The Administration’s attacks on allies, perhaps former allies, and others in the area of trade and sanctions have not occurred in a vacuum. Many other countries and groups such as the EU have retaliated with counter-sanctions. One area that the current administration does not seem to have considered very carefully is EU data privacy and data protection. In this episode of Life with GDPR we explore this issue in the age of trade policy as conflict. Some of the highlights are:

  1. Did the comments by US Secretary of Commerce Wilbur Ross about GDPR actually embolden GDPR enforcement?
  2. Is there a trade war between the US and EU over data?
  3. Is there a way to reconcile the divergences in approaches to data privacy and data protection between the EU and US? and
  4. Will the Privacy Shield framework survive the Schrems court challenge? Will it be renewed in September, suspended in September or even revoked in September?

For more information on Cordery Compliance, go to their website here. Also check out the GDPR Navigator, one of the top resources for GDPR compliance, by clicking here.

The recent case involving the Jehovah’s Witnesses and data privacy in the UK raised some very interesting legal issues. It also demonstrated just how broad the reach of GDPR could be. In this podcast Jonathan Armstrong and I unpack the case, detailing the underlying facts, the Court’s rationale behind its decision and conclude with some of the implications for not only corporations but also individuals and data privacy practitioners. Some of the highlights are:

  1. Religious communities subject to GDPR;
  2. Individual persons can be data controllers as well as their parent organization, even if they do not exercise control;
  3. Data protection and data privacy laws apply to hard copies; and
  4. The domestic purpose exception is to be narrowly applied.

The General Data Protection Regulation (GDPR) went live on May 25, 2018. What has happened since then in the data privacy and data protection world? In this episode, Jonathan Armstrong, partner at Cordery Compliance, and I explore what is going on publicly and what has been going on behind the scenes as well. Armstrong provides his thoughts, reflections and observations on the activity which has had, and will have, an impact on companies and individuals going forward.

Some of the highlights of this podcast include:

  • A discussion of the significant court cases filed pre-GDPR go-live, but are now coming to fruition in court;
  • The number of data privacy complaints is very strong. There have been over 1100 complaints filed in the UK alone. Armstrong estimates there have been over 10,000 complaints filed EU-wide;
  • Equally interesting is the number of data breaches reported. The numbers in Ireland and the UK alone are instructive, at 1100 and 1800 respectively;
  • Over 100 cross-border cases have been filed, and Armstrong believes the EU system for coordinating complaints seems to be working well; and
  • Regulators are putting on training and educational campaigns around GDPR for companies, practitioners and individuals.


How does a company transfer data from the European Union (EU) to the US under the General Data Protection Regulation (GDPR), which went live on May 25, 2018? I recently had the opportunity to visit Jonathan Armstrong, partner at Cordery Compliance in London and an internationally renowned data privacy/data protection expert, on this topic. Armstrong noted there have been some changes which may significantly impact this issue going forward. There are basically four ways to effect such a transfer.

However, there is one activity that many people may not realize is a data transfer: reviewing data which sits on a server in the EU. Even if the data never moves out of the EU, accessing it from the US counts as a data transfer. A fairly typical corporate example might be an organization whose payroll system for its employees holds the payroll information on a server in Belgium. If the Human Resources (HR) Department in the US can get into that server and extract data from it, that is a data transfer under GDPR.

  1. Consent. The first method to safely and legally transfer data is through consent.
  2. Standard Contractual Clauses or Model Clauses. Armstrong noted he expects to see new form clauses at some point from EU data regulators. Once again, these standard contractual clauses in their current form are likely to face a number of legal challenges going forward, so they may well be less safe post-GDPR go-live than they were before.
  3. Privacy Shield. One reason this route is now less secure is that there are many Europeans who do not believe that the current US administration is respecting privacy as well as it might. Not that the Trump Administration is any friend of the EU (or data privacy for that matter), but if the European Commission is minded to retaliate, one easy way to do so would be to withdraw the Privacy Shield scheme. Armstrong concluded by stating, “my gut feel would be the privacy shield will die. It is a question of when and not on privacy shield. Certainly, in a worse position now than it was on May 25th.”
  4. Binding Corporate Rules. Armstrong believes this is the one area of data transfer which has benefited from GDPR go-live. Under this scenario, an organization can go to any one of the EU data regulators and ask it to be the lead regulator for a group of companies. From this point, the companies put in place a system somewhat akin to Privacy Shield, including a series of commitments from all the entities which make up the corporate network. These commitments are made to each other. The lead regulator then reviews, assesses and approves the entire network’s data privacy/data protection commitments. Finally, the lead regulator goes to the other regulators in the EU to support these Binding Corporate Rules.

