SUMMER 2019 TODAY’S GENERAL COUNSEL
Compliance
GDPR One Year Later By Todd Daubert and Peter Stockburger
For over 20 years, data privacy was regulated in the EU by the laws that each individual member state adopted to implement the Data Protection Directive. Three years ago, the EU adopted the General Data Protection Regulation (GDPR) to overhaul and update the European privacy and data protection framework. At the one-year anniversary of the effective date of the GDPR, it clearly has had an impact on individuals, companies and regulators around the world.

The GDPR is based on the same key principles as the Data Protection Directive, but it represents a monumental shift in regulatory approach. First, the GDPR modernized and harmonized privacy and data protection in Europe by replacing individual EU member state laws with a uniform set of rules, rights and obligations. Second, the GDPR made it significantly easier for individuals to exercise their privacy-related rights, thus imposing far greater burdens on companies to honor privacy-related requests by individuals. Third, the GDPR clarified the legal bases for processing personal data and made it more difficult to rely on consent. Fourth, the GDPR requires companies to notify regulators within 72 hours of discovery of breaches of personal data that represent a likely risk to the rights and freedoms of individuals. Finally, and perhaps most importantly for companies based outside of the EU, the GDPR introduced a new scope of extraterritoriality and brought with it the risk of stiff penalties for non-compliance (up to four percent of global annual turnover or 20 million euros, whichever is higher).

One important impact of the GDPR is that it forced much needed conversations in C-suites and boardrooms across the world about how companies approach data privacy, individual rights, data security and data transparency. As a result, many more companies are exploring how their approach to privacy can impact their market share and customer loyalty. The avalanche of notices about updated privacy policies and press coverage that the GDPR triggered has led many individuals around the world to consider how companies are using their data. The increased focus on privacy has led regulators around the world to consider whether their laws should follow the EU’s approach of treating privacy as a fundamental human right or the traditional approach in the United States of addressing market failures on an issue-by-issue basis, which has led to a patchwork of hundreds of issue-specific federal and state laws. In 2018, California became the first state to pass a GDPR-inspired consumer privacy law. Other states are considering similar laws.

INFORMAL GRACE PERIOD ENDING
With one year of enforcement actions in the books, we know much more about how EU members are likely to enforce the GDPR. In the initial months after the GDPR went into effect, some regulators in the EU took a relaxed approach to enforcement. The French Data Protection Authority, the CNIL, for example, publicly acknowledged the difficulty of complete GDPR compliance, and stated that companies not yet compliant could expect to be treated “leniently initially” provided they had acted in good faith. The Dutch issued a similar statement. That informal grace period appears to be ending. Authorities in Portugal