Bloomberg Law
May 23, 2018, 5:00 PM

Sheppard Mullin Partner: U.S. Privacy Norms Already Close to Europe’s

Elizabeth Olson
Elizabeth Olson
Special Correspondent

Europe’s new Generalized Data Protection Regulation will undoubtedly be challenging for many companies, but could have wider-ranging consequences for information governance in the U.S.Liisa Thomas, who is a partner atSheppard Mullinand co-heads the firm’s privacy and cybersecurity practice, gave her thoughts on the E.U. regulation’s potential fallout.

Hear more from Thomas at the 2018 Bloomberg Law Leadership Forum on May 23 in New York, where corporate counsel from Fortune 500 businesses and leaders from top law firms will gather to discuss trends in trade, regulation, and technology.

[Image "" (src=]

Will GDPR implementation move the U.S. regulatory environment closer to privacy norms in the EU?

There is often a misperception that the U.S. privacy environment is not as stringent as that in the EU, and that the General Data Protection Regulation may cause the U.S. to “strengthen” its privacy laws. I disagree with that rigid perspective. In the U.S., there are hundreds of privacy laws that companies need to follow that exist both at the federal and state levels. These laws apply depending on your industry, or the activities in which you engage.

From a practical perspective, the combination of these laws imposes essentially the same obligations on companies in the U.S. as those that exist under GDPR. Perhaps the biggest differences are the “right to be forgotten” concept, as well as some of the internal administrative requirements (such as having a data protection officer).

We will have to wait and see if the U.S. adopts this approach, but I don’t anticipate these two things will be added to the U.S. patchwork soon. Additionally, it is hard to envision a move from this patchwork approach to privacy to a one law approach, given our different governmental (state) structure.

What are the immediate risks that GDPR implementation issues pose to your clients and what strategies are they taking to address the directive?

Right now, most of the focus we are seeing at companies has been around some of the administrative requirements of GDPR. Namely, electing a data protection officer (if needed), looking at vendor contracts, and assessing what information the company maintains, how it processes it and what the basis for processing is.

Companies are also working on effectuating rights requests, like opt-outs and right to be forgotten. Most companies have been working on this for quite some time. That said, there are still many questions that remain about how to implement the law’s requirements. For example, the extent of data deletion obligations after receiving such a request. The general hope is that regulators will begin to clarify these questions in the coming months.


For the 4th year, theBloomberg Law Leadership Forumis the premier event for legal industry leaders to gain insights and discuss how global economic and regulatory changes impact their business.

The 2018 Forum features an update on current regulatory priorities, a look at where corporate risk is rising, and an exploration of the technology and management tools legal counsel need to respond effectively.

Click here to request an invitation to the 2018 Bloomberg Law Leadership Forum.

Leadership Forum Speakers Include:

  • Chairman Jay Clayton , U.S. Securities and Exchange Commission

  • Deputy Attorney General Rod Rosenstein , U.S. Department of Justice

  • Marcy Cohen , Managing Director and Chief Legal Officer, ING Americas

  • Noah Perlman , ‎Global Head of Financial Crimes, Morgan Stanley

  • Katherine Choo , Chief Investigative & Anti-Corruption Counsel, GE