(And Why U.S. Companies Should Take Note)
The General Data Protection Regulation (GDPR), Europe’s sweeping data protection law, has been in effect for six months, and while fines have yet to be levied against U.S. companies for breach of the law, enforcement is beginning to take hold. Anne Shannon Baxter of Access Partnership discusses what organizations with cross-border operations should know.
The General Data Protection Regulation (GDPR) has been in effect for six months, and U.S. companies are still struggling to understand its ramifications. As readers of this publication are aware, the European Union law applies to any foreign companies processing the personal data of data subjects residing in the EU, regardless of the company’s location. This means that businesses in the U.S. that offer goods and services, monitor the behavior of individuals or have an establishment within the EU are liable.
There have not been any fines levied against U.S. companies for breach of the law at the time of writing, but this won’t be the case for long and, with fines of up to €20 million or 4 percent of annual global turnover (whichever is the higher), the risk can’t be brushed off.
Adding to the difficulty, enforcement of the GDPR so far has focused on big technology companies, making it harder for many businesses to ascertain whether or not they are sufficiently prepared. Because fines under the GDPR are retroactive, companies must ensure they do not get complacent about their compliance.
GDPR Enforcement in Europe Ramps Up
Here’s how GDPR is playing out in Europe. At the recent International Association of Privacy Professionals’ European Data Protection Congress, Andrea Jelinek, the European Data Protection Board Chair, noted that there are several cross-border enforcement cases making their way through the board. While some rulings have already been handed down by regulators across Europe, enforcement and fines will become more frequent throughout 2019 as the transition period for GDPR implementation comes to an end.
Throughout Europe, the GDPR has seen a rapid increase in the number of complaints and breach notifications. On November 21, the German data protection authority (DPA) issued its first fine under the GDPR against a social media company for violating data security obligations by storing passwords in plain text. The German DPA’s fine of €20,000 is, however, significantly lower than the maximum fine for this issue — 2 percent of the company’s annual revenue — thanks to the company’s cooperation with authorities. Uncooperative companies may push their eventual fines higher.
Businesses must remain vigilant and adhere to best practices as we wait for the first GDPR enforcement test case in the U.S. As a result of the GDPR’s threat of fines and its effect on cross-border data flows, many countries, including the U.S., are considering altering their domestic privacy laws to fit within the GDPR’s framework.
The U.S. Plays Catch-Up
There is growing consensus in the U.S. among legislators and industry that there is a need for federal privacy legislation to replace the current U.S. privacy regime: an amalgamation of self-regulation and strict regulation on government access to or use of personal data. An essential component of policymaker considerations will be ways to ensure equivalency with the EU’s data protection standards, both in the legislative framework and how it is enforced.
The U.S. Senate Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security held a hearing in November with the Federal Trade Commission (FTC), which highlighted the need for a federal privacy law. The FTC hopes this would provide more resources and increase their enforcement abilities within the U.S.
In parallel, the National Telecommunications and Information Administration (NTIA) recently called for comments on the Commerce Department’s approach to consumer privacy. Several groups, mostly representing the technology industry, submitted comments with suggestions ranging from having state attorneys general enforce privacy standards to self-regulatory programs.
With the newly-elected members of the U.S. House of Representatives taking office in January 2019, there is hope that a Democratic-led House will invigorate the push for a federal data privacy regime. But don’t hold your breath; it remains unlikely that legislation of this magnitude will have an easy path through Congress. Any federal legislation that develops will likely be shaped by a combination of the GDPR, California’s Consumer Privacy Act, and already proposed bills like the one proposed by Senator Ron Wyden (D-OR). There is hope among industry players that a federal law will provide a unified regulatory landscape, potentially similar to California’s, which is set to come into effect in 2020.
However, any U.S. privacy law is as likely to push back on the GDPR as to be inspired by it. Many lawmakers and industry leaders in the U.S. have criticized the GDPR for creating trade barriers in certain markets, and privacy reform in the U.S. would offer an opportunity to create a counterweight model to the GDPR.
A key feature of a privacy law such as this would be the protection of cross-border data flows and promotion of world engagement. Any counterweight will also need to offer political benefits that allow lawmakers to claim they are protecting and empowering consumers. A major advantage here would be a law that’s coherent and easily understood, or at least easily presented, but it must also find a balance between supporting innovation and placing guardrails on the use of data.
The GDPR has already had an outsized effect on businesses and the way they interact with consumer data, but this is not the end. Additional privacy regulations will develop in the coming years focusing on IoT and electronic communications. If businesses in the U.S. are already struggling with the impact of the GDPR, they should monitor the EU closely as the ePrivacy Regulation and European Electronic Communications Code move toward becoming legislation over the next year.