Personal Data and the GDPR: Providing a Competitive Advantage for U.S. Companies

DOI: http://doi.org/10.1111/ablj.12139
Date: 01 June 2019
Authors: Kimberly A. Houser, W. Gregory Voss
Published date: 01 June 2019
American Business Law Journal
Volume 56, Issue 2, 287–344, Summer 2019
W. Gregory Voss* and Kimberly A. Houser**
The European Union’s General Data Protection Regulation (GDPR) became applicable in May 2018. Due to the GDPR’s extraterritorial scope, which could result in massive fines for U.S. companies, comparative data privacy law is of great current interest. In June 2018, California passed its own Consumer Privacy Act, echoing some of the provisions of the GDPR. Despite the many articles comparing the two schemes of law, little attention has been given to the foundation of these laws, that is, what exactly encompasses the data referred to by these laws? By understanding how the term “personal data” or “personal information” is defined in both jurisdictions, and why these definitions and the treatment of protected data are so different, companies can strategize to take advantage of these developments in the European Union. After explaining the differences in how data is treated in the United States and the European Union by exploring the definitions, regulations, and court cases, we will explore the five legal strategy pathways that companies might pursue with respect to the legal aspects of data transfer and privacy law compliance. While these strategies range from ignoring the law to adopting the European model worldwide, this analysis of legal strategy reveals a means for companies to gain a competitive advantage through their adoption of a worldwide compliance scheme.
*Associate Professor of Business Law, Toulouse Business School.
**Assistant Professor of Legal Studies, Oklahoma State University.
The authors wish to thank Laurie Lucas, Michael Schuster, David Orozco, and the ABLJ reviewers for their helpful comments.
©2019 The Authors
American Business Law Journal ©2019 Academy of Legal Studies in Business
287
INTRODUCTION
On May 25, 2018, the European Union General Data Protection Regulation (GDPR)[1] became applicable, and this proved to be a watershed moment in the area of data privacy.[2] A growing body of academic literature has examined the differences between data privacy laws in the United States and the European Union in relation to the GDPR.[3] Few articles, however, have explained the differences among protected data covered by these laws in a comparative data privacy context.[4] Since legal harmonization seems unlikely at this point due to the current political
[1] Commission Regulation 2016/679, of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data [hereinafter GDPR], 2016 O.J. (L 119) 1 (EU) (repealing Directive 95/46/EC (General Data Protection Regulation) (May 4, 2016)).
[2] See Kimberly A. Houser & W. Gregory Voss, GDPR: The End of Google and Facebook or a New Paradigm in Data Privacy?, 25 RICH. J.L. & TECH. no. 1, (2018), at ¶¶ [53]–[70], https://jolt.richmond.edu/files/2018/11/Houser_Voss-FE.pdf (discussing some of the main changes to EU data privacy law brought by the GDPR, including its extraterritorial scope).
[3] See, e.g., id. at ¶¶ [44]–[52] (drawing lessons from a comparison of past U.S. and EU data privacy enforcement actions for enforcement of the GDPR); Michael L. Rustad & Thomas H. Koenig, Towards a Global Data Privacy Standard, 71 FLA. L. REV. (forthcoming 2019), https://ssrn.com/abstract=3239930 (arguing that there are “affinities” between U.S. and EU data privacy law and seeing transatlantic data privacy convergence on several points); Paul M. Schwartz, The EU–U.S. Privacy Collision: A Turn to Institutions and Procedures, 126 HARV. L. REV. 1966, 1974–79 (2013) (commenting on transatlantic divergences after the proposal of the GDPR but before its enactment); Paul M. Schwartz & Karl-Niklaus Peifer, Transatlantic Data Privacy Law, 106 GEO. L.J. 115, 119–22 (2017) (taking the angle of “legal identities” on both sides of the Atlantic, in the context of transatlantic data trade); see generally Paul J. Watanabe, An Ocean Apart: The Transatlantic Data Privacy Divide and the Right to Erasure, 90 S. CAL. L. REV. 1111 (2017) (making a comparison of privacy law related to the GDPR’s right to erasure).
[4] One exception is a 2014 study by Professors Schwartz and Solove that proposed a new definition of personal information to harmonize the understanding of privacy in the two jurisdictions. Paul M. Schwartz & Daniel J. Solove, Reconciling Personal Information in the United States and European Union, 102 CAL. L. REV. 877 (2014) [hereinafter Reconciling Personal Information]. Since the publication date of Reconciling Personal Information, a number of factors have made harmonization unlikely such as the Snowden revelations, the Cambridge Analytica data breach scandal, the invalidation of the Safe Harbor, and the enactment of the GDPR. See infra Part II.C–D. The same two authors have also categorized elements of the definition of personally identifiable information (PII) in U.S. state data security breach notification laws. See DANIEL J. SOLOVE & PAUL M. SCHWARTZ, PRIVACY LAW FUNDAMENTALS 210–13 (2017).
environment, a new strategy for exploring these differences is necessary.[5] This article details the current differences among definitions of protected data through a comparative study of regulations and case law. This provides the foundation to conduct a legal strategy analysis, based on a framework established by Professors Bird and Orozco that allows firms to rationalize and derive advantage from the two divergent sets of laws and regulations.[6]

The effort taken to disambiguate the differences among definitions of protected data is worthwhile given the importance of the issue and the central role that the definition of “personal data” has in data privacy legislation as the basis for the scope of relevant laws and the development of corporate compliance programs.[7] For example, compliance departments must now map processed data, establish records of personal data processing, and comply with other GDPR requirements. Indeed, the greatest expense of GDPR compliance might involve auditing and classifying data, which hinges on identifying the types of data processed.[8] This in turn will depend on GDPR definitions of personal data and sensitive data, which differ from equivalent U.S. legal definitions.

As an illustration, certain pseudonymized information may be considered de-identified and thus not subject to legislation in the United States.[9]
[5] The GDPR became applicable on May 25, 2018. It repealed and replaced the 1995 Directive, which is the legislation the Reconciling Personal Information article references. Reconciling Personal Information, supra note 4 (addressing Council Directive 95/46, 1995 O.J. (L 281) (EC)).
[6] See infra Part VI. This framework divides the pathways of legal strategy into stages of increasing legal strategy. The stages are (1) avoidance, (2) compliance, (3) prevention, (4) advantage (or value), and (5) transformation.
[7] As Schwartz and Solove recognized, “‘Personal data’ is a central concept in privacy regulation around the world. This term defines the scope and boundaries of many privacy statutes and regulations.” Reconciling Personal Information, supra note 4, at 878. See also W. KUAN HON, DATA LOCALIZATION LAWS AND POLICY: THE EU DATA PROTECTION INTERNATIONAL TRANSFERS RESTRICTION THROUGH A CLOUD COMPUTING LENS 10 (2017) (commenting on the concept of “personal data” being critical under EU legislation); Christopher Wolf, Envisioning Privacy in the World of Big Data, in PRIVACY IN THE MODERN AGE: THE SEARCH FOR SOLUTIONS 204, 207–08 (Marc Rotenberg et al. eds., 2015) (commenting on the central nature of personally identifiable information (PII) in information privacy and the lack of uniformity of PII definitions in this area).
[8] See, e.g., The Cost of GDPR Compliance, HIPAA JOURNAL (May 4, 2018), https://www.hipaajournal.com/the-cost-of-gdpr-compliance/.
[9] See infra Part III.F.