It’s been five years since GDPR was put into effect, with consequences reaching far beyond the European continent. Data privacy is now a top consideration for international businesses, as countries continue to develop new policies to clarify the rules of regulation. In the U.S., six states have already enacted their own privacy protections as of January 1, 2023. But what has the industry learned from data privacy compliance so far, and what is the state of GDPR today?
Jonathan Armstrong, a partner at U.K. compliance law firm Cordery who advises on eDiscovery, investigations, and GDPR issues, addressed our PIIP 2023 audience with a fascinating review of international trends to watch, considerations for U.S. businesses operating globally, and predictions for U.S. data privacy regulations and enforcement. Enjoy this lightly edited summary of his comments.
GDPR became effective in May 2018 – where are we now?
What we saw in the first year or so is a steady growth in GDPR cases, and there’s been a dramatic increase in GDPR activity. As of February 14, 2023, there were 1821 fines recorded; overnight, that figure went up to 1837. We’re already well over 2.6 billion Euros worth of fines since GDPR came in. One of the great myths when GDPR was introduced was that it’s a law about data security, that it would be concerned with data breaches, and that as long as you keep data secure, you’re fine. However, that wasn’t the case.
Only one of the top six GDPR fines involved a data breach. For example, H&M, while not in the top six, had one of the biggest fines (although it did not involve a data breach). Instead, the regulators have been focusing on transparency and lawfulness of processing. In an eDiscovery or an investigation setting, they’re the two key themes that are hard to get right. For example, if you are involved in litigation and you are going to disclose employee emails, do you want to be transparent with them, and how does that help the litigation? If you’re in an internal investigation, many organizations, particularly those that are government-led or supervised, will be reluctant to tell employees exactly what might happen to their data (and to them) because they might not then cooperate with the investigation.
So, how do you square those circles? And in the olden days – three years ago – it was relatively easy because your jeopardy was less under GDPR since the average level of fine was lower. Now you can get fines that are substantially worse than the consequences of let’s say a sanctions order from a U.S. court because you haven’t obeyed discovery rules. So, I think the equation is starting to look a bit complicated and as a result, I’m seeing more people investing more time in trying to get the ground rules when they’re looking at eDiscovery and investigations.
Have GDPR issues become more challenging?
The stuff that I’m seeing across my desk has increased in complexity. I was recently with another law firm looking at some really challenging issues around conflicts between orders from judges in the U.S. who don’t want to listen to GDPR-type issues and then try to square the circle of a related entity in the U.K., knowing that it’s going to breach GDPR if the U.S. order is observed.
Often there is an elegant solution that enables you to please both audiences, but that’s not always the case. And I think these discussions are getting much tougher now – do you observe your transparency obligations, or do you follow what a U.S. court or a U.S. regulator wants you to do? Unfortunately, I think these challenges are going to increase.
The difficult cases involving Meta tend to take the law in a different direction. And so, you might say, “that’s all very well, but I’m a U.S. attorney in a U.S. law firm acting for U.S. corporations. Why should I listen to any of this GDPR stuff? Why should I be concerned about it?” As a general rule, it’s hard for any U.S. corporation or U.S. law firm to conduct their operations without applying GDPR.
Where does data residency fall on the list of regulatory priorities?
We’re seeing more data residency laws, some following conflict or repressive regimes. In the ENRC case, the judge seemed to say that it was a law firm’s professional obligation to look at where data was going to be located and possibly where that data will be reviewed. This case was specifically around section two powers that the SFO has, but it’s easy to see a judge extrapolate that into a general duty to look at the powers of review. And of course, sometimes we review in different countries, and we might review data in country X because we don’t want to travel to country Y to review the data and put people at risk. We might review in location A because we know we can get low-cost staff, or we might review in location B because they’ve got the language skills we need. I think we have to add the legal implications of data residency as part of that equation.
How do you stay on the right side of international data privacy laws when handling data transfers?
Data transfer is another key issue. You might remember Max Schrems – the Austrian law student who took on Facebook and led to the collapse of Safe Harbor second installment and Privacy Shield. He’s still actively looking at data transfer related issues, so when you’re transferring data from the EU to the U.S., you’re going to have to do double due diligence.
You’re going to have to look not only at the location that you’re transferring data from – let’s say the U.S. and its laws – but also at the organization you’re transferring data to. You’ll need those two bits of due diligence in place, along with some sort of agreement, which might be standard contractual clauses. There’s a new version of those: if it’s a U.K. to U.S. data transfer, it will need to be an International Data Transfer Agreement (IDTA), broadly the same as SCCs. And there’s a workaround if you’re transferring both at the same time.
Should we expect a new EU data privacy framework to emerge?
There is a theory that we will have a new scheme in place – Safe Harbor 3, Privacy Shield 2, also called the Data Privacy Framework (DPF). Some people in the European Commission are trumpeting this, and President Biden has made executive orders which make DPF more likely. However, an influential committee of EU parliamentarians have said that they weren’t happy with DPF. I think that will put the timescale back for DPF. Will it face a challenge? Yes. And almost certainly that challenge will be successful, at least insofar as DPF is limited.
When I interviewed Max Schrems, he said that Privacy Shield was just Safe Harbor with flowers on it and it would be struck down. It was. I think he has similar thoughts about DPF and he’s probably right. I think there are real issues over the judicial redress clause, which doesn’t resemble a court, even if you call it a court. Some of the other aspects of the executive order might not play well with European courts. We’re also seeing customers and clients demand answers on data transfer because they know that the risk is high. So, our law firm clients are getting asked more and more questions about how we intend to transfer data. It’s an increasing feature of cases, and there are some class actions kicking about as well.