June 18, 2018

GDPR is Now Effective – How Will Regulators Enforce It?

What happened?

Today the EU General Data Protection Regulation (GDPR) goes into effect, ending the data protection landscape as we know it. This comprehensive privacy law applies directly to the 28 EU countries and companies established in or doing business in those countries. Unlike its predecessor, the GDPR applies to companies established outside of the EU that offer goods or services to individuals in the EU or monitor the behavior of individuals in the EU, such as through the use of cookies. The GDPR imposes a number of new requirements on companies and raises the stakes by imposing potential maximum fines of up to 4% of worldwide revenue.

It’s the end of the data protection world as we know it, and we (don’t) feel fine…

The law’s broad scope and stringent requirements have left many companies—particularly small- to medium-sized U.S. businesses with no physical presence in the EU—scrambling to implement the required privacy protections. According to surveys, the majority of companies, both within and outside the EU, are not compliant today. One April 2018 survey indicated that only 15% of companies surveyed are fully compliant. Non-compliance with the GDPR’s requirements carries particularly high risk, given the two-tiered fine structure of the GDPR, which allows regulators to fine companies the greater of up to 4 percent of their annual global revenue or 20 million euros for violations of the GDPR.

What do the regulators say?

While the potential to be assessed such massive fines has been a motivating factor for many companies, data protection authorities have sent mixed messages with regard to whether we can expect to see such high fines assessed right away. Some have indicated that should a company be subject to enforcement, if it made good faith efforts towards compliance, this would be a mitigating factor. The French data protection authority has reportedly stated that companies that have not achieved full compliance “can expect to be treated leniently initially provided that they have acted in good faith.” The Dutch data protection authority has similarly stated that while “no provision has been made in law for a grace period from compliance with the GDPR,” “an organisation can minimise and mitigate against the potential consequences and sanctions that they could face . . . [with a healthy] GDPR compliance programme. . . [and] a genuine commitment and best efforts to meeting their GDPR obligations.” On the other hand, Austrian data protection authority Andrea Jelinek, who is now the president of the newly formed European Data Protection Board (EDPB), held a press conference today and reportedly warned that “If there are reasons to warn we will warn; if there are reasons to reprimand we will do that; and if we have reasons to fine, we are going to fine.”

It’s not the end, it’s just the end of the beginning.

While statements from data protection authorities give us some insight into the enforcement approach that data protection authorities may take, a lot of open enforcement questions remain, including:

  • What will be the enforcement priorities?
  • What kinds of activities will trigger what level of fines?
  • Which EU regulators will be the most aggressive in enforcing the GDPR?
  • Will EU regulators train their attention on specific industries, and if so which ones?
  • What damages are plaintiffs entitled to in judicial actions arising out of GDPR violations?
  • How can an EU regulator claim jurisdiction over a U.S. company with no physical presence in the EU and no local representative?

U.S. companies should also pay careful attention to future EDPB guidance, rulings from the Court of Justice of the European Union, and enforcement actions that may help answer numerous substantive questions that have bedeviled companies trying to comply with vague provisions of the GDPR. Such questions include:

  • What does “large scale processing” mean?
  • How to reconcile conflicting requirements under the GDPR and the ePrivacy Directive?
  • Will courts require a de minimis threshold to trigger the GDPR’s territorial scope?
  • Are dynamic IP addresses considered personal data?
  • What constitutes a “legal effect” in the context of automated decision-making?
  • Do the data breach notification requirements cover personal data of EU residents collected while they were in the U.S.?

Now that the GDPR is in effect, we may finally get answers to these questions. At the same time, how EU regulators enforce the GDPR may create new privacy headaches for U.S. companies. For U.S. companies struggling to understand the GDPR, one thing remains certain: today marks the beginning, not the end of GDPR compliance.

Copyright © by Ballard Spahr LLP

About this Author

Philip Yannella, Ballard Spahr Law Firm, Philadelphia, Data Security Attorney
Partner

As Co-Practice Leader of Ballard’s Privacy and Data Security Group, and Practice Leader of the firm’s E-Discovery and Data Management Group, Philip N. Yannella provides clients with 360-degree advice on the transfer, storage, and use of digital information.

Mr. Yannella regularly advises clients on the Stored Communications Act (SCA), Computer Fraud and Abuse Act (CFAA), EU-US Privacy Shield, General Data Protection Regulation (GDPR), Defense of Trade Secrets Act, PCI-DSS, Telephone Consumer Protection Act (TCPA), New York Department of...

Odia Kagan, Attorney, Ballard Spahr law firm
Of Counsel

Odia Kagan combines her in-depth knowledge of privacy and data security regulations and best practices with her keen understanding of emerging and information technologies, to provide clients with practical advice on how to design and implement their products and services, consummate their M&A transactions, and engage third party vendors, in the US and abroad. She utilizes her ability to break down complex concepts into easy to understand action items to provide effective ongoing counseling to clients in their day-to-day operations.

With a transactional practice focus, Ms. Kagan negotiates cloud computing, outsourcing, and e-commerce agreements both on the vendor and on the client side, and prepares privacy and information security policies and procedures. A former partner in a Tel-Aviv, Israel law firm, Ms. Kagan has substantial experience working with Israeli start-ups and assisting multinational companies with cross border transactions.

Ms. Kagan is a Certified Information Privacy Manager (CIPM) and a Certified Information Privacy Professional in the laws of the United States – private sector (CIPP/US) and in the laws of the European Union (CIPP/E). She is also certified as a Fellow of Information Privacy (FIP) by the International Association of Privacy Professionals (IAPP). She serves on the board of advisors of Prifender, a privacy compliance startup. Ms. Kagan also serves on the Publications Advisory Board of IAPP, and is co-chair of the IAPP's Philadelphia KnowledgeNet chapter. She serves as co-chair of the Philadelphia Bar Association Business Section's Cyberlaw Committee.

Roshni Patel, Attorney, Privacy, Data Security, Ballard Spahr Law Firm, Washington DC
Associate

Roshni Patel advises clients on privacy and data security matters. She helps companies maintain compliance with federal and state laws and regulations, including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Children’s Online Privacy Protection Act, and California’s Online Privacy Protection Act. She also counsels companies on industry standards, such as the Payment Card Industry Data Security Standards (PCI-DSS), and evolving Federal Trade Commission and Consumer Financial Protection Bureau standards related to privacy and data security. Ms. Patel routinely drafts privacy...
