U.S. law firms that deal with EU citizens must get ready to comply with the EU General Data Protection Regulation (GDPR) or will risk incurring potentially huge penalties, speakers told members of the Association of Professional Responsibility Lawyers Feb. 3.
The EU Parliament enacted the “broad and wide-ranging” GDPR three years ago to reconcile and consolidate the privacy laws of all EU member states, said panelist Susan E. Gunter, a partner at Dutton Brock LLP in Toronto. Before its adoption, she said, privacy regulation in the EU differed depending on the country. That will change effective May 25, when GDPR will apply to and be enforceable by any EU member state against any business, anywhere in the world, that holds or processes the personal data of even one citizen of the EU, Gunter told the audience.
The law will extend to all companies doing business in Europe, including law firms and their clients, as well as nonprofits and companies that don’t have a physical location there—“so any company that sells anything on the internet.” GDPR also applies to companies that collect information about EU data subjects and, in Gunter’s opinion, may extend to companies that conduct marketing activities on the internet.
The regulation’s definition of personal data is “incredibly broad,” Gunter said. Referring to an online FAQ contained in the conference materials, she noted “personal data” includes names, email contact information, location data, social media posts, medical information, and any other information that might identify a person, either directly or indirectly.
Additionally, Gunter said, GDPR requires organizations to implement “privacy by design.” This means designing a mechanism that from the outset minimizes collection and retention of personal data and curtails the risk of breach. Fines authorized under GDPR, she noted, are up to four percent of a company’s annual revenue or €20 million.
GDPR “creates new rights,” Gunter said. Unlike citizens of the U.S., EU citizens have the “right to be forgotten.” GDPR “allows [the EU data subject] to say, ‘I want you to erase all the information you ever put out into the world about me.’”
Under GDPR, Gunter said, EU data subjects will have the right to access their personal information held by an organization at any time, and the organization will have a very short response deadline.
Because Gunter’s law firm does work for a German company, she said, one of that client’s employees who previously sent her an email “could contact me and say ‘I want to know what information you have about me,’ and I have to respond.” The employee would also have the right to object to the automated collection of his personal data, ask Gunter’s firm to correct inaccurate data, or ask for all of his personal data, including metadata, to be put onto a device or transmitted to him—and deleted forever from the company’s servers and devices.
Moderator Trisha Rich asked, “Does that company have an affirmative obligation to go to all the people to whom they’ve given that data,” or does the data subject have to make separate inquiries? Rich is a partner at Holland & Knight LLP in Chicago.
Gunter said GDPR would require her to contact those to whom she disclosed the data subject’s personal information “if I disclosed [it] without his express consent.” But a company that’s in compliance with GDPR would only have the subject’s information if it had first explained how it might use it. In the case of a law firm, Gunter said, a GDPR-compliant disclosure might include a statement that it would be disclosing the subject’s personal information to the opposing party, to the court, or any other reasonably foreseeable entities.
Panelist Brian Faughnan, who’s with Lewis Thomason in Memphis, Tenn., noted that under GDPR “consent can no longer be a global consent” but must specify the types of data and uses to which the subject is consenting. “Lawyers are going to have to address this in their engagement letters,” he said. And GDPR doesn’t permit waiving consent, noted Gunter.
‘You and What Army?’
Faughnan commented that in the U.S., as a rule, under any state’s rules regarding returning client files, it’s OK to say, “I’m keeping a copy.” But under GDPR, he said, it appears that U.S. lawyers may not keep a copy if the client wants the data returned. Still, Faughnan wondered how an EU member state might enforce a fine against a U.S. business such as his firm in Tennessee unless it holds assets in Europe. “They can say there’s extraterritorial jurisdiction, but you and what army?”
Gunter suggested the U.S. might negotiate an agreement on GDPR enforcement with the EU, but she emphasized U.S. firms must take GDPR seriously. The largest global firms already are in compliance, she said, but she fears midlevel firms may not be aware of GDPR’s reach and will incur fines for noncompliance. She recommended firms not rely on white papers written by consulting companies but rather read the regulation themselves to determine what compliance requires.
Gunter said all EU countries have now appointed privacy commissioners to help enforce GDPR, and any EU citizen may make a complaint to any EU privacy authority. Once that happens, she said, a target firm will be notified of its responsibility to comply with the regulation, and if its compliance is deemed insufficient, that authority can impose a sanction. GDPR also creates a private right of action in the event of noncompliance, so an aggrieved data subject may sue. GDPR permits nonmaterial damages such as loss to reputation and does not require the aggrieved subject to prove them, she said. It also provides for class actions by nonprofit entities created for that purpose. [See Article 80, GDPR.]
“Remember how up in arms we all got about Gramm-Leach-Bliley? We fought back,” said Faughnan. [The Gramm-Leach-Bliley Act contains provisions requiring “financial institutions” to notify customers of their policies of protecting their privacy. In American Bar Ass’n v. Federal Trade Comm’n, D.C. Cir.,
“This is a global Gramm-Leach-Bliley, on steroids, and we don’t have any say in stopping it.”
The panel, entitled “Privacy and Confidentiality in a Changing World,” convened at APRL’s midyear meeting in Vancouver.