The legal landscape for U.S. data privacy is changing rapidly. California led the way in 2020 with the California Consumer Protection Act (CCPA), followed by the California Privacy Rights Act (CPRA), effective January 1, 2023. Now, five additional states have enacted stringent privacy protections and many more are actively debating proposed laws and regulations. Considering the climate for litigation and regulatory enforcement in the U.S., what should we expect to see in the coming months and years?
Jonathan Armstrong, a partner at U.K. compliance law firm Cordery who advises on eDiscovery, investigations, and GDPR issues, addressed our PIIP 2023 audience with a fascinating review of international trends to watch, considerations for U.S. businesses operating globally, and predictions for U.S. data privacy regulations and enforcement. Enjoy this lightly edited summary of his comments. To read Part 1 about GDPR trends, click here.
How does GDPR jurisdiction apply to U.S.-based businesses?
GDPR will apply if an organization has an EU or U.K. subsidiary handling data, even if that processing takes place outside the EU, such as at the mothership in the U.S. GDPR will also apply if the organization is offering goods and services. So, if you are a U.S. law firm and you have clients in the EU or the U.K., then GDPR is going to apply to you. Monitoring behavior is subject to a number of cases going through the courts at the moment, but it might be the case that even something as simple as allowing your website to be viewed by people in the EU or the U.K. and putting cookies on their machine will be enough to put you in the GDPR jurisdiction.
As a footnote, remember that if you’re in the GDPR jurisdiction, then you have to appoint a data protection representative (DPR), which is not the same as a DPO. A DPR is a liaison for regulators. We’re seeing a real concentration of regulators looking at the DPR provisions. We have a U.S. corporation having difficulty with an EU regulator for not appointing a DPR, even though external counsel advised them that a DPR wasn’t necessary. I think that the external counsel unfortunately got that equation wrong; however, the regulator is convinced that that was the wrong decision and we’re being criticized for that decision not to appoint a DPR made four years ago. So, if in doubt, appoint a DPR and add that extra bit of compliance assurance to your investigation or litigation.
Should U.S. companies pay attention to the GDPR’s six data protection principles?
Even if you’re not subject to GDPR, there’s still a benefit in understanding the six principles – to be honest, a lot of it is common sense and good practice to make your organization or client more robust. For example, if we take one principle of data minimization, obviously if you hold less data then you are less likely to have GDPR issues. And if you hold less data, then eDiscovery is going to be less onerous because there will be less data to disclose. I think there’s often an advantage in looking through the six GDPR principles and almost trying to rule your life by them. If you use those principles and question yourself whenever you’re handling data, that will reduce risk in the U.S., the EU, and the U.K.
Drawing parallels between a pre-GDPR Europe and the current state of privacy in the U.S, should the U.S. be more concerned about states that install the most stringent privacy protocols or those with the least? And, which mismatch poses the greatest risk?
GDPR came in to try and resolve the differences that we had between nation states, which in some respect mirror the differences in the U.S. as different states enact their own privacy laws. But what we’ve seen with GDPR is there’s still disharmony, partly because individual countries were allowed to add their own provisions in addition to the GDPR skeleton. That’s why we have criminal offenses in the U.K. that mirror existing legislation and partly because regulators may react to the same body of law differently. So, you might look at somewhere around 600 cases in Spain, only 11 of which are are over a million Euros and contrast that with Luxembourg, which has only brought maybe 10 cases, a small fraction of that 600 or so, but involve 700 million Euros. We’re always going to get divergence wherever we have separate regulators.
I think one of the lessons learned from the U.S. is even if we think that federal law’s going to come in and unify the law, who’s going to enforce it? Is it going to be enforced differently in diverse areas or are we also going to have a federal system of enforcement and tell the state AGs to back off? I think there are some real lessons to be learned from granular regional laws to some overarching law. That’s led to no uniformity at all.
