Companies and their lawyers brace for wide-ranging EU data-privacy law

By Jason Tashea

March 2018


Photograph of Linda Priebe by Devon Cass.

A pending European Union law has companies across the globe reviewing how they collect and protect user data.

The General Data Protection Regulation “is without a doubt, the biggest, most wide-impacting regulation in the area of data protection in the history of the world,” says Joshua Lenon, lawyer in residence at Clio, a practice management software company in Vancouver, British Columbia. The regulation goes into effect on May 25.

Over the past two years, the Clio team has conducted a top-to-bottom review of its products to be compliant with the GDPR, which affects the collection, storage, transfer and deletion of personal data. Clio’s process tweaked “client-facing” features on the platform, revamped its privacy policy, and updated contractual relationships with vendors.

All Clio’s customers throughout the world, regardless of whether they reside in the EU, will have access to these heightened privacy protections. That’s because, Lenon says, Clio sees the GDPR as the new floor for data privacy worldwide.

Clio is not alone. With the May deadline looming, companies big and small are turning to their lawyers for guidance as they seek to comply with the new regulation. Additionally, European regulators, called data-protection authorities, are preparing for the post-GDPR era, in which they expect their enforcement authority to be significantly strengthened and expanded.

The GDPR replaces a 1995 EU directive with old and new provisions that cover topics as diverse as a right to be forgotten and an individual’s ability to confront automated decision-making systems.

For those previously compliant with European privacy law, the GDPR should not be a big concern, says Linda Priebe, a partner at Culhane Meadows in Washington, D.C. However, she adds, “a lot of folks were caught asleep at the switch.”


Even with a two-year compliance period, a 2017 survey by the International Association of Privacy Professionals, a nonprofit industry group, reported that about 60 percent of firms that think the GDPR applies to them “will be only partially compliant by the deadline.”

Priebe says the GDPR applies to “any entity that has customers, employees or potential customers in the EU” or the European Economic Area. With 99 articles, the breadth and depth of the regulation is immense.

In the United States, companies have struggled to adequately inform users of what data is collected and how it is used. Under the GDPR, a company must gain a user’s consent to collect their data through “a clear, affirmative act that is freely given, specific and informed,” Priebe says.

In one example, the Dutch Data Protection Authority stated Microsoft Windows 10 was noncompliant because the operating system didn’t “clearly inform users about the type of data it uses,” which meant “people cannot provide valid consent.” Microsoft challenged some aspects of the complaint but resolved “to cooperate with the DPA to find appropriate solutions,” according to the company blog.

Compliance can come at a cost, says Lokke Moerel, senior of counsel at Morrison & Foerster in Berlin. For example, businesses must create a register of their data-processing activities, but this step alone “takes much more time than they anticipated” and is not feasible for many, she says.

Further, some companies will need to appoint a data-protection officer, a designated role with direct access to senior management that oversees GDPR compliance. Others will require new technology, which will cost some Fortune 500 companies up to $1 million, according to a report by the law firm Paul Hastings. Failure to comply could be devastating: a company could be fined up to 4 percent of its global annual revenue (or 20 million euros, whichever is higher).

To understand the potential impact, consider the 2014 and 2015 hacks on Hilton Worldwide, which exposed the credit-card information of 350,000-plus customers. Because of the breach, New York Attorney General Eric Schneiderman fined it $700,000—about $2 per record. In 2015, the hotel chain reported $11.2 billion in revenue worldwide. Under the GDPR, the fine for the same breach could be as much as $448 million, or $1,280 per record.

As companies race toward compliance, data-protection authorities are ramping up.

In late 2016, many of Germany’s state-level officials sent surveys to 500 companies to collect information about international data-transfer practices. In December 2017, French regulators threatened to sanction WhatsApp for its data-sharing agreement with Facebook. And U.K. authorities launched an investigation into Uber after it was reported that the company covered up a 2016 breach that affected 57 million people. This all primes the pump for May 25.

As far as what to expect from authorities then, Moerel at MoFo says regulators could take various directions. And regardless of direction, expect them to act forcefully. “The data-protection authorities will need to make a statement,” she says.

This article was published in the March 2018 issue of the ABA Journal with the title “A New Era: Companies and their lawyers are bracing for a wide-ranging EU data-privacy law that takes effect in May.”
