One Year GDPR: What Comes Next?
German attorney-at-law (Rechtsanwalt)
Dr. Axel Spies is a German attorney (Rechtsanwalt) with Morgan Lewis & Bockius (Washington DC) and co-publisher of the German journals Multi-Media-Recht (MMR) and Zeitschrift für Datenschutz (ZD).
The General Data Protection Regulation (GDPR) came into force on May 25, 2018. Many EU and U.S. businesses rushed to take measures to comply with the new requirements. The GDPR is still the strictest and most comprehensive privacy law in the world. With the GDPR, data protection has risen to the top of the agenda of many corporate boards. Many companies have spent serious money on compliance. The GDPR also brought changes for many U.S. consumers that U.S. companies now treat on equal footing with the EU data subjects. They now enjoy various rights under the GDPR such as data access rights, a right-to-be-forgotten, consents, etc. Moreover, the GDPR mandates companies to take technical and organizational measures to protect personal data. They must comply with the principles of privacy by design and privacy by default, among others, for their products. Within a few months of the GDPR coming into effect, it seems that the new rules are already yielding tangible results, although the compliance process is ongoing in many cases. While this is very positive for the individuals (the GDPR’s “data subjects”), there are areas where companies struggle. Here are the top five:
- The right-to-be-forgotten: When does it apply? What scenario does it cover? How must companies and regulators balance this right of the data subjects against other rights (e.g., free speech or law enforcement requirements)?
- Data retention periods: Under the GDPR, personal data must be stored no longer than needed for the purpose collected. How does a company square these requirements with its business needs?
- Data breach reporting: When must a company report a data security breach (hacking, data theft, data loss) to the data protection agencies and what is the time period for it?
- Vendor contracts: When are vendors allowed to pass on personal data to their agents and third parties (data sub-processors)?
- International data transfers: Will the EU-U.S. Privacy Shield remain? When does consent justify an international data transfer out of the EU/EEA to the U.S.?
Privacy Laws Still Vary and Make Compliance Challenging
Although the GDPR has yielded a solid degree harmonization in Europe, the data protection laws are still not the same in each jurisdiction. The implementation laws of the GDPR in the EU vary significantly. Brexit will add an additional layer of uncertainty for companies with UK operations. In the U.S. there are various privacy laws that companies must follow that are their own definitions and requirements, such as in the financial sector the Gramm-Leach Bliley Act and the Fair Credit Reporting Act. In the healthcare sector HIPPA (Health Insurance Portability and Accountability Act of 1996) and the Illinois Biometric Privacy Act, for instance, have their own rules. In addition, there are U.S. state privacy laws that companies must observe. The much-debated California Consumer Privacy Act (CCPA) will bring sweeping changes for companies doing business in California. The CCPA mirrors some rights and obligations that companies dealing with the GDPR will be familiar with, but the CCPA is far from being a copy of the GDPR. There is no end in sight to the debate if and when the United States will have a federal privacy regime that will be comparable with the GDPR.
New Suggestions by the German Ministry: Use Icons and Pictograms
The German Federal Ministry of the Interior is not pleased with the situation as is evidenced by a recent statement in response to an information request (Kleine Anfrage) from the Free Democrats (FDP) dated April 5, 2019 (BT-Drs 19/9168). The Ministry proposes some measures against overly lengthy policies and user “click fatigue”:
- Pictograms or icons in the privacy statements that would be well suited to “provide users with a better understanding of privacy policies.”
- Software should “automatically scan the privacy statements and point [the user] to certain privacy risks (e.g., data processing based on consent, tracking, data transfer to third parties).”
Back to the Ancient Egyptians?