Maybe one of the worries from a U.S. point of view is that federal privacy law will come in and save the day. Maybe it will make life easier. Maybe you won’t have to have this DPF discussion, this whack-a-mole game of new scheme, the Schrems attack, court hits it down, start again. Maybe it eases issues like that, but will it bring harmony and uniformity across the U.S.? I doubt it.
Is there a movement to streamline data transfers between the U.K. and U.S., and the EU to the U.K.?
I think that there is definitely a recognition that there is a need to do something better and more meaningful about data transfers. I think the U.K. regards one of the Brexit benefits as the ability to do its own deal with the U.S., and that has all sorts of potential implications for the EU adequacy decision. I don’t think those concerns are as great as some people think because the rules say that the U.K. has to be adequate, not identical to the EU GDPR regime.
I believe that we have people in the U.K. government who don’t truly understand these issues. They’ve obviously lost their data transfer expert recently. But there is a wish for the U.K. to make it easier for businesses to export data from the U.K. to the U.S. and I think we can expect further announcements on that soon. As far as the EU to the U.S. is concerned, there are certainly still many people who are sympathetic to the assertions that Schrems has made regarding concerns about transferring data to the U.S. I don’t think there was a uniform round of applause for DPF when it was announced.
I think the fact that we’ve had this critical report and we have an EDPB report to come in the next couple of weeks so expect that to have a rocky road. I think we’re going to get another area of divergence where the U.K. might find it easier to streamline data transfers to the U.S. than the EU does. And that’s something that we’re all going to factor into our decisions on where reviews take place, where data is collected, and where it’s stored. We’re going to have to look at those strategies in a much more complex way.
How should U.S.-based companies assess and address data privacy regulatory risk in 2023?
What we’re increasingly seeing is that there are no home games with regulators, and many of U.S. lawyers (and many of our clients) have focused on understanding our home regulatory regime. So, if I am head of compliance at a Fortune 100 company based in the U.S., that might be me understanding memos from the DOJ. It might be me understanding what the SCC is up to. It might be me looking at the shenanigans at the FTC and understanding the direction of travel there. In my experience, U.S. corporations have generally been better than almost any other country at assessing the regulatory risk and the different compositions of those regulators and work out what that might all mean for them as a corporation.
However, the difficulty they now have is there are no home games (or very few) anymore. If you are Meta, you have threats from the FTC, but you also have regulators in Europe levying 1.6, 1.7 billion Euros worth of fines and interrupting your business model, taking some of the reassurances out of online behavior advertising, which is suppressing revenue and hitting your bottom line. U.S. as law firms must understand that they might be playing in a different country to a different set of rules. There’s certainly more pressure to do more with less. We face that as law firms, because of issues like the great resignation, quiet quitting, and because some of our associates want to work on their terms, not ours.
Our clients are feeling that pressure as well. Whenever I speak to my quarter, they’re expecting this year to be particularly brutal. Many of my clients look for cost savings in October onwards when they know they are going to have a bad year. I’m seeing many of them looking at cost-cutting measures in Q1. That seems to be a sign that they think 2023 is going to be rocky and they’re under pressure to do more with less. Data protection is being used as a weapon and as a shield, and people are using that to do pre-action discovery on the cheap to work up cases that they can then sell to litigation funders to bring more class actions. We’re seeing rising professional obligations as turning up of the judicial and regulatory scrutiny on lawyers, law firms, and our clients.
But the good news: all of this brings opportunities as well. Just as our clients are facing bigger subject access requests, there’s an opportunity to use all the good technology to try and streamline those processes. Just as we have more jurisdictional issues around handling data lawfully and structuring investigations in the right way, there’s also an opportunity to do front end consulting to make sure that people get that right. As the consequences become greater, there’s an opportunity to talk to organizations at the highest level about their data handling strategy. There is promise out there in 2023. But I think it’s a year of many challenges and a year when we’re going to have to look at our compliance strategy in a much more authoritative way.