A New Era
| Author | Jason Tashea |
| Pages | 34-35 |
34 || ABA JOURNAL MARCH 2018
Business of Law
PHOTOGRAPH BY DEVON CASS
A New Era
Companies and their lawyers are bracing for a wide-ranging EU data-privacy law
that takes eect in May By Jason Tashea
A PENDING EUROPEAN UNI ON
LAW HAS COMPANIES ACROSS THE
GLOBE rev iewing how they collect and
protect user data .
The General Data Protec tion Regulation “is without
a doubt, the biggest, most wide-i mpacting regulation in
the area of data protec tion in the history of the world,”
says Joshua Lenon, lawyer in residence at Clio, a prac tice
management softwa re company in Vancouver, British
Columbia. The regulation
goes into eect on May 25.
Over the past two yea rs,
the Clio team has c onducted
a top-to-bott om review of
its products to be compliant
with the GDPR, which aect s
the collection, storage, t rans-
fer and deletion of personal
data. Clio’s process twea ked
“client-facing” features on
the platform, revamped it s
privacy policy, and updated
contractual rel ationships
with vendor s.
All Clio’s customers
throughout the world,
regardless of whether they
reside in the EU, will have
access to these heightened
privacy protect ions. That’s
because, Lenon says, Cl io sees
the GDPR as the new floor for
data privacy worldwide.
Clio is not alone. With the
May deadline looming, companies big and sma ll
are turning to t heir lawyers for guidance as they seek
to comply with the new regul ations. Additionally,
European regulat ors, called data-protection authorities ,
are preparing for the post- GDPR era, in which they
expect their enforcement author ity to be significantly
strengthened and expa nded.
The GDPR replaces a 1995 EU directive w ith old
and new provisions that cover topics a s diverse as a
right to be forgotten and a n individual’s ability to
confront automated decision-mak ing systems.
For those previously compliant with Europe an
privacy law, the GDPR should not be a big concern,
says Linda Priebe, a pa rtner at Culhane Meadows in
Washington, D.C. However, she adds, “a lot of folks
were caught asleep at the swit ch.”
RACING TOWARD COMPLIANCE
Even with a two-year c ompliance period, a 2017
survey by the Internat ional Association of Privacy
Professionals, a nonprofit industry g roup, reported
that about 60 percent of firms that t hink the GDPR
applies to them “will be
only partial ly compliant
by the deadline.”
Priebe says the GDPR
applies to “any entity that
has customers, employees
or potential customers in
the EU” or the European
Economic Area. Wit h 99
articles, the brea dth and
depth of the regulation is
immense.
In the United States,
companies have struggled
to adequately inform
users of what data is col-
lected and how it is used.
Under the GDPR, a com-
pany must gain a user’s
consent to collect their
data through “a clear,
armative ac t that is
freely given, speci fic and
informed,” Priebe says.
In one example, the
Dutch Data Protec tion Authority stated Microsoft
Windows 10 was noncompliant because the operat ing
system didn’t “clearly inform user s about the type of data
it uses,” which meant “people cannot provide va lid con-
sent.” Microsoft challenged some aspe cts of the com-
plaint but resolved “to cooperate w ith the DPA to find
appropriate solutions,” according to the company blog.
Compliance can come at a cost , says Lokke Moerel,
senior of counsel at Morrison & Foerster in Berli n.
For example, businesses must create a reg ister of
their data-processing a ctivities, but this step alone
“takes much more time than t hey anticipated” and
is not feasible for many, she says.
Technology
The new data regulation should
not be a big concern, but “a lot
of folks were caught asleep
at the switch.” —Linda Priebe
To continue reading
Request your trial