Last year, the death of the US-EU Safe Harbor Arrangement sent waves of shock and despair to the approximately 4500 companies that used this mechanism to transfer personal data from the US to the EU. But a new day has dawned.
I’ve been going through my blog posts from 2015 to find the ones I most want to highlight. Here are some selected posts on privacy issues:
II. PRIVACY LAW
Last week, the EU issued the General Data Protection Regulation (GDPR), a long-awaited comprehensive privacy regulation that will govern all 28 EU member countries. Clocking in at more than 200 pages, this is quite a document to digest. According to the European Commission press release: “The regulation will establish one single set of rules which will make it simpler and cheaper for companies to do business in the EU.”
The GDPR has been many years in the making, and it will have an enormous impact on the transfer of data between the US and EU, especially in light of the invalidation of the Safe Harbor Arrangement earlier this year. It will has substantial implications for any global company doing business in the EU. The GDPR is anticipated to go into effect in 2017.
Here are some of the implications I see emerging from the GDPR as well as some questions for the future:
1. Penalties and Enforcement
Under Article 79, violations of certain provisions will carry a penalty of “up to 2% of total worldwide annual turnover of the preceding financial year.” Violations of other provisions will carry a penalty of “up to 4% of total worldwide annual turnover of the preceding financial year.” The 4% penalty applies to “basic principles for processing, including conditionals for consent,” as well as “data subjects’ rights” and “transfers of personal data to a recipient in a third country or an international organisation.”
These are huge penalties. Such penalties will definitely be a wake-up call for top management at companies to pay more attention to privacy and to provide more resources to the Chief Privacy Officer (CPO). Now we can finally imagine the CEO at a meeting, with her secretary rushing over to her and whispering in her ear that the CPO is calling. The CEO will stand up immediately and say: “Excuse me, but I must take this call. It’s my CPO calling!”
To date, EU enforcement of its privacy laws has been spotty and anemic, so much so that many characterize it as barely existent. Will the new GDPR change enforcement? With such huge fines, the payoff for enforcement will be enormous. We could see a new enforcement culture emerge, with more robust and consistent enforcement. If privacy isn’t much of a priority of upper management at some global companies, it will be soon.
By Daniel J. Solove
The US regulates privacy with a sectoral approach, with laws that are directed only to specific industries. In contrast, the EU and many other countries have an omnibus approach — one overarching law that regulates privacy consistently across all industries. The US is an outlier from the way most countries regulate privacy.
About 15 years ago, the sectoral approach was hailed by many US organizations as vastly preferable to an omnibus approach. Each industry wanted to be regulated differently, in a more nuanced way focused on its particular needs. Industries could lobby and exert their influence much more on laws focused on their industry. Additionally, some organizations liked the sectoral approach because they fell into one of the big gaps in regulation.
But today, ironically, the sectoral approach is not doing many organizations any favors. There are still gaps in protection under the US approach, but these have narrowed. In fact, many organizations do not fall into gaps in protection — they are regulated by many overlapping laws. The result is a ton of complexity, inconsistency, and uncertainty in the law.