An independent survey of 500 IT and risk/fraud decision makers in the US, UK, Germany and France reveals that 75% will struggle to be ready for the EU General Data Protection Regulation (GDPR) deadline of May 25, 2018. Half of them have not yet appointed a Data Protection Officer, and they say their biggest challenges are Article 17 (right to erasure), Article 30 (records of processing activities) and Article 32 (security of processing).
Down the line, one of two things may happen to your Company: (1) you take the risk of not being compliant, with fines of up to 20 million Euros or 4% of your global annual turnover (whichever is greater), at the discretion of 27 national data protection authorities whose enforcement actions are independent of one another, or (2) you forfeit your online presence in the European Union, a market of 620 million internet users, second only to Asia with 1.1 billion.
That could work, were it not for the new Chinese regulation, call it GDPR Mark II, which took effect on June 1, 2017: it imposes financial penalties on those who do not localize their data in China and makes it legal to shut you out of mainland China (not to mention criminal liability, potentially up to the death penalty, if a breach is "deemed" to affect state secrets...). So, forget the Chinese online market, too?
In a nutshell, European nationals control their online destiny by giving OPT-IN consent before you can share personal information with, or transfer it to, Big Data, whereas people in the U.S. must actively OPT OUT to protect their privacy.
Asking for permission on the Old Continent has always been King. It seems we lost that mentality when we crossed the Atlantic to populate the burgeoning America with Freedom (and French fries) Lovers.
Over two centuries later, Silicon Valley comes back to us with a culture of Winners Take All Your Privacy Away. We don't have kings anymore (almost...), but with the new EU data privacy law we want to give you back control and help you stay out of trouble, with budget-savvy solutions from EU-licensed attorneys specialized in EU privacy and technology law.
'Forget about it’ is like if you agree with someone, you know, like Raquel Welch is one great piece of ass, ‘forget about it.’ But then, if you disagree, like a Lincoln is better than a Cadillac? ‘Forget about it!’ You know? But then, it’s also like if something’s the greatest thing in the world, like mingia those peppers, ‘forget about it.’ But it’s also like saying ‘Go to hell!’ too. Like, you know, like ‘Hey Paulie, you got a one inch pecker?’ and Paulie says ‘Forget about it!’ Sometimes it just means, ‘forget about it'. - 'Donnie Brasco' (Johnny Depp) - Sony Pictures
-- The Right to be Forgotten in EU Legalese --
JUDGMENT OF THE EUROPEAN COURT OF JUSTICE
Google Spain v. AEPD, Mario Costeja González - 13 May 2014
"Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, when appraising the conditions for the application of those provisions, it should inter alia be examined whether the data subject has a right that the information in question relating to him personally should, at this point in time, no longer be linked to his name by a list of results displayed following a search made on the basis of his name, without it being necessary in order to find such a right that the inclusion of the information in question in that list causes prejudice to the data subject. As the data subject may, in the light of his fundamental rights under Articles 7 and 8 of the Charter, request that the information in question no longer be made available to the general public on account of its inclusion in such a list of results, those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name. However, that would not be the case if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question."
The Article 29 Working Party is not the Communist Party's EU Union Local. The Safe Harbour Principles are not to be found in Monte Carlo harbour. The EU-US Privacy Shield is not a NATO Star Wars initiative. They were successive attempts to rein in the protection of EU nationals' personal data, until all hell broke loose with the Snowden files, which revealed that the "adequate level of protection" required for transfers of EU personal data to the US was not being met, and led the European Court of Justice to strike down Safe Harbour in 2015. Now comes the long-overdue overhaul of EU data privacy law: the G.D.P.R., or General Data Protection Regulation, which comes into full effect in 28 countries at once on May 25, 2018.
Our Clients have run across new legislation in the past; some got their feet wet with a few US regulators, and some even got lucky with their online activity in the EU under the now 22-year-old EU Directive on data privacy. Others simply did not care about the transfer of their EU employees' HR data back to the US... Those were the days when EU local authorities were learning, along with the EU multi-jurisdiction system, how to deal with US companies like Google, Facebook, Microsoft and other Silicon Valley behemoths.
Ultimately, with the GDPR the EU got the teeth to bite US companies that fail to comply with the new data privacy rules, and the national authorities are certainly going to use that power. You can probably live without GDPR compliance until it hits you big time. When that happens, your CEO will blame the legal team and its GC for not getting your company up to speed soon enough and for failing to alert the Board to the heavy fines that as many as 28 EU member states (until Brexit goes live) may assert independently against you.
You see, our goal is less about evangelizing you and your company about the GDPR than about putting you in a safe place, so the new set of EU privacy rules cannot come back to haunt your company, because you will know the details of how to push back against the EU data protection authorities.
You'll sound great when you drop "Privacy by Design" at your next meeting with your engineers. Unless you're an attorney practicing data privacy for a living, chances are you have never heard of Article 25 of the GDPR, which requires your engineers to build data protection into the design of processing and to set privacy-protective settings by default.
Your company does not necessarily sell anything online in the EU, but you want to be able to explain to your Board and your Chief Information Officer that "Privacy by Design" simply means making sure your whole data processing life-cycle complies with the GDPR, from collecting personal information in the EU to sharing it with Big Data in the US (or elsewhere) for a buck. You'd be smart to explain why your marketing team should start thinking about processing personal information only when necessary for a specific purpose. Then everyone can go to that Happy Hour on Friday, refill the drinks and talk Dodgers, Cubs or Cardinals.
The EU's General Data Protection Regulation requires companies (including non-EU organizations like US companies) whose core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data, to appoint and designate a corporate or outsourced Data Protection Officer (DPO) who ensures compliance with all aspects of the new data protection regime and is the point person for the 28 national data protection authorities (minus the UK when Brexit becomes effective in March 2019). Companies outside those categories may still appoint one, and many will, since it is the simplest way to show a regulator that someone owns the compliance program.
The International Association of Privacy Professionals (IAPP) estimates that more than 75,000 DPOs will be needed to meet GDPR compliance requirements.
The DPO has a critical advisory role and responsibility for companies of all sizes processing personal data of EU nationals. He or she supervises the handling of requests regarding the exercise of EU individuals' rights. As the GDPR puts it, the DPO is "designated on the basis of professional qualities", with expert knowledge of national and EU data protection law and practice and an in-depth understanding of the GDPR.
The DPO also trains company staff in proper data handling practices, stays current with ever-changing privacy laws and evangelizes a data privacy culture while implementing the GDPR data protection program. The DPO advises on whether or not to prepare a Data Protection Impact Assessment (DPIA), verifies that it meets GDPR requirements, acts independently of C-suite executives when investigating privacy or cybersecurity complaints from EU users, and cooperates with national data protection authorities. Your California-licensed attorney cannot match the competence and profile of EU-licensed attorneys specialized in privacy matters with a post-JD diploma in EU online law and data privacy.
This job carries strong ethical responsibilities to maintain independence and avoid conflicts of interest. European-licensed attorneys specialized in data privacy with information and communications technology expertise are particularly well suited for the job, whether in-house at your EU subsidiary or as your outsourced DPO in the US.
The "right to be forgotten" gave rise to the "right to erasure" under Article 17 of the GDPR, under which EU online users can request erasure of their personal information on several grounds, including when the business interests of the data controller (think Google, FB, etc., and don't forget to look the part when you call your Company a 'data controller') are overridden by the interests or fundamental rights of an EU data subject (another expression to add to your dining vocabulary to look on the ball) whose personal data needs to be protected.
At this point, your CEO may ask what the difference is between the right to be forgotten and the right to erasure. Remember Johnny Depp saying Sometimes it just means, 'forget about it'? Well, your best educated guess might be: sometimes, the right to erasure just means the right to be forgotten. Article 17 even carries both names in its title, "Right to erasure ('right to be forgotten')", so the GDPR drafters did not try too hard to avoid plagiarizing the European Court of Justice's legalese.
By Spring 2018, if your Company is dealing with personal information of EU nationals, you need to maintain accurate internal records of all stages of the entire data life-cycle, the "records of processing activities" of Article 30. Although some software solutions provide technical support for that requirement, the Data Protection Officer is the person responsible for meeting the GDPR record-keeping requirements, which involves pulling data activities from many departments and affiliates.
There is no easy way to deliver on such a task: the same data may be used in different ways by different services or departments. HR might receive the personal information of overseas EU employees via the company's intranet forms, while Finance needs some of that information to process payroll, and Operations keeps track of performance and, say, bonuses. Not to mention how Marketing is trying to monetize that information at all cost...
Your Company must be able to demonstrate by May 25, 2018 that it has considered high-quality and reliable technology to monitor its systems for unauthorized access or changes in real time, and/or opted for the pseudonymisation and encryption of personal data, at rest and during all transmissions. Your in-house or outsourced Data Protection Officer will make sure these measures are actually in place, as required by Article 32 of the GDPR:
Article 32 - Security of processing
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
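Article 32(a) names pseudonymisation and encryption but says nothing about how to do either, and the most common mistake in practice is to "pseudonymise" by running an unkeyed SHA-256 over e-mail addresses, which anyone with a list of candidate addresses can reverse. The following Python is an added example written for this page, not code from the original article or from the firm; it shows keyed pseudonymisation (HMAC-SHA256 under a secret key held separately from the data set), the re-identification table that the key protects, and the dictionary attack that defeats the unkeyed variant. The record, the field names treated as direct identifiers and the candidate list are all constructed for the illustration and are assumptions, not anything the regulation prescribes.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Tuple

# Fields treated as direct identifiers in this illustration (an assumption
# for the example; a real data inventory decides this per processing activity).
DIRECT_IDENTIFIERS = ("name", "email", "ip")


def new_pseudonymisation_key() -> bytes:
    """256-bit secret kept apart from the pseudonymised data set.

    Under GDPR Art. 4(5) this key is the "additional information" that makes
    re-identification possible, so it belongs in a separate, access-controlled
    store (KMS/HSM), never next to the data it protects.
    """
    return secrets.token_bytes(32)


def _canonical(value: str) -> bytes:
    # Normalise so "Jane.Doe@Example.com" and "jane.doe@example.com" map to the
    # same token; otherwise joins across systems silently break.
    return value.strip().lower().encode("utf-8")


def keyed_token(value: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under the secret key.

    Deterministic, so the same person gets the same token in every record
    (joins and de-duplication still work), but without the key the token can
    neither be reversed nor linked to a data set tokenised under another key.
    """
    return hmac.new(key, _canonical(value), hashlib.sha256).hexdigest()


def unkeyed_token(value: str) -> str:
    """Plain SHA-256 of the identifier: what NOT to do, shown for contrast."""
    return hashlib.sha256(_canonical(value)).hexdigest()


def pseudonymise(record: Dict, key: bytes) -> Tuple[Dict, Dict[str, str]]:
    """Replace direct identifiers with keyed tokens.

    Returns the pseudonymised record plus a token -> original lookup table.
    The lookup table is itself personal data and must be stored separately
    from the pseudonymised set (same rule as the key).
    """
    out = dict(record)
    lookup: Dict[str, str] = {}
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) is not None:
            token = keyed_token(str(out[field]), key)
            lookup[token] = out[field]
            out[field] = token
    return out, lookup


def reidentify(record: Dict, lookup: Dict[str, str]) -> Dict:
    """Controller-side reversal using the separately stored lookup table."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) in lookup:
            out[field] = lookup[out[field]]
    return out


def guess_identifier(token: str, candidates: List[str],
                     key: Optional[bytes] = None) -> Optional[str]:
    """Dictionary attack: hash each candidate and compare with the token.

    Succeeds against unkeyed hashes (the attacker only needs a list of likely
    e-mails or the IPv4 space); fails against keyed tokens unless the attacker
    also holds the key.
    """
    for candidate in candidates:
        trial = keyed_token(candidate, key) if key is not None else unkeyed_token(candidate)
        if hmac.compare_digest(trial, token):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample record for the demo, not real data.
    record = {"name": "Jane Doe", "email": "jane.doe@example.com",
              "ip": "203.0.113.7", "plan": "pro", "country": "FR"}
    key = new_pseudonymisation_key()
    pseud, lookup = pseudonymise(record, key)
    print("pseudonymised:", json.dumps(pseud, indent=2))
    print("restored:     ", reidentify(pseud, lookup) == record)
    candidates = ["bob@example.com", "jane.doe@example.com"]
    print("unkeyed guess:", guess_identifier(unkeyed_token(record["email"]), candidates))
    print("keyed guess:  ", guess_identifier(pseud["email"], candidates))
```

Two caveats a practitioner will want: pseudonymised data is still personal data under the GDPR (Recital 26), since the controller can reverse it, so it reduces risk rather than taking the data out of scope; and the example covers only pseudonymisation, the encryption half of Article 32(a) is a separate control (TLS in transit, authenticated encryption at rest) with its own key management.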
Likely to result in a risk, or likely to result in a high risk: that is the question. The GDPR has two notification duties, and the threshold decides which one you owe. Under Article 33, any personal data breach must be notified to the competent data protection authority within 72 hours of your becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Under Article 34, when the breach is likely to result in a high risk to individuals, you must also notify the affected users themselves, without undue delay. In the high-risk case, bring into the mix up to 27 data protection authorities, depending on the users' EU member state of residence.
Thanks to the GDPR and the worldwide reach of the internet, you can now tell your Board that you need to keep track not just of our 50 states, DC, Puerto Rico etc., where your Company might have users, but also of those who live in Austria, Latvia, Bulgaria, Malta, Lithuania, Croatia, Cyprus, Czech Republic, Denmark, Poland, Estonia, Slovakia, Finland, Romania, Sweden, Greece, Slovenia, Hungary, Netherlands, Portugal, and the usual suspects France, Italy, Belgium, Luxembourg, Germany, Spain, Ireland and, perhaps, the United Kingdom if it has not yet Brexited at the time of the breach.
Your Company should try to stay away from storing financial data on its users, which would almost certainly cross the "high risk" threshold if breached. Do not assume that a leak of only user IDs, e-mail addresses or IP addresses gets you off the hook, though: these are personal data, and the breach still has to be notified to the authority within 72 hours unless you can document why it is unlikely to result in a risk. What such a breach may spare you is the separate duty to notify every affected user and to deal with the 27+1 EU authorities at once.
That's a tough one. Basically, come May 25, 2018, any EU user can ask Google for a copy of his complete profile, all the personal information accumulated over the years, his surfing habits, his searches, his buying habits, everything, and take that personal data dump to a competitor like Yahoo to upload it, for sale or just for fun. Under Article 20 of the GDPR, users can get their own personal information for free in a structured, commonly used and machine-readable format and sell it themselves to a Big Data company of their choice, or just frame it in their living room.
So, to put it in EU legalese, internet users will be able to copy, move or transfer their personal data from one IT environment to another in an easy and safe way, on demand and for free, "without hindrance" from the controller.
There are some dudes who believe this right only concerns the personal information directly typed by the user into an online form. WRONG! The WP29 (which is not a South Central gang but the working group born out of Article 29 of the 1995 EU Data Privacy Directive, called the Article 29 Working Party) considers that it covers data provided knowingly and actively by the data subject as well as the personal data observed from his or her activity, such as search history and location data. What it does not cover is data the controller itself derived or inferred from that activity, such as a profile or a credit score.
You have probably heard by now that the new EU privacy regulation may fine your Company up to 20 million Euros or 4% of its global annual turnover, whichever is higher. However, there is no such one-size-fits-all fine in the GDPR. This is a maximum amount that may be reached if your Company breaks the basic principles of data processing, such as disregarding the valid-consent requirement for processing personal information, ignores data subjects' rights, or is in contempt of one or more EU member state Data Protection Authorities (DPAs).
For a violation of the "Privacy by Design" requirement of Article 25, the maximum fine is limited to 10 million Euros or 2% of total worldwide annual turnover, again whichever is higher. In fact, the actual practice of most DPAs (under the 1995 Data Protection Directive) has been to first issue a warning or a request letter, followed by either a reprimand or an order to comply. DPAs must take into account the seriousness of the infringement, its nature and duration, and whether it was negligent or intentional. Even then, you may ask your overseas attorney to challenge the DPA's decision before an administrative court (a process that may take years to reach a final decision, even with the right attorney).
Such fines may be imposed by each EU member state DPA for a privacy breach affecting residents of its country, potentially multiplying the exposure by a factor of 27 (+1 before Brexit is achieved in March 2019). The GDPR does introduce a "one-stop shop": a company with an EU establishment deals primarily with a lead supervisory authority, which coordinates with the other DPAs concerned. A US company with no EU establishment gets no such benefit, and every DPA whose residents are affected may act. Although the administrative nature of these fines opens the way to disputing them in local courts, the multiple procedures that would ensue may be a deterrent as well for your legal team and the Board. Now you know, so better safe than sorry.
Foreign Legal Consultants are foreign attorneys registered with a US state bar to advise on and practice solely the law of their foreign jurisdiction. A US law firm may be held liable for the unauthorized practice of foreign law on US soil when advising on EU privacy and cybersecurity law, unless its attorneys are also licensed to practice law in one of the 27+1 EU member states, or the firm works with a bar-registered Foreign Legal Consultant.
We are a Foreign Legal Consultant firm registered with the California bar to practice EU and French law. We advise on data privacy compliance with EU regulations. Our EU lawyers are experienced in privacy and technology, with US and French Master of Laws degrees in that discipline. They are bound by the same duty of confidentiality as California attorneys, and their work product is protected by attorney-client privilege.
Article 35 of the GDPR requires your Company to perform a Data Protection Impact Assessment before starting any processing that is likely to result in a high risk to individuals. We provide an independent Privacy Impact Assessment to help you implement effective personal information processing when handling EU residents' data. We assess the collection, processing and transfer of customer data, review and document the information flows, and identify and mitigate the risks in our assessment report.
We develop a Data Inventory of what, where, who, why, when and how data is held, with the definition and implementation of processes for customer consent management, disclosure of stored personal data, correction of inaccurate personal data, the right to erasure and data portability. We also work through with you what your organisation should treat as personal data, building a Data Flow map of that data. Our assessment includes recommendations for an incident response plan for data breaches.
A well-executed Privacy Impact Assessment brings certainty and control to the data handling practices of your EU digital activity, including video face recognition in large public areas, large-scale databases of children's personal information, or biometric data. It details the steps that need to be taken to implement the security safeguards and mechanisms necessary to be fully GDPR compliant.
Under Article 39 of the GDPR, the Data Protection Officer's tasks include informing and advising the data controller (or processor) and its employees of their obligations under EU and national data protection law, which in practice means giving legal advice. The United States and a majority of EU member states consider the provision of legal advice for compensation to be a "reserved" activity that can legally only be performed by licensed attorneys. Hence, if the DPO is not a licensed lawyer, she or he could be engaged in the unauthorized practice of law.
We fill that need by advising on EU privacy and cybersecurity law as a Foreign Legal Consultant registered with the California bar. Our expertise stems from almost 20 years of practice in technology law in Europe, and a Master of Laws degree in Information Technology Law from the University of Strasbourg (France), precisely where the European Parliament that voted the GDPR sits. One of our founders, Bruno Genovese, also holds a Master of Laws degree in Cybersecurity and Data Privacy from Loyola Law School in Los Angeles.
Given the high profile required of the DPO and some uncertainty as to the role's definition and responsibilities, the GDPR allows you not just to hire a permanent in-house DPO, but also to outsource one, who can even be shared by several companies. We provide this service locally in California to your Company on an interim contract basis, so you can better define the requirements and the right profile to look for when you are ready to hire your own in-house DPO, in several months or more.
Following the GDPR requirement that Data Protection Officers provide "awareness-raising and training of staff involved in processing operations", we offer flexible training options for your personnel and legal staff to raise their privacy capability and avoid unnecessary business cost in your EU data privacy activities, including raising the board's and senior management's understanding of the GDPR.
We offer live online, on-site and workplace training sessions of 1 hour, 3 hours and 6 hours, depending on the availability of your staff and executives, covering the foundations of the GDPR with an overview of key requirements and compliance activities, including data breach reporting. These sessions are eligible for 1.0, 3.0 or 6.0 CLE credits for your legal staff (approval of the course credit is pending).
The sessions can be completed during business hours or on Saturdays, and include all materials necessary to get a thorough understanding of the GDPR and its impact on your organization. We include tabletop exercises to stimulate and develop teamwork on a given set of facts. It makes your company reasonably defensible if a privacy situation arises with any of the 27+1 EU member state Data Protection Authorities.
WE ARE A LOS ANGELES BASED FIRM OF EUROPEAN ATTORNEYS
PROVIDING GDPR EXPERTISE TO CALIFORNIA COMPANIES
USING OR COLLECTING PERSONAL INFORMATION FROM EU USERS
We offer and bill our services in California exclusively