EU Data Protection: GDPR In Full Force and Now?
German attorney-at-law (Rechtsanwalt)
Dr. Axel Spies is a German attorney (Rechtsanwalt) with Morgan Lewis & Bockius (Washington DC) and co-publisher of the German journals Multi-Media-Recht (MMR) and Zeitschrift für Datenschutz (ZD).
On the Rocky Road toward Compliance with No Time to Lose
When the General Data Protection Regulation (GDPR) of the EU entered into force on May 25, this was a milestone for European and global privacy. Organizations that have paid attention to the GDPR can now shift gears from readiness toward sustained compliance. Consent strategies, policies on data subject rights, and breach notifications are probably most prominent, as well as any large predictive analytics programs with personal data access and anything involving storage of data in a cloud. There is a host of issues. For instance, there is a serious debate in Germany on what to do under the GDPR with business cards that someone hands over to a company representative. Given the recent GDPR hype, some businesses take it more from a humorous side. An Austrian butcher recently posted the following sign in his shop: “Attention! Our butchery sometimes asks for your name to remember which meat you like. If you don’t want this, when you enter the shop please shout, ‘I do not consent.’ – we will then pretend that we don’t know you.”
China’s Interest in the GDPR
But given the fines and potential law suits the GDPR can trigger, the compliance challenge is much more serious. Many companies that should pay attention to the GDPR are not yet ready even though they deliver goods and services to EU data subjects or receive chunks of their personal data from EU-based companies or EU contacts. Many U.S. companies ignore the GDPR at their own risk, casting doubt over the enforcement powers of EU regulators of U.S. entities without an office or branch in the EU. Others remain proactive. They are not alone. In other non-EU jurisdictions, such as China, many data processing companies are seeking advice on how to comply with the GDPR. They are less concerned about the penalties the EU regulators can impose, and see GDPR compliance as a marketing tool that helps them compete with EU-based entities.
Meanwhile, on the first day of GDPR enforcement, two large U.S. companies have been hit with lawsuits accusing the companies of coercing users into sharing personal data. The lawsuits seek fines of approximately $8.8 billion. They were filed by Austrian privacy activist Max Schrems, a longtime critic of the companies’ data collection practices. It could become the tip of the iceberg as legal actions on a smaller scale are likely throughout the EU. Many EU companies will need to defend themselves against professional litigators that will scare them with warning letters and will demand “processing fees” to settle potential GDPR claims of affected individuals.
Not All Member States are Ready
More worrisome for the people in charge of GDPR compliance is that even in the EU many countries are not yet ready. The EU member states that have so far adopted new national laws include Germany, Austria, Slovakia, Denmark, Sweden, the UK, the Netherlands, Italy, Belgium, Ireland, and Croatia. France has adopted an implementation act, but it remains under constitutional review. Even in these countries, the rules are not the same. A good example is the sector of employment data, which the GDPR has largely handed back to the member states. Most prominently, the GDPR also gives great latitude to EU member states to come up with their own rules governing the processing of employee and HR-related data. The German implementation law with the tongue-twister abbreviation DSAnPuG-EU sets out a test to establish whether employee consent is given freely. It confirms that consent is freely given if it sought to deliver a “legal or economic benefit” to the employee or when the worker and company are pursuing “similar interests.” Other EU member states may have different rules and interpretations of the GDPR. Companies are facing a patchwork of requirements across the EU again—creating a headache as employee data processing presents a significant activity for every organization. A new official bulletin from Poland tells companies bluntly that they are on their own: “Since the Polish regulations have not been enforced yet, enterprises in Poland will have to interpret the regulations on their own until the Polish law is implemented.” The industry focus will now be on the implementation laws and how to interpret them in light of the GDPR. It is true that as an EU regulation, the GDPR will prevail if there is a conflict with national law, but to resolve the issue is upon the courts (with the European Court of Justice on top), which will likely take years.
What To Do Next?
Consent strategies, data subject rights, and breach notifications will need to be prioritized, as well as any predictive analytics programs processing personal data and anything involving cloud. For latecomers, there are things companies can and should do right away. These include issuing appropriate privacy notices, revising internal policies and procedures related to data subjects, and evaluating IT systems and data repositories for data protection purposes. A simple, yet often overlooked task is to revisit, update, and enforce company record retention policies. Updating vendor contracts can be a lengthy and daunting task. Companies need to ensure that those third parties are complying with the GDPR because this will affect their own compliance. Moreover, GDPR data protection impact assessments should be completed—a task that many companies have put on the backburner. Finally, old systems will need to be checked for compliance, while new ones should already have data protection embedded in their design.
It remains to be seen whether the new European Data Protection Board (EDPB) will issue some unifying rules for more legal certainty. Andrea Jelinek, Head of Austria’s Data Protection Authority, who was recently elected as the EDPB’s first chair, confirmed that the EDPB is fully functioning. This week, the EDPB adopted its first two guidelines in the interpretation of the so-called “derogations” in the GDPR on international data transfers and on certain certification issues. Since the EDPR has the power to issue binding decisions in a number of areas, it will be interesting to watch which role this new body will play in the near future.