What Does Enforcement Really Look Like?
US LAW, www.uslaw.org

THE MAY 25 GDPR COMPLIANCE DEADLINE HAS PASSED: What Does Enforcement Really Look Like?

Batya F. Forsyth and Everett Monroe, Hanson Bridgett LLP

The European Union's General Data Protection Regulation went into effect on May 25, 2018. While very high-profile complaints were lodged with some European Data Protection Authorities (DPAs), the agencies themselves have focused more on providing guidance for EU businesses, both as individual agencies and through their reconstituted body, the European Data Protection Board. As the DPAs plan meetings and continue to discuss key issues, enforcement has settled on the fundamentals of the regulation. A particular focus is being paid to those industries where companies regularly collect personal data on a large scale and those in a position to reveal intimate details about a data subject's life. Meanwhile, non-EU organizations continue to struggle with whether and how GDPR applies to them, while DPAs prioritize providing guidance to businesses in the EU.

GDPR succeeds the now defunct Data Protection Directive that required EU member states to pass laws to control how personal data could be collected and used. The new regulation maintains much of the substance of the original directive, but substantially increases penalties for violations, seeks to improve uniform application of rules across the EU, and expands the territorial scope of the regulation to include non-EU businesses offering goods and services to EU data subjects or monitoring the behavior of EU data subjects.

GDPR has multiple avenues of enforcement. The long-established national DPAs are still empowered to bring actions in their member countries. Additionally, individuals may submit complaints to the DPAs, which the DPAs must review and respond to. Individuals may also bring civil suits in EU member state courts for damages caused by GDPR violations. Injured parties may also assign their legal rights to a non-profit or civil society organization to bring suit collectively for a group of data subjects.

Private consumer complaints from EU data subjects currently drive enforcement activities within the European Union. The non-profit organization noyb (an acronym of "none of your business") filed the most prominent of these complaints, alleging GDPR violations against Google, Facebook, and two of Facebook's subsidiaries, WhatsApp and Instagram. noyb's founder and chairman, Max Schrems, was the named party in the 2013 case Schrems v. Data Protection Commissioner that invalidated the EU-U.S. Safe Harbor legal framework that Facebook used to transfer personal data from the European Union to the United States. Then, when Facebook switched its compliance mechanisms for international data transfer to EU standard contract clauses, Schrems challenged the data transfers on that basis as well.

The core of noyb's current complaints is about consent—namely, that consent obtained from data subjects for the use of their data is invalid because it is a pre-condition for using the service at all. At least at first glance, this would appear to be contrary to guidance from DPAs providing that consent for processing personal data cannot be tied to the provision of a service that does not require that processing to function.

DPA-initiated enforcement actions against companies remain more limited in scope, with a focus on ensuring the protection of data subject rights from serious or systemic harms. The Irish data protection commissioner has announced its office will prioritize enforcement towards large-scale data processing activities that constitute a high risk to data subjects. Sweden's DPA has sent out enquiries to organizations that collect and process more sensitive personal data, seeking to determine whether those organizations have appointed a data protection officer as the GDPR requires of companies handling large volumes of sensitive personal data.

So far, other DPAs seem more intent on providing guidance for compliance rather than pursuing enforcement. For example, the United Kingdom's Information Commissioner's Office has published extensively on compliance topics. Collectively, DPAs have worked together through the new organizing body, the European Data Protection Board (EDPB). The EDPB replaces the Data Protection Directive's Article 29 Working Party, and has been granted more formal powers to address issues of GDPR interpretation with an eye toward uniformity and consistency. In its first meeting, the Board focused on revising and adopting its previous guidance from the Article 29 Working Party, and has issued new guidelines regarding exceptions applicable to international data transfers.

DPAs, individually or collectively, have not focused attention on GDPR's expansion of territorial scope. GDPR expanded its territorial scope to include businesses outside the EU offering goods and services to EU persons, and monitoring the behavior of persons in the EU. Because these territorial scope provisions were not in the Data Protection Directive, there is little guidance on how DPAs plan to interpret that provision, and there has not yet been an attempt to bring an enforcement action against a company based on the new expanded scope.

That uncertainty, combined with additional legal responsibilities for EU businesses to ensure adequate protections for personal data from their contractors and vendors, has drawn the most attention in the United States. While there is reason to believe that GDPR's expanded scope is focused on preventing the tracking of a user's web browsing activities across websites, the letter of the regulation is written broadly enough to include even innocuous behaviors like keeping track of the items in a user's online shopping cart or remembering the preferences of a user on a customizable webpage. As a result, many U.S. businesses that may fall within that definition are taking incremental steps to comply with GDPR. In the alternative, some companies are implementing changes in order to avoid GDPR, either by disabling website technologies that could be considered "monitoring behavior," or by preventing EU users from accessing their services altogether.

Many U.S. companies that were not necessarily concerned about GDPR's direct application are now receiving compliance inquiries from their EU business partners. Some companies have been expected to accept additional addenda to their service agreements requiring them to ensure that they will also agree to respect the rights of data subjects whose data is in their care, and requiring them to agree to auditing and cooperation with EU data protection authorities. Some U.S. contractors, in an effort to maintain some uniformity in commitments to their clients, have written their own forms that give effect to GDPR's contractual assurance requirements.

While many organizations in the EU and the U.S. braced themselves for a wave of lawsuits and severe enforcement actions, it appears that serious enforcement has been limited to a small number of high-profile cases. While DPAs do appear to want to move companies towards compliance, it seems for now that their current strategy is much more focused on providing guidance and advice than it is on starting an aggressive enforcement campaign. Ultimately, this gives all organizations that process personal data an additional opportunity to take a thoughtful approach to GDPR compliance before enforcement begins in earnest.

Batya Forsyth is the chair of Hanson Bridgett's Litigation Section and co-chair of the Privacy, Data Security and Information Governance group. She is a Certified Information Privacy Professional (US) with the International Association of Privacy Professionals (IAPP.org). Batya counsels clients regarding privacy policies, compliance issues, data breach response and related insurance coverage issues, across multiple industries and jurisdictions.

Everett Monroe's litigation practice at Hanson Bridgett focuses on data privacy and intellectual property disputes and counseling, two areas in which his technical background as an electrical engineer joins with his legal experience to serve clients in a range of complex matters. Everett is also an Adjunct Professor at the University of San Francisco, teaching Information Privacy Law.