Right? An independent survey polling 500 IT and risk/fraud decision makers in the US, UK, Germany, and France reveals that 75% will struggle to be ready for the EU General Data Protection Regulation (GDPR) deadline of May 25, 2018. Half of them lack the required Data Protection Officer and say their biggest challenges are Article 17 (right to seek erasure), Article 30 (processing records) and Article 32 (security of processing).
Down the line, one of two things may happen to your Clients: (1) they take the risk of not being compliant, with fines up to 20 million Euros or 4% of their global turnover (whichever is greater), at the will of 27 national data protection authorities whose wrath is independent of one another, or (2) they decide to forfeit their online presence in the European Union, a 620 million users market, second only to Asia with 1.1 billion users.
Now, wait! A new Chinese regulation - call it GDPR Mark II - became effective on June 1, 2017. It not only sets financial penalties for those who do not localize their data, but also makes it legal to kick them out of mainland China, not to mention a looming death penalty if the breach is "deemed" to involve state secrets... So forget the Chinese online market, too?
In a nutshell, European nationals control their online destiny giving OPT-IN permission before Big Data can share or transfer any personal information, whereas people in the U.S. must actively OPT OUT to protect their privacy.
Asking for permission on the Old Continent has always been King. It seems that we lost that mentality when we crossed the Atlantic to populate the burgeoning America with Freedom (and French fries) Lovers.
Over two centuries later, Silicon Valley comes back to us with the culture of "Winners take all your privacy away". We don't have kings anymore (almost...), but with the new EU data privacy law we call GDPR coming into force, we can help you help your Clients stay away from trouble with budget-savvy solutions.
'Forget about it’ is like if you agree with someone, you know, like Raquel Welch is one great piece of ass, ‘forget about it.’ But then, if you disagree, like a Lincoln is better than a Cadillac? ‘Forget about it!’ You know? But then, it’s also like if something’s the greatest thing in the world, like mingia those peppers, ‘forget about it.’ But it’s also like saying ‘Go to hell!’ too. Like, you know, like ‘Hey Paulie, you got a one inch pecker?’ and Paulie says ‘Forget about it!’ Sometimes it just means, ‘forget about it'. - 'Donnie Brasco' (Johnny Depp) - Sony Pictures
-- The Right to be Forgotten in EU Legalese --
JUDGMENT OF THE EUROPEAN COURT OF JUSTICE
Google Spain v. AEPD, Mario Costeja González - 13 May 2014
"Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, when appraising the conditions for the application of those provisions, it should inter alia be examined whether the data subject has a right that the information in question relating to him personally should, at this point in time, no longer be linked to his name by a list of results displayed following a search made on the basis of his name, without it being necessary in order to find such a right that the inclusion of the information in question in that list causes prejudice to the data subject. As the data subject may, in the light of his fundamental rights under Articles 7 and 8 of the Charter, request that the information in question no longer be made available to the general public on account of its inclusion in such a list of results, those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name. However, that would not be the case if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question."
Article 29 Working Party is not the Communist Party EU Union Local. Safe Harbour Principles are not to be found in Monte Carlo harbour. EU-US Privacy Shield is not a NATO Star Wars initiative. They were all successive steps in regulating the data protection of EU nationals, until all hell broke loose with the Snowden files, which revealed that no adequate level of protection for the transfer of EU personal data to the US would ever be met again.
Your Clients have run across new legislation in the past, maybe got their feet wet with a few regulators, and they could get lucky with the GDPR and their online activity in the EU, or the transfer of their EU employees' HR data back to the US... They can live without GDPR until it hits them. When this happens, they'll blame your Firm for not getting them up to speed and not preparing the Board for these heavy fines.
You see, the issue is more about evangelizing your Clients on the new set of rules in the EU that can come back to haunt them - while cashing in billable hours and CLE credits - than teaching them how to act like Google or Facebook and fight back against the EU data authorities. The EU finally got the teeth to bite US companies in breach of data privacy compliance, and they are certainly going to use that power.
You'll sound great when you drop "Privacy by Design" at your next Client meeting. Unless you're a scholar or an attorney practicing data privacy for a living, chances are that you and most of your Clients have never heard of Article 25 of the GDPR, which sets privacy settings at a high level by default.
Your average Client does not necessarily sell anything online in the EU, but you want to be able to explain that the "design thing" simply means making sure your Client's whole data processing lifecycle complies with the GDPR, from collecting personal information to sharing it with Big Data for a buck. You'll be happy to tell your Client that he should start thinking about processing personal information only when necessary for a specific purpose. Then you can refill the drinks and talk Dodgers, Cubs or Cardinals. Or maybe Football and fantasy drafts (not the soccer we play in Europe, but that tough game you guys play only in the US).
