Europe’s New Data Protection Regulation
By: Patrick Del Duca and Gediminas Ramanauskas, Zuber Lawler & Del Duca LLP, Los Angeles, California
Submitted by the International Law PAC
Europe has been a leader in privacy and data protection initiatives for the last 45 years. In reaction to state surveillance practices in some countries during and following World War II, Europe today protects privacy as a fundamental human right. European law accordingly mandates that use of personal data of Europeans conform to specific requirements of privacy law.
After four years of deliberations, on April 27, 2016 the European Parliament and the Council of the European Union (EU) adopted the General Data Protection Regulation 2016/69 (the “Regulation”), redefining the protection of the fundamental right to privacy of European citizens. Published in the EU Official Journal May 4, 2016, the Regulation provides a two-year grace period, until May 25, 2018, for businesses and others to achieve compliance. The Regulation is directly applicable; unlike the heretofore applicable Directive, it requires no national implementing legislation to take effect. The Regulation’s scope extends beyond European borders: it will apply to any business targeting European customers or processing European employees’ data, even a business with no European-based data manager and no European-based technology handling the personal data. The Regulation can be enforced with hefty fines, up to 4% of a business’s annual worldwide revenues per breach.
1. “Privacy by design” and other core privacy principles such as data minimization, accuracy, storage limitation, and accountability must become part of product, technology and software development stages, and project management practices. This requires review of data protection management strategy, notices and consents, website terms and conditions, data retention policies and procedures.
2. In line with the European Court of Justice’s May 13, 2014 Google Spain ruling, privacy policies and daily practices must incorporate the right “to be forgotten”. The Regulation requires a data manager to address a data subject’s reasonable request to identify, locate and delete personal data and links to it.
3. Data breaches must be communicated to the data protection authority within 72 hours of creation of significant risk for the data subject.
4. A Data Protection Officer must be appointed when processing of personal data is a core activity and where sensitive data is processed on a sufficient scale.
5. Technical and organizational measures to ensure security appropriate to the risk are required. Adherence to an approved code of conduct or an approved certification mechanism may demonstrate compliance.
6. For the first time data processors, i.e. businesses handling personal data solely for and on behalf of data controllers, will be liable for failure to comply with obligations related to accountability, engagement of sub-processors, data security and data breach notification.
7. A business processing personal data of residents of multiple EU Member States will be subject to a lead Data Protection Authority, generally that of the Member State in which it is headquartered, and will deal with that authority on compliance matters generally.
8. The Regulation establishes a consistent, common and directly applicable body of privacy rules intended to ensure more consistent and effective privacy enforcement procedures within the EU. In furtherance of this goal, the Regulation will eliminate often cumbersome and distinct systems of notification of data processing activities in the EU Member States. In contrast, the Regulation focuses on a uniform obligation to maintain accurate internal records of major data processing activities.
What Should Companies Do?
Global businesses, not just European businesses, should:
1. understand how the business may be subject to the Regulation, which deepens the substance and geographic reach of EU privacy law;
2. conduct an internal gap analysis of current privacy and data protection management practices relative to the new requirements and data subject rights under the Regulation; and,
3. develop a broader global privacy and data protection compliance program that incorporates attention to the Regulation.
The Regulation’s adoption coincides with the new draft of an EU-US Privacy Shield on Cross-Atlantic Data Transfers, proposed by the US Department of Commerce. This document, pending approval of the European Commission, has attracted both criticism and support from European data protection authorities, businesses and European citizens. One example of the many factors that the European Commission will assess in determining whether to approve the Department of Commerce’s proposal of a safe harbor set of parameters governing EU/US data transfers is the US Supreme Court’s April 2016 modification of Federal Rule of Criminal Procedure 41, which broadens the ability of federal judges to issue warrants remotely to search computers even outside the territorial jurisdiction of the court; the modification will take effect December 1, 2016 absent Congressional action.
We inhabit a world of daily international transfers, cloud computing, big data and online behavioral advertising. The Regulation seeks to facilitate greater accountability, transparency, efficiency and control for individuals to manage their personal data. Since the Regulation will apply extraterritorially to data managers and data processors targeting European customers, early implementation of a privacy and data protection compliance program consonant with the Regulation should serve to mitigate the risk of significant enforcement consequences, as well as to maintain a solid corporate reputation. The two-year period from the Regulation’s publication to its effectiveness is now counting down, offering a useful but closing window to develop a comprehensive cross-border privacy and data protection management strategy and program.
Patrick Del Duca, a partner of Zuber Lawler & Del Duca LLP, has advised publicly traded and closely held entities, within the United States, Europe and Latin America, on compliance issues. Trained in both common law (Harvard) and civil law (Bologna), he is fluent in French, Italian and Spanish and reads Portuguese, and earned his Ph.D. in law from the European University Institute in Florence, Italy.
Gediminas Ramanauskas is a European attorney working with Zuber Lawler & Del Duca LLP. He focuses on cross-border data privacy and cyber security matters. He has extensive experience, spanning the EMEA countries, with privacy audits, IT security risk reduction, web compliance, Trans-Atlantic data processing agreements, and the Privacy Shield. He is a certified information privacy professional and privacy program manager in the United States and Europe (CIPP/US/E, CIPM). An LL.M. graduate of UCLA Law School and recipient of advanced training at the Munich Intellectual Property Law Center, his languages in addition to English include fluency in his native Lithuanian and Russian, as well as proficiency in Spanish.