I asked Judge Whitaker for some background on GDPR in advance of the session. Here’s what he had to say:
1. First of all, what is GDPR?
The General Data Protection Regulation will have direct application to member states when it commences and will replace their national data protection legislation enacted under the 1995 Data Protection Directive which will itself be repealed. The perceived benefit of having a Regulation that has direct effect in all member states is that it will engender a level playing field as to data protection law in all states so that in theory none of them have any advantage over others and outsiders benefit from the consistency across the Union. In fact, we will discuss in the program on the 1st December that there are provisions in the Regulation that provide room for inconsistency. There is sadly not going to be full harmonization across the EU as the member states will be able to introduce their own requirements in certain defined circumstances.
2. Why would an American company need to worry about these regulations?
If they are a business targeting customers in the EU and are thereby controllers and processors whose activities are related to offering goods or services to individuals located in the EU or the profiling of those individuals, then the protection of the GDPR extends to the persons whose data is being processed whether it is processed in the EU or in the US. In effect, the extraterritorial effect has been widened. See Art 3 para 2. This is an enshrinement of the previous rulings of the ECJ. Obviously, if your company business has nothing to do with individuals in the EU and their personal data you probably have no concern.
3. We’ve heard about some of these rights — like the right to be forgotten — in Europe before. How is GDPR different from some of these pre-existing regulations that companies needed to worry about?
This is a huge question to answer; examples of what’s different in the GDPR, or what has been strengthened or modified, are numerous. I have already mentioned Art. 3 on extraterritoriality above; there is a new concept of pseudonymization, which we will look at on 1st December; there is the recognition of the concept of joint controllers; there is a slight change in the definition of personal data to cover location data and online identifiers; an identifiable person is defined more carefully, and a test is used to see if data is truly anonymous or not; there is a short time-limit reporting requirement for data breaches; the requirements for individual consent have been tightened; there is a purpose limitation on further processing after the original purpose is exhausted; there are potentially massive sanctions; the Article 39 Working Party will be replaced by a Board with wider functions; the transfer provisions in Chapter 5 have been strengthened by Article 48, about which there will be, I suspect, much debate and misunderstanding; and on and on ...
4. Are there any specific challenges law firms will face in complying with GDPR? What about vendors (specifically eDiscovery vendors)?
This question is nearer the mark in terms of what we want to look at on the 1st December. Handling personal data of EU individuals for litigation purposes will, as it always has, involve law firms and service providers who will still have to be able to justify the processing under the normal requirements of the Regulation before complying with the requirements of Chapter 5 for transfer. These requirements have been modified to include Article 48. I have seen panic in various written articles about this provision predicting that it will be the end of cross-border transfer to the US for litigation purposes. I disagree and we will be looking at this.
5. What should people be doing today to ensure compliance by May? (For that matter, is it even possible to be in compliance by May if you’re starting today — I’ve heard of a survey where half of companies asked say they don’t expect to be in compliance on time).
The first step logically is to do an audit of your business and its data to see whether you come within Art. 3 of the Regulation. See 2 above. If you do, you have a steep learning curve to see if you’re compliant. Given that this new provision has been extant for 18 months, it is surprising that there is such concern at this late stage.
6. Not so much a question as an invitation to share any thoughts you have on the wisdom/effectiveness of various anonymization/pseudonymization strategies.
We will look at this on 1st December. My own view is that it is not perhaps the golden key to compliance that people have been assuming it is. The onus is still on the processor to ensure the precautions taken to prevent unraveling are adequate. If anything goes wrong, you will only find out if you did what was required sometime down the line when the ECJ rules on it!! Otherwise, perhaps you can fill me in on what these strategies are. No one could give any strategy a green light – I suspect Ralph will be in a better position to comment here.
Remember to check out Judge Whitaker’s panel discussion next Friday at 10 a.m. Eastern. You can sign up to watch here.
Joe Patrice is an editor at Above the Law and co-host of Thinking Like A Lawyer. Feel free to email any tips, questions, or comments. Follow him on Twitter if you’re interested in law, politics, and a healthy dose of college sports news.
Original article source: https://abovethelaw.com/2017/11/why-gdpr-is-going-to-change-the-way-your-clients-do-business/