are essential for our economy, but the fundamental right to data protection must be ensured also when personal data leaves the EU. Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation. The Privacy Shield is not a document lying in a drawer. It's a living arrangement that both the EU and U.S. must actively monitor to ensure we keep guard over our high data protection standards." Clearly, the EU does not intend to sit back and allow the US to determine how and when it will comply with the EU-US Privacy Shield -- and we can expect the same level of deference when it comes to GDPR compliance.
In addition to the EU-US Privacy Shield assessment, we can look to the discussions being put forth by the Courts -- both the CJEU and the European Court of Human Rights (“ECHR”) -- for guidance on how the GDPR will be enforced. The CJEU has already taken a proactive, privacy-oriented approach in the Judgment of the Court of Justice of the European Union of 6 October 2015, Case C-362/14, Maximilian Schrems v Data Protection Commissioner ("Schrems I"), invalidating the previous Safe Harbour framework to transfer data between the US and the EU.
A recent decision by the Grand Chamber of the ECHR shows significant weight being given to an individual’s right to privacy. In Bărbulescu v Romania (“Bărbulescu”), the Grand Chamber interrupted Article 8 of the European Convention on Human Rights (the “Convention”), which pertains to the right to respect for private and family life, as a limiter on an employer’s ability to monitor the personal communications that an employee may send via an employer’s account at her workplace. The Grand Chamber, in its Bărbulescu press release, cautioned member states to ensure that “when an employer takes measures to monitor employees’ communications, these measures are accompanied by adequate and sufficient safeguards against abuse” by considering a variety of factors outlined by the ECHR.
The Bărbulescu decision supports to the growing number of cases within Europe that are providing greater and greater protections for the individual. And, there are only more decisions to come.
All of these sources point towards a more privacy oriented approach to data, giving the individual much more protection against private and public entities. The European Union is proactively pushing companies to embrace privacy by design. And, companies and entities were given two years to comply with the GDPR: claiming ignorance will likely not be an acceptable excuse. Don’t be caught sticking your head in the sand -- start the conversation TODAY, begin the process of moving towards compliance and creating a culture of privacy within your company. Our recommendation -- don’t wait until the EU comes knocking.
* * * * *
Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.