Get Ready For The EU’s Kafkaesque Data-Privacy Rules

Next May, companies will be forced to contend with EU data privacy regulations that make the Sarbanes-Oxley Act look simple by comparison. Don’t be fooled by the singular in the title: The EU’s General Data Protection Regulation runs 261 pages and covers every conceivable use of data about EU residents that could in any way be described as “personal.”

For example, the new rules prohibit private parties from collecting or processing information on criminal offenses or “related security measures,” with or without the consent of the subject. Lawyers are debating what this means, but it seems to run smack into U.S. Treasury rules that require financial institutions to cross-check foreign transactions against the Office of Foreign Assets Control list of terrorist organizations and other banned entities. The fines for violating OFAC regulations can run to millions of dollars.

The fines for violating GDPR can run to 4 percent of a company’s global revenue. Which one do you obey?

“It’s a direct conflict of law, and there’s no answer yet,” says Miriam Wugmeister, a partner at Morrison & Foerster who advises clients on global data privacy matters.

The criminal data rule is just one of many GDPR provisions that have U.S. lawyers scratching their heads—and legions of consulting firms peddling solutions to problems that may or may not exist. The new regs cover any company that collects or monitors information that could reveal identity or sensitive data like buying habits and sexual preference of people within the borders of the EU. They include the much-debated “right to be forgotten,” requiring companies to delete embarrassing information that has no compelling social purpose. The GDPR might even cover companies that engage in the routine security measure of tracking IP addresses of devices accessing their networks. “If that’s monitoring,” asks Wugmeister, “who isn’t monitoring?”

Some of the GDPR paranoia is misplaced. First, it only applies to companies that deliberately seek to do business with people in the EU. That means U.S. firms that occasionally serve European customers who find their websites, read them in English and pay in dollars probably don’t have to worry about GDPR at all.

Second, the new rules don’t apply to companies that do business with EU citizens outside the EU. The words “citizen” and “resident” don’t even appear in the text of the GDPR; the regulations apply to data-processing activities affecting people on EU soil. A U.S. company that employs a French green-card holder in its New York office isn’t covered, but if it has employees in Paris, it most certainly is.

Assuming a company does routinely interact with customers within the EU, the third test is whether it is “monitoring” or “profiling” the behavior of those individuals. Here’s where the trouble begins.

The definition of these terms is still fuzzy but could include virtually every form of interest-based advertising, where companies accumulate data from online sources to direct ads toward specific individuals. If that’s the case, U.S. firms must obtain unambiguous consent each time they engage in profiling. That consent requirement can’t be ignored or buried in fine print. “The consent bar has definitely been raised,” says Stuart Levi, a partner in the data privacy practice at Skadden Arps. “It can’t be ambiguous, and you can’t assume consent from inaction.”

One of the biggest burdens for U.S. companies will look depressingly similar to the record-keeping rules under Sarbanes-Oxley. Companies subject to GDPR must build an entire compliance infrastructure—including privacy officers and designated “representatives” subject to EU law—whether or not they actually break the rules.

“Failure to have your own governance and accountability policies is its own violation,” says Wugmeister.

Bring in the lawyers and consultants. It’s going to be a busy next few months.


MORE LIKE THIS

  • Get the CEO Briefing

    Sign up today to get weekly access to the latest issues affecting CEOs in every industry
  • upcoming events

    Roundtable

    Strategic Planning Workshop

    1:00 - 5:00 pm

    Over 70% of Executives Surveyed Agree: Many Strategic Planning Efforts Lack Systematic Approach Tips for Enhancing Your Strategic Planning Process

    Executives expressed frustration with their current strategic planning process. Issues include:

    1. Lack of systematic approach (70%)
    2. Laundry lists without prioritization (68%)
    3. Decisions based on personalities rather than facts and information (65%)

     

    Steve Rutan and Denise Harrison have put together an afternoon workshop that will provide the tools you need to address these concerns.  They have worked with hundreds of executives to develop a systematic approach that will enable your team to make better decisions during strategic planning.  Steve and Denise will walk you through exercises for prioritizing your lists and steps that will reset and reinvigorate your process.  This will be a hands-on workshop that will enable you to think about your business as you use the tools that are being presented.  If you are ready for a Strategic Planning tune-up, select this workshop in your registration form.  The additional fee of $695 will be added to your total.

    To sign up, select this option in your registration form. Additional fee of $695 will be added to your total.

    New York, NY: ​​​Chief Executive's Corporate Citizenship Awards 2017

    Women in Leadership Seminar and Peer Discussion

    2:00 - 5:00 pm

    Female leaders face the same issues all leaders do, but they often face additional challenges too. In this peer session, we will facilitate a discussion of best practices and how to overcome common barriers to help women leaders be more effective within and outside their organizations. 

    Limited space available.

    To sign up, select this option in your registration form. Additional fee of $495 will be added to your total.

    Golf Outing

    10:30 - 5:00 pm
    General’s Retreat at Hermitage Golf Course
    Sponsored by UBS

    General’s Retreat, built in 1986 with architect Gary Roger Baird, has been voted the “Best Golf Course in Nashville” and is a “must play” when visiting the Nashville, Tennessee area. With the beautiful setting along the Cumberland River, golfers of all capabilities will thoroughly enjoy the golf, scenery and hospitality.

    The golf outing fee includes transportation to and from the hotel, greens/cart fees, use of practice facilities, and boxed lunch. The bus will leave the hotel at 10:30 am for a noon shotgun start and return to the hotel after the cocktail reception following the completion of the round.

    To sign up, select this option in your registration form. Additional fee of $295 will be added to your total.