Armstrong concluded by cautioning that there is still much fluidity in the mechanisms for data transfer. There may still be many changes, both from the regulatory perspective and from the legal perspective through court challenges. He concluded by stating “vigilance is the watchword here.”

You will note the new title for this episode, Life With GDPR. When Jonathan Armstrong and I began this series in early 2018, we had intended to give listeners a grounding in the new law in the lead-up to its go-live date of May 25. However, the response was so overwhelming, and Jonathan and I had so much fun putting on the podcasts, that we decided to make Countdown to GDPR a permanent part of the Compliance Podcast Network, albeit with a more appropriate name. So welcome to the re-monikered Life With GDPR, which I hope you will enjoy as much as you enjoyed its predecessor. Today Jonathan and I take up the issue of non-monetary penalties.

While most practitioners have focused on the heavy fines and penalties available under the General Data Protection Regulation (GDPR), of up to 4% of total global revenues or other very large fines, there are other remedies that each EU and UK data regulator can levy or put into place that may require considerable corporate cost and effort. Moreover, these lesser penalties and sanctions can be the precursor to larger monetary fines and penalties. Armstrong emphasized that each EU country has its own regulator, and they will have varying degrees of aggressiveness.

Armstrong pointed to three areas in which regulators can order companies to take action. First, a regulator can order a GDPR audit to determine whether the company has previously assessed its data protection/data privacy issues correctly. Here he pointed to the example of a healthcare organization that was ordered to perform a Data Protection Impact Assessment (DPIA) and report back to the regulators within one month.

Next, Armstrong pointed to the joint areas of data controllers and data processors. Regulators can require a company Data Protection Officer (DPO) to comply with data requests, including Subject Access Requests (SARs). He referenced a recent example from the UK involving Cambridge Analytica, which was ordered to comply with a US academic’s SAR. Further, a regulator can order a company to bring its data protection program in line with GDPR. Additionally, regulators can conduct investigations in the form of data protection audits and have the right to obtain access to any premises of the controller and the processor, including any data processing equipment, by obtaining a warrant. This may prove to be a significant tool in the data protection regulators’ toolkit.

Regulators can also order companies to stop certain activities. Here Armstrong provided the example of a US-based company with operations in Europe that is not GDPR compliant around its internal reporting structures. An EU regulator could order the company to suspend its hotline in Europe until it is compliant. Under such a scenario, the US company would be out of compliance with US securities law, and it may be at risk under best-practices compliance programs under the Foreign Corrupt Practices Act (FCPA), Anti-Money Laundering (AML) regulations, export control regulations or even US anti-trust law.

Armstrong emphasized that it is not simply the regulators who have powers under GDPR; individuals do as well. SARs of course are well known, but there are other individual rights Armstrong emphasized. If an individual files some type of GDPR complaint with a statutory regulator that does not take up the complaint within 30 days, that individual can appeal against the regulator to get the complaint moving forward. This means that individuals can file SAR actions against companies that do not respond in a timely manner to SARs. Moreover, such individuals can then band together in a class action lawsuit over such failures. There is also a mechanism for equitable reallocation of damages between parties: if a data processor has to pay damages properly attributable to a data controller, GDPR Article 82 provides a procedure for claiming these damages back. Finally, recall that any person who has suffered “material or non-material damage” due to an infringement of the new rules has a right to compensation from the data controller or processor concerned for the damage suffered, and you begin to realize the powers that individuals hold under GDPR.

Interestingly, Armstrong believes that the number of regulatory and individual remedies will mean that if companies have an incident, they should investigate and remediate quickly. From there, the entity should document its investigative results, the remedies applied and any internal sanctions it has put in place on the employees involved. These steps will all go towards mitigating any proposed financial penalty the regulators may be considering. Basically, businesses need to have their ducks in a row, as this can lead not only to reduced costs for corporations but also to greater compliance if tied to a root cause analysis.