The DPO has a critical advisory role and responsibility to companies of all sizes processing personal data from EU nationals. He is the point person for the 27 EU data protection authorities and supervises compliance with, and the handling of, requests regarding the exercise of EU individuals' rights. As the GDPR puts it, he is "designated on the basis of professional qualities" with expert knowledge in national and EU data protection laws and practices and an in-depth understanding of the GDPR.
He also trains your Client's staff on proper data handling practices, stays current with ever-changing privacy laws and evangelizes a data privacy culture in implementing the GDPR data protection program. He recommends whether or not to prepare a Data Protection Impact Assessment (DPIA) and verifies that it meets GDPR requirements, acts independently of your Client's C-suite executives when investigating privacy or cybersecurity complaints from EU users, and cooperates with national data protection authorities.
This job requires strong ethical responsibilities to maintain independence and avoid conflicts of interest. European lawyers specialised in data privacy with information and communications technology expertise are particularly well suited for the job, whether in-house or as an outsourced DPO.
The "right to be forgotten" gave rise to a new "right to seek erasure" with the GDPR, where EU online users can request erasure of their personal information on several grounds, including when the business interests of the data controller (think Google, FB, etc., and don't forget to look the part when you call your Client a 'data controller') are overridden by the interests or the fundamental rights of an EU data subject (another expression to add to your dining vocabulary to look smarter than your four-year Associates) whose personal data needs to be protected.
At this point, your Client may ask the difference between the Right to be forgotten and the Right to seek erasure. Remember Johnny Depp saying 'Sometimes it just means, forget about it'? Well, your best educated answer might well be the same: sometimes, the Right to seek erasure just means the Right to be forgotten. The GDPR people tried hard to look creative and not to plagiarize the European Court of Justice.
By Spring 2018, those of your Clients dealing with personal information of EU nationals need to thoroughly maintain accurate internal records of all stages of their entire data life-cycle. Although some software solutions provide some technical support to meet that requirement, the Data Protection Officer is the person responsible for meeting the GDPR record keeping requirement, which involves pulling data activities from many departments and affiliates.
There is no easy way to deliver on such a task: the same data may be used in different ways, by different services or departments: HR might receive the personnel information of overseas EU employees via the company's intranet forms, while Finance needs some of that information to process payroll, and Operations to keep track of performance and, say, bonuses.
Your Clients must demonstrate by May 25, 2018 that they have considered high-quality and reliable technology to monitor their systems for unauthorized access or changes in real time, and/or opted for the anonymisation and encryption of personal data during all transmissions. Their Data Protection Officer will make sure these functions are actually occurring, as required by Article 32 of the GDPR:
Article 32 - Security of processing
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Likely to affect or likely to harm, that is the question. Either the breach of personal information will likely affect users to some degree, or it may also harm them. In the first case, only the users must be notified, within 72 hours of the discovery of the breach. In case of a harmful breach, bring into the mix up to 27 data protection authorities, depending on the users' EU State of residence.
Thanks to the GDPR and the worldwide reach of the internet, you now can tell your Clients that they need to keep track not just of our 50 states, DC, Puerto Rico etc., where they might have users who reside, but also those who live in Austria, Latvia, Bulgaria, Malta, Lithuania, Croatia, Cyprus, Czech Republic, Denmark, Poland, Estonia, Slovakia, Finland, Romania, Sweden, Greece, Slovenia, Hungary, Netherlands, Portugal, and the usual suspects France, Italy, Belgium, Luxembourg, Germany, Spain, Ireland and, perhaps, United Kingdom if not yet Brexited at the time of the breach.
Your Clients should try to stay away from storing financial data from their users that would trigger the "harm" threshold if breached. If only user ID, email or just IP address are breached they would just have to notify the customers but not any of the 27 EU authorities.
That's a tough one. Basically, come May 25, 2018, people can ask Google to give them their complete profile, all the personal information accumulated over the years, their surfing habits, their searches, their buying habits, everything, and take that personal data dump to a competitor like Yahoo and upload it for sale or just for fun. Under the GDPR, users can get their own personal information for free in a usable format and sell it themselves to a Big Data company of their choice, or just frame it in the living room.
So to put it in EU legalese, internet users will be able to copy, move or transfer their personal data from one IT environment to another in an easy and safe way, on demand and for free "without usability issues". There are some dudes who believe this right only concerns the personal information directly communicated by the user on an online form. WRONG! The WP29 (which is not a South Central gang but the working group born out of Article 29 of the EU 1995 Data Privacy Directive, called the Article 29 Working Party) considers that it covers data provided knowingly and actively by the data subject as well as the personal data generated by his or her activity.
