Risks associated with data, data privacy, and the changing global regulatory landscape for such issues are some of the most complex challenges facing financial services companies’ legal and compliance departments today.
The recent first anniversary of the effective date of the European Union’s General Data Protection Regulation (GDPR) (on May 25) provides occasion for a look back at the rush to prepare for GDPR, enforcement and penalties related to it thus far, and the new challenges ahead for U.S.-based firms.
The GDPR report card
U.S. financial services firms trying to manage regulations and guidance on data protection and cybersecurity from multiple jurisdictions faced an enormous challenge last year when the strict new EU rules governing the use of personal information took effect.
GDPR, which was adopted in April 2016 and took effect May 25, 2018, is designed to protect the privacy rights of EU individuals but applies to all companies processing or controlling the personal information of EU residents, regardless of where those firms are located.
Preparing for GDPR came with myriad implications for U.S. firms. A key principle of the regulation is that ownership of personal data is deemed to remain with the individual and not with the data controllers or processors. GDPR also includes enhanced requirements regarding consent to use and includes a “right to be forgotten” or removed from the record. And although breach notifications are a big part of GDPR (as well as of the U.S. focus on data protection), in the United States there are countless businesses whose commercial models are based on the use and sale of data.
These factors pose a distinctly different legal view and approach from the U.S. perspective, and thus, a great challenge to some U.S. companies.
Last year, experts (ourselves included) pointed out that many of the larger U.S. firms were working to prepare for the regulations and were at varying degrees of preparedness; smaller firms were the least prepared. Today, the picture has changed little. “GDPR was pretty well written, and mapping, segregation, and planning efforts in preparation by firms were largely successful and beneficial,” says Cynthia Cole, special counsel in the Palo Alto technology practice at law firm Baker Botts. “However, even now a year later, most companies are still nowhere near compliant.”
Penalties & private litigation
The enforcement powers associated with GDPR are significant. Fines for violations can reach up to 20 million euros or 4% of a firm’s global annual revenue (whichever is larger) per violation. With the potential for such stiff penalties, there was great concern about heavy-handed enforcement from data protection authorities in the EU; however, the number and size of fines thus far don’t back that up.
The biggest penalty — 50 million euros — was issued by the French Data Protection Authority in January against Google. The investigation stemmed from complaints received by the French authority over Google’s handling of personal data, and the fine was related to a “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization,” according to the regulator. Google’s penalty represents nearly 90% of the total value of fines levied to date — but it had the potential to be much larger.
Perhaps a greater concern is the risk of private litigation. Under the GDPR, individuals are able to file claims for “material or non-material damage” resulting from a breach of the GDPR, according to William Long and Wim Nauwelaerts of the law firm Sidley Austin. In addition, they point out that not-for-profit organizations have the right to lodge a complaint on behalf of an individual, and they cite as an example an airline that has been threatened with a £500 million class action lawsuit in a UK court for non-material damage caused by a security breach.
“The airline has already pledged to cover any losses suffered by its customers, but a law firm acting for some of the affected individuals has taken the position that under the GDPR, the individuals have a right to further compensation of £1,250 each,” Long and Nauwelaerts say.
This increase in consumers exercising their privacy rights, and the growth in privacy litigation that accompanies it, are likely results of GDPR and are expected to continue. Indeed, the efforts to comply with GDPR and the penalties levied thus far are likely only the tip of an enormous iceberg of data privacy regulation and litigation to come.
U.S. challenges ahead
Without question, GDPR set a new standard for privacy laws, and the rest of the world has taken notice. For example, an amendment to Canada’s Personal Information Protection and Electronic Documents Act went into effect November 1, 2018 and has significant overlap with GDPR; and Australia’s Privacy Act of 1988 underwent extensive updates in 2014 following a comprehensive review by the Australian Law Reform Commission. Australia published additional guidance and resources in June 2018 specifically addressing similarities and differences to GDPR.
Although there have been calls for similar federal regulations on privacy in the United States, there has been little action at the federal level. Not surprisingly, a patchwork of state regulations is beginning to unfold in its place. Most significantly, the California Consumer Privacy Act (CCPA) is scheduled to go into effect January 1, 2020 and is currently considered the most expansive state privacy law in the United States. At least six other states — Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, and Washington — have introduced similar privacy laws, many of which largely mirror the California act.
“GDPR and the CCPA are largely consistent with significant overlap,” says Baker Botts’ Cole, adding that the data mapping exercises undertaken by U.S. firms in preparation for GDPR will put them in a better starting position for their CCPA preparation efforts.
Operationally, one of the largest challenges faced by firms in preparing for the California law is the review of contracts and the challenge of “carve-outs” or “exceptions” such as publicly available information, certain medical and health information, or other financial information. Service provider agreements and vendor agreements also must be mapped and reviewed.
With all of these challenges, corporations’ compliance, legal, and technology departments, as well as their outside data privacy lawyers, will be busy readying companies to meet these new legal obligations and to prepare for any future litigation that may arise.
“Longer-term, privacy could turn into a class-action nightmare,” says Cole, noting that it is likely that none of the preparation work related to mapping and inventory of data will be privileged, making it discoverable, which “will be an enormous cost in future litigation.”