Next May, companies will be forced to contend with EU data privacy regulations that make the Sarbanes-Oxley Act look simple by comparison. Don’t be fooled by the singular in the title: The EU’s General Data Protection Regulation runs 261 pages and covers every conceivable use of data about EU residents that could in any way be described as “personal.”
The new rules prohibit private parties from collecting or processing information on criminal offenses or “related security measures,” for example, with or without the consent of the subject. Lawyers are debating what this means, but it seems to run smack into U.S. Treasury rules that require financial institutions to cross-check foreign transactions against the Office of Foreign Assets Control list of terrorist organizations and other banned entities. The fines for violating OFAC regulations can run to millions of dollars.
The fines for violating GDPR can run to 4 percent of a company’s global revenue. Which one do you obey?
“It’s a direct conflict of law, and there’s no answer yet,” says Miriam Wugmeister, a partner at Morrison & Foerster who advises clients on global data privacy matters.
The criminal data rule is just one of many GDPR provisions that have U.S. lawyers scratching their heads—and legions of consulting firms peddling solutions to problems that may or may not exist. The new regs cover any company that collects or monitors information that could reveal identity or sensitive data like buying habits and sexual preference of people within the borders of the EU. They include the much-debated “right to be forgotten,” requiring companies to delete embarrassing information that has no compelling social purpose. The GDPR might even cover companies that engage in the routine security measure of tracking IP addresses of devices accessing their networks. “If that’s monitoring,” asks Wugmeister, “who isn’t monitoring?”
Some of the GDPR paranoia is misplaced. First, it only applies to companies that deliberately seek to do business with people in the EU. That means U.S. firms that occasionally serve European customers who find their websites, read them in English and pay in dollars probably don’t have to worry about GDPR at all.
Second, the new rules don’t apply to companies that do business with EU citizens outside the EU. The words “citizen” and “resident” don’t even appear in the text of the GDPR; the regulations apply to data-processing activities affecting people on EU soil. A U.S. company that employs a French green-card holder in its New York office isn’t covered, but if it has employees in Paris, it most certainly is.
Assuming a company does routinely interact with customers within the EU, the third test is whether it is “monitoring” or “profiling” the behavior of those individuals. Here’s where the trouble begins.
The definition of these terms is still fuzzy but could include virtually every form of interest-based advertising, where companies accumulate data from online sources to direct ads toward specific individuals. If that’s the case, U.S. firms must obtain unambiguous consent each time they engage in profiling. It can’t be ignored or hidden in fine print. “The consent bar has definitely been raised,” says Stuart Levi, a partner in the data privacy practice at Skadden Arps. “It can’t be ambiguous, and you can’t assume consent from inaction.”
One of the biggest burdens for U.S. companies will look depressingly similar to the record-keeping rules under Sarbanes-Oxley. Companies subject to GDPR must build an entire compliance infrastructure—including privacy officers and designated “representatives” subject to EU law—whether or not they actually break the rules.
“Failure to have your own governance and accountability policies is its own violation,” says Wugmeister.
Bring in the lawyers and consultants. It’s going to be a busy next few months.