You have probably heard by now that the new EU privacy regulation may fine your Clients up to 20 million Euros or 4% of their global annual turnover, whichever is the smallest. However, there is no such one-size-fits-all fine in the GDPR. This is a maximum amount that may be reached if your Client infringes the basic data processing principles, such as disregarding the valid consent requirement to process personal information, or is in contempt of one or more EU member State Data Protection Authorities (DPA).
If there is a violation of the "Privacy by design" requirements, the maximum fine is limited to 10 million Euros or 2% of the total worldwide annual turnover. In fact, the actual practice of most DPAs (under the 1995 Data Protection Directive) is to first issue a warning or a request letter, followed by either a reprimand or an order to comply with a regulation. DPAs must take into account the seriousness of the infringement, its nature and duration, and whether it results from negligence or a deliberate act.
But such fines may be imposed independently by each EU member State DPA, for the same infringement in each country, multiplying the amount of fines by a possible factor of 27. Although the administrative nature of these fines opens the way to disputing them in local Courts, the multiple procedures that would ensue may be a deterrent as well for your Clients. Better safe than sorry.
Foreign Legal Consultants are foreign attorneys registered with a US State bar to advise and practice solely the law of their foreign jurisdictions. A US law firm may be held liable for the unauthorized practice of foreign law on US soil when advising in EU privacy and cybersecurity law, unless the US attorney is also licensed to practice foreign law from any of the 27 EU member States, or works with a registered Foreign Legal Consultant.
We are a Foreign Legal Consultant firm registered with the California bar to practice EU & French law. We advise on data privacy compliance with EU regulations. Our EU lawyers are experienced in privacy and technology. They are bound by the same confidentiality duty as California attorneys, protecting our work product under attorney-client privilege.
Article 33 of the GDPR requires your Client to perform an assessment of the impact on privacy before personal information is processed. We provide an independent Privacy Impact Assessment to help your Client implement effective personal information processing when handling EU citizens' data. We assess the collection, processing and transfer of customer data, reviewing and documenting the information flows, and identifying and mitigating the risks in our assessment report.
We develop a Data Inventory of what, where, who, why, when and how data is held, with the definition and implementation of processes for customer consent management, disclosure of stored personal data, correction of wrong personal data, right to erasure and data portability. We also discuss with you what your Client's organisation will need to consider as personally identifiable information, building a Data Flow map of personal data. Our assessment includes recommendations for an incident response plan for data breaches.
A well-executed Privacy Impact Assessment brings certainty and control to the data handling practices of your Client's EU digital activity, including video face recognition in large public areas, large-scale databases of children's personal information, or even biometric data. It details the steps that need to be taken to implement the security safeguards and mechanisms necessary to be GDPR compliant.
Under Article 37 of the GDPR, the Data Protection Officer must provide legal advice on data protection law to the data controller or processor. The United States and a majority of EU member states consider the provision of legal advice for compensation to be a “reserved” activity that can legally only be done by licensed attorneys. Hence, if the DPO is not a licensed lawyer, she or he could be involved in the unauthorized practice of law.
We fill that need by advising on EU privacy and cybersecurity laws as a registered Foreign Legal Consultant with the California bar. Our expertise stems from almost 20 years of practice in Europe in technology laws, and a Master in Law degree in Information Technology Law from the University of Strasbourg (France), precisely where the European Parliament, which voted the GDPR, sits. Our founder, Bruno Genovese, also has a Master in Law degree in Cybersecurity and Data Privacy from Loyola Law School in Los Angeles.
Given the high profile required of the DPO and some uncertainty as to the role definition and responsibilities, the GDPR has opened the possibility not just to hire an in-house DPO, but also to outsource one, who may be shared by several companies. We provide this service locally in California to your Clients on an interim contract basis so that they can better define the requirements and the right profile to look for when they are ready to hire their own in-house DPO.
Following the GDPR requirement for Data Protection Officers to provide "awareness raising and training of staff involved in the processing operations", we offer flexible training options for your Clients and attorneys to raise their privacy capability and avoid unnecessary business costs in their EU data privacy activities, including raising understanding of the GDPR among the board and senior management.
We offer live online and on-site sessions and workplace training of 1 hour, 3 hours, and 6 hours, depending on the availability of your attorneys and clients, that cover the foundations of the GDPR with an overview of key requirements, compliance activities and data breach reporting. These sessions are eligible for 1.0, 3.0 or 6.0 CLE credits (approval of the course credit is pending).
The sessions can be completed during business hours or on Saturdays, and include all materials necessary to get a thorough understanding of the GDPR and its impact on the organization. They include tabletop exercises to stimulate and develop teamwork on a given set of facts.
WE ARE A LOS ANGELES BASED FIRM OF EUROPEAN ATTORNEYS
PROVIDING GDPR EXPERTISE SO YOU CAN ADD
GDPR BILLABLE HOURS TO YOUR CLIENT-MATTERS
We bill our services like e-Discovery vendors