
Page 1: The EU's General Data Protection Regulation (GDPR)

Belgium | China | France | Germany | Italy | Luxembourg | Netherlands | Spain | UK | US (Silicon Valley) | fieldfisher.com

The EU's General Data Protection Regulation (GDPR)

Why should I care? What is it? And how does it affect me?

Laura Berton and Gemma Chubb

Tuesday 6th October 2018


The EU's General Data Protection Regulation (GDPR)

Summary

1. Enforcement Actions, Regulatory Priorities and the Current State

2. GDPR - Back to Basics

3. Business Impact and How to Use it to Your Advantage


1 - Enforcement Actions, Regulatory Priorities and the Current State

Increased Enforcement Powers under GDPR

Enforcement Overview

Previously, fines varied by Member State and were comparatively low (the ICO's maximum fine was 500k GBP).

The GDPR significantly increases the maximum fine to €20 million, or 4% of annual worldwide turnover, whichever is greater.

National data protection supervisory authorities are also expected to coordinate supervisory and enforcement powers across the Member States, likely to lead to a more pronounced enforcement impact and risk for businesses.


1 - Enforcement Actions, Regulatory Priorities and the Current State

Actions by Privacy Advocates

noyb.eu

• On May 25, 2018, noyb.eu submitted a complaint against Facebook, Instagram, WhatsApp and Google alleging “forced consent.”

• Source: noyb, GDPR: noyb.eu filed four complaints over “forced consent” against Google, Instagram, WhatsApp and Facebook (May 25, 2018).

La Quadrature du Net

• Privacy complaint submitted against Google (Gmail, YouTube, and Search), Apple, Facebook, Amazon, and LinkedIn.

• Source: La Quadrature du Net, Dépôt des plaintes collectives contre les GAFAM! (Filing of collective complaints against the GAFAM!) (May 28, 2018).

Privacy International

• Using subject access request (SAR) rights, sent letters to Acxiom, Criteo, and Quantcast to understand how these companies are handling personal data under GDPR.

• Source: Privacy International, Privacy International launches campaign to investigate range of data companies that facilitate mass data exploitation, Press Release (May 25, 2018).


1 - Enforcement Actions, Regulatory Priorities and the Current State

Number of Complaints Received by Supervisory Authorities in the First 40 Days

[Bar chart: complaints received per supervisory authority, with the number of days covered in brackets: Czech Republic (26 days), France (24 days), Greece (34 days), Ireland (32 days), Netherlands (14 days), Poland (37 days), Romania (14 days), Slovenia (25 days). Bar values shown on the chart: 400, 426, 113, 385, 176, 756, 145 and 102; the pairing of values to countries is not recoverable from the text.]

Source: IAPP’s The Privacy Advisor, Cataloging GDPR complaints since May 25 (June 25, 2018)


1 - Enforcement Actions, Regulatory Priorities and the Current State

UK Data Protection Complaints More Than Doubled: Number of Complaints Received Between 25 May and 3 July

2017: 2,417

2018: 6,281

Source: EMW Law LLP, Data Breach Complaints to ICO More than Double on Year-on-Year After GDPR (August 28, 2018)


1 - Enforcement Actions, Regulatory Priorities and the Current State

Regulatory Actions for Pre-GDPR Violations

Facebook with Cambridge Analytica (ICO)

• “Due to the timing of certain incidents in this investigation, civil monetary penalties have to be issued under the previous legislation, the Data Protection Act 1998. The maximum financial penalty in civil cases under former laws is £500,000."

• Source: ICO, Findings, recommendations, and actions from ICO investigation into data analytics in political campaigns (July 10, 2018).

Theodoor Gilissen Bankiers (AP)

• Bank fined €48,000 for failing to respond in time to a customer’s request to access their data (subject access request, SAR).

• Source: Autoriteit Persoonsgegevens, TGB pays penalty payment after not meeting the request for perusal (August 9, 2018).


2 - GDPR - Back to Basics

General Data Protection Regulation

The Basics

The EU Commission presented its proposal in January 2012 as a replacement of the current Data Protection Directive 95/46.

The GDPR came into force on May 25, 2018.

It is a regulation and not a directive: its provisions are directly applicable in all Member States after this date even if there is no implementation law.

While the objective is to harmonise data protection laws, Member States retain the ability to introduce derogations in certain situations.


2 - GDPR - Back to Basics

Extra territoriality - Who does it apply to?

A non-EU business must comply with GDPR if it:

1. Has an establishment in the EU, where personal data is processed in the context of the activities of that establishment, regardless of whether the data is actually processed in the EU;

OR

2. Does not have an establishment in the EU, but its activities relate to offering goods or services to, or monitoring the behaviour of, individuals in the EU.


2 - GDPR - Back to Basics

Key Definitions (Art. 4)

“Personal Data”

• “Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

“Processing”

• “Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”


2 - GDPR - Back to Basics

What is Personal Data?

Just because you can’t identify an individual by name, it does not mean that it’s not personal data – anything generated about an individual and linked to a device ID/user name is personal data.

Examples:

• Household / family members (i.e. third parties), friends, colleagues

• HR records - information on disabilities/absence/maternity & paternity leave etc.

• Support or sales e-mails, texts, phone numbers, recorded calls, letters (content & traffic data)

• Payment and purchase history and other analytics captured in Poynt HQ

• Purchases made, store location

• Name / address, email address, bank account details

• Consumed media (music, games, apps), including social media


2 - GDPR - Back to Basics

Key players

• Data Processor - processes “on behalf” of the controller

• Data Controller - determines the “purpose and means” of processing

• Data Subjects - the individuals the personal data is about


2 - GDPR - Back to Basics

Key Data Protection Principles (Art. 5)

• Principles from previous law:

– Lawful, fair and transparent (tell people how you will use their data)

– Purpose limitation (only use data for specified purposes)

– Data minimisation (only collect the data you need for specific purposes)

– Accuracy (keep data accurate and up to date)

– Storage limitation (only keep data for as long as you need it for the specified purpose)

– Integrity and confidentiality (keep it secure)

• New principles of accountability, privacy by design & privacy by default


2 - GDPR - Back to Basics

What should you do now? Useful GDPR Checklist


3 - Business Impact of GDPR

Response to GDPR: Blocking Access


3 - Business Impact of GDPR

Response to GDPR: EU Subscription


3 - Business Impact of GDPR

Response to GDPR: European Experience

Source: Express.co.uk, How the EU is blocking your access to legitimate internet news sites (August 13, 2018).


3 - Business Impact of GDPR

Response to GDPR: European Experience

[Screenshots: USA Today when accessed from the EU; USA Today when accessed from outside the EU]


3 - Business Impact of GDPR

Facebook: GDPR and Cambridge Analytica Fallout

Source: MarketWatch, Facebook stocks drop roughly 20%, loses $120 billion in value after warning that revenue growth will take a hit (July 26, 2018).


3 - Business Impact of GDPR

Impact on business

B2B

• Being selected, i.e. competitive advantage

• Smoothing deal friction/accelerated closing

• Trust

B2C

• Trust impacting brand/PR

• Increased customer satisfaction

General health

• New uses of data, improving data mapping and data classification

• Better and rationalised processes, incl. better security

• Know your customers and partners


3 - Business Impact of GDPR

The Ripple Effect - Global Impact of GDPR

• On June 28, 2018, California passed the California Consumer Privacy Act of 2018 (CCPA), effective January 2020.

• On August 6, 2018, refinements to the CCPA were proposed by the California legislature.

• On August 24, 2018, the CCPA was further amended.

• Brazilian General Data Protection Law (LGPD), effective February 2020.

• India’s Personal Data Protection Bill, 2018, submitted for consideration to the Ministry of Electronics and Information Technology.

• On July 17, 2018, Japan and the EU successfully concluded negotiations on a reciprocal finding of an adequate level of data protection.


The EU's General Data Protection Regulation (GDPR) - What is it, how does it affect me?

Speakers

Laura Berton, Partner. M: +1 650 276 6039 E: laura.berton@fieldfisher.com

Laura is a European IP & Tech transactions lawyer based full-time in Silicon Valley. Over the past 15 years she has represented a wide array of companies in complex business transactions, innovative technology licensing and other technology-related contracts such as outsourcing, Cloud, SaaS, software development, digital media, e-commerce and data protection. She also often works with GCs, helping them navigate their move into new jurisdictions, smoothing the expansion process and adaptation to local legal practices. She has extensive experience of coordinating and managing foreign counsel and advising on multi-jurisdiction IP and technology projects.

Gemma Chubb

A European lawyer based in Fieldfisher's Silicon Valley office, Gemma practises across both data protection and general employment law. Gemma works closely with international household-name companies based in the US, advising on their global privacy strategies, management of data subject rights requests, data breaches, international data transfers, privacy notices, and handling regulator queries and investigations. Gemma has significant experience in both contentious and non-contentious employment advice. She advises U.S.-headquartered companies on all aspects of employment law, from day-to-day queries, the practical implications of TUPE and performance management issues to discrimination cases and large-scale redundancy and dismissal processes.