Michael Morgan of McDermott Will & Emery talks with Vivienne Artz of Thomson Reuters about the possibility of GDPR being a global export.
As the leader of his law firm’s global privacy and cybersecurity practice, Michael Morgan has advised clients through complex data breach incidents involving more than 50 million records and affecting persons in over 100 countries. His list of clients touches a wide variety of industries, including financial services, automotive, telecommunications, healthcare, insurance and big data.
Thomson Reuters chief privacy officer, Vivienne Artz, sat down with Michael Morgan, a partner with international law firm McDermott Will & Emery, to discuss the far-reaching implications of the European Union’s General Data Protection Regulation (GDPR) and what it means in practical terms now and in the future for businesses across the globe.
The below interview has been edited for length and clarity.
VIVIENNE ARTZ: What do you see as the biggest issues coming out of GDPR for the global companies that you’re advising?
MICHAEL MORGAN: For many U.S. companies, the challenge has been that, unlike their EU counterparts, they didn’t have considerable experience working with the Data Protection Directive. Large enterprises may have smart and experienced privacy professionals who were exposed generally to European data protection principles, but GDPR compliance initiatives required a deep understanding of these issues. It forced many large U.S. enterprises to dig into the issues in ways they hadn’t previously done.
As just one example, data mapping is something that many U.S. organizations had on their to-do lists even before GDPR. With GDPR, it now becomes an essential part of the compliance process. Organizations have had to really ramp up their knowledge and capabilities on European data protection issues in light of GDPR.
ARTZ: How much of a challenge is it for U.S. organizations to marry up an increasing number of breach reporting obligations, when you have 50 different standards across the U.S., as well as the 72-hour breach notification in the EU?
MORGAN: It is a challenge, but it seems to be going reasonably well. U.S. organizations have been subject to breach notification requirements for many years. To be sure, the quick notification trigger will pose a challenge in the early stages of incident response. 72 hours is a fast trigger, so organizations are going to have to make a notification decision at a very early stage of an incident response, when there is a lot of anxiety, a heavy workload and often considerable uncertainty about the facts. It’s going to be inconvenient and will present a challenge in many instances, but at the end of the day, I know many organizations that are reasonably well prepared for this situation.
Oftentimes, your ability to comply will turn on how well you can execute on the fundamentals of incident response, which are well understood at this point. For example, your incident response preparation needs to be thorough and tailored to the types of incidents that are most likely and most challenging. If you’ve prepared well, then you have thought about how you’re going to make a notification decision at an early stage of the response process.
The quick notification requirement will present a particular challenge to European companies, most of which are dealing with notification requirements for the first time. These companies are going to be playing catch up for a while.
ARTZ: I think one of the analogies I’ve used in the past is GDPR (or European privacy) is a bit like a virus that attaches to the data and wherever the data goes, it follows it. Do you think GDPR is leading firms to create much higher standards in jurisdictions where it’s not necessary in order to achieve consistency, or do you think that they’re managing to separate it out, so that it only applies to European type data versus others? Because otherwise, there is a real possibility that GDPR is going to be a global export.
MORGAN: GDPR is a global export, and you’re right that some companies are choosing to adopt global policies driven by European data protection principles because they think it’s too difficult to try to track global developments and maintain different practices for Europe. But I wouldn’t go so far as to say that most companies are defaulting to European standards globally; rather, they’re taking a look at what makes the most sense for their company given the range of considerations, including the scope of their global operations and customer base. If a company has particular, localized arrangements, such as relationships with local suppliers, the company would not ordinarily want to default to a contractual relationship that is dictated by heightened European standards.
That said, many organizations are looking at this and are worrying about whether they can remain in compliance if they try to track changing requirements around the world and modify their practices only when required under the laws in particular regions or nations.
ARTZ: Let’s move on to the Internet of Things (IoT), which is opening up enormous opportunities to automate, personalize and connect people together. We’ve seen a lot recently about the cybersecurity risks in relation to the Internet of Things; what do you think the privacy challenges for the Internet of Things are going forward?
MORGAN: The challenges are considerable. One key question is how you configure devices so that they can respect the privacy preferences of individuals and allow individuals to exercise meaningful choice. IoT devices are ubiquitous, and many consumers want their devices to respect their individualized privacy preferences. But consumers often do not have the time to manage all their devices and ensure they reflect their preferences. We need to come up with some shortcuts for managing privacy preferences across devices.
This is an issue with many platforms and media, but there are particular challenges that arise from the nature of IoT devices. These devices tend to gather data and interact with the environment in a way that is new and different; they observe the environment in ways that potentially can implicate rights of third parties. If you’re in a private setting, that doesn’t mean your IoT device isn’t gathering data. There are situations where third parties potentially might object if they thought an IoT device was listening or observing them.
Similarly, advanced applications like vehicle autonomy rely heavily on sensory devices, gathering information about the environment, including third parties in that environment. Again, those potentially can implicate privacy issues because the devices generally are not programmed to make decisions about what is socially appropriate to record.
Many of these IoT products are rolled out globally. This requires companies to confront the question of how they are going to address the privacy issues in jurisdictions around the world, which includes both the regulatory and legal requirements regarding privacy and data protection as well as cultural issues. We talked earlier about the possibility of using the EU standards as a baseline, but staying up to speed on all of the changing rules across the globe is a challenge for any organization that rolls out these devices around the world.
ARTZ: Because of the significant change that this whole GDPR compliance effort has had, how do you see the data privacy landscape evolving in the future?
MORGAN: It’s going to be fascinating. Some organizations are going to try to find and set an international high watermark and use that standard on a global basis because they think it’s too complicated to manage regional or national variations in dozens or hundreds of countries. In the coming years, we’re likely to see a continued spread of data privacy protections and cybersecurity requirements around the globe. GDPR is going to be very influential in this development.
Some organizations that are deciding to go with European standards now may be rewarded because it may be easier for them to administer and apply such standards on a global basis. Other organizations will make a different decision, which might be right for them depending on a variety of factors, including the scope of their international operations, the availability of global privacy compliance resources, and the volume of their personal data processing.
With the rise of regulation around the world, you’re going to have developments like China’s Network Security Law and other data localization and data privacy requirements that are going to impose themselves on how large enterprises manage global data. It’s going to be a really dynamic time over the next five years. A complicating factor could be the escalation of trade tensions, which might impair international cooperation on data issues. It also might impede data globalization and the spread of global enterprises. It also would significantly affect how organizations manage their global networks and their global privacy and cybersecurity practices.
For additional content concerning the use of personal data in the digital age, be sure to explore the rest of our multimedia series: A new dawn for data privacy and transparency.