In 2016, new privacy, cybersecurity and/or data security legislation passed or became effective in a number of countries, some adopting data security measures for the first time. Several countries adopted cybersecurity focused measures with criminal penalties, hoping to more effectively combat cyber-attacks. Other countries implemented or strengthened regulations on the collection and handling of their citizens’ personal data. Some countries adopted rules regarding cross-border data transfers, the use of big data analytics and the in-country storage of residents’ personal data. Still others adopted mandatory data breach notification laws for the first time.
The new legislation approved in 2016 that is likely to have the most impact on U.S. companies doing business globally is the European Union’s General Data Protection Regulation (GDPR). Effective in early 2018, the GDPR