The General Data Protection Regulation (GDPR), agreed upon by the European Parliament and Council in April 2016, will replace the Data Protection Directive 95/46/EC in Spring 2018 as the primary law regulating how companies protect EU citizens’ personal data. Companies that are already in compliance with the Directive must ensure that they’re compliant with the new requirements of the GDPR before it becomes effective on May 25, 2018. Companies that fail to achieve GDPR compliance before the deadline will be subject to stiff penalties and fines. Choosing the right advisors to navigate through the regulatory maze can spell the difference between thriving and flailing. To meet this business imperative, Barton LLP has created its GDPR Compliance Group.
The GDPR, which will be fully implemented on May 25, 2018, is a data protection law for all 28 EU Member States that affects all organizations that create, receive, store or in any way use electronic information concerning individuals who reside in the European Union (“E.U.”). In effect, then, the GDPR applies to every US company with a website that markets to, has facilities in or does any business over the internet in the 28 countries of the E.U. The GDPR asks a lot of these companies, in the interests of transparency, concerning how companies will use, store and disclose data they obtain about customers and employees. Obligations, which must be documented, comprise a data privacy impact assessment; preparation of policies and procedures prepared with privacy by design; protocols for cybersecurity; processes for obtaining consent for data uses and withdrawal of consent; review and revision of vendor agreements; a vendor management procedure; and security incident response and breach notification protocols.
Violation of the GDPR is punishable by fines that can reach 4% of annual gross revenue, or €20 million, whichever is greater. Courts in Europe, like data protection authorities, have joined the data protection initiative. The Court of Justice of the European Union invalidated the EU-US Safe Harbor program for data transfers to the US in 2015, and on September 5, 2017 the Grand Chamber of the European Court of Human Rights (which has jurisdiction over virtually every country in Europe, including Russia and Turkey) ruled in Barbulescu v. Romania that employers must provide detailed notice to employees before employee email and electronic message use is monitored. The notice, the court held, is required to protect workers’ privacy rights pursuant to Article 8 of the European Convention on Human Rights. The Court, in overruling Romanian courts and even a prior decision of the Court of Human Rights itself, set forth detailed criteria for the required notice. A business rationale for the monitoring must be stated, safeguards for the privacy of the employees must be clearly explained and implemented, and any penalties stemming from the surveillance must be proportionate (i.e., termination for first-time minor violations may violate the Court’s criteria).
“Our clients in Europe as well as the U.S. with business interests in Europe have told us that GDPR compliance is a top-of-mind business concern,” said Managing Partner Roger E. Barton. “The formation of this practice group was driven by these client needs.” Ken Rashbaum, head of the practice group, added, “It’s easy for a company to become ensnared in these regulations. Because of our depth of experience in this area across a spectrum of industries and within the litigation, transactional and compliance frameworks, we can provide a uniquely tailored solution aimed at advising, coordinating and managing GDPR regulatory compliance initiatives. These include data risk and privacy impact assessments, review of vendor contracts with revision as necessary, development of breach response protocols and coordination of digital information management in a way that doesn’t interfere with the business operations and, in fact, enhances business opportunities by showing potential customers that the company takes privacy and security seriously and can be trusted with customer data.”
Members of the GDPR Compliance Group also include Jason A. Cohen, a partner with extensive experience in large-scale project management focused on data management and coordination, as well as regulatory defense and litigation; Associate Liberty McAteer, a technology-focused transactional attorney with deep and current coding credentials and experience; and Elise Balaban, an associate with both transactional and regulatory experience. Led by practice head Ken Rashbaum, this uniquely aligned group of attorneys will bring to bear a tool set of skills organically developed from their respective practices in compliance, litigation, transactional and project management and coordination settings.
It is easy to see how a US company, with little experience in relations with European employees, could inadvertently violate this ruling with a US-style broad policy that states generally that the employer may monitor email at any time. The Barton GDPR Compliance Group will monitor court and regulatory rulings and advise its clients so that they won’t trip over GDPR and other privacy snares while doing business in Europe and with European citizens.
For additional information on the GDPR Practice Group, please contact Kenneth N. Rashbaum.