Today I attended The Master's Conference in Manhattan at the Benjamin N. Cardozo School of Law of Yeshiva University. One of the events at the conference was a discussion entitled "Achieving GDPR Compliance: A Finish Line or a Starting Line?" The panel consisted of Kenneth Rashbaum, a partner with Barton LLP and an adjunct professor at Fordham University's School of Law; Rachel Sims, an associate with Blank Rome LLP, who helps clients manage data privacy risks; Debbie Reynolds, a Data Privacy Officer for Eimer Stahl LLP and an adjunct professor in the eDiscovery Certificate Program at the Cleveland-Marshall College of Law; and Jonathan Wright, QPharma's Chief Legal Officer. The moderator was Tom Matzen of The Matzen Consulting Group.
The group used common acronyms related to the GDPR as a jumping-off point for a wider discussion on the implications of the GDPR.
DPIA - Data Protection Impact Assessment
DSAR - Data Subject Access Request
SA - Supervisory Authority
DPO - Data Protection Officer
BCRs - Binding Corporate Rules
PS - Privacy Shield
Rashbaum began the discussion by emphasizing that any company doing business in Europe will be covered by the GDPR. Rashbaum used to specialize in HIPAA regulations, and he noted that HIPAA was based on European data privacy regulations.
Sims noted that in her experience many companies have difficulty understanding that under the GDPR in the European Union individuals, not businesses, have control of their own data. She noted that the definition of personally identifiable information includes IP addresses; email addresses; and web tracking data, such as cookies. Matzen noted that in France information about one's union membership could qualify as PII as well.
Rashbaum emphasized that stricter national legislation passed under the prior European data privacy regulations (which only specified a minimum standard) would remain in effect under the GDPR. In his view, the GDPR is not a cost center but a business opportunity: European clients will insist that GDPR standards be met or take their business elsewhere.
Reynolds pointed out that becoming GDPR compliant was not simply a matter of checking off clear requirements on a list. Some people she works with make the mistake of thinking that a country's position on a whitelist of jurisdictions deemed adequate for overseas data transfers means that GDPR compliance has been achieved.
Matzen talked about how a DPIA should consist of more than just a data map, but that such a map might be essential to the assessment. Rashbaum recommends that clients perform a gap analysis (a comparison of what the information systems currently do against what the business requires, to determine whether business requirements are being met). He said that many of his clients find that 'off the grid' apps are a problem: individual departments purchase software applications that collect data without the rest of the organization being aware of it.
Matzen stressed that companies have to get rid of data they are not legally required to keep or do not have an ongoing business use for. Retaining data for possible future analysis is not acceptable.
Reynolds finds that some IT people are not candid with her about the existence of back-up tapes, because they are concerned they will get into trouble for not complying with information governance regulations.
Wright discussed the incident involving WhatsApp in which it was found to lack an Article 27 representative. An Article 27 representative acts as the point of contact for both the EU authorities and customers. The panel discussed the potential liability of Facebook, which owns WhatsApp.
Matzen noted that the high fines a company can be required to pay under the GDPR have already been the motivation for ransomware attacks.
Reynolds observed that there are six lawful purposes for processing data under the GDPR (consent; contract; legal obligation; vital interests of the data subject; tasks carried out in the public interest; and other legitimate interests that are not overridden by individual rights), which may come into conflict with the needs of electronic discovery. She worked on a case collecting data in France where she was restricted to email messages sent in a one-year period, and only those which were marked as having been read. She hoped that the proposed CLOUD Act would resolve such problems for American courts.
Rashbaum's experience as a lecturer for the Federal Judicial Center taught him that there is a lack of knowledge about cross-border discovery among legal authorities, and judges are very impatient with the limitations of such discovery. Rashbaum stressed the importance of bringing up cross-border discovery issues in the Rule 26(f) conference. Blocking statutes are not specifically mentioned in the GDPR, but blocking statutes in France and Switzerland prevent their citizens from complying with discovery orders. Companies should be worried about actions taken directly by the Irish Data Protection Commission, France's Commission Nationale de l'Informatique et des Libertés (CNIL), or Italy's Data Protection Authority (Garante per la protezione dei dati personali). Recently Rashbaum has found that Britain's Information Commissioner's Office has been more aggressive about enforcing privacy regulations than CNIL.
Reynolds anticipates that the 72-hour data breach notice requirement of the GDPR will be adopted more widely, and Rashbaum said it was already in effect in New York State and Colorado, and that New Jersey was considering such legislation.
There was also some discussion about the status of attorney-client communications that may be subject to cross-border discovery. Rashbaum noted that in France attorneys are no longer considered practicing members of the bar when they become in-house counsel. He referred to Magistrate Judge James Francis' decision in In re Rivastigmine Patent Litig., 237 F.R.D. 69 (S.D.N.Y. 2006), which discusses privilege laws in 37 different countries.
Reynolds concluded with an observation that the other members of the panel agreed with: companies such as Facebook and Google will get fined under the GDPR not because they receive poor legal advice but because they have trouble executing the data protection measures they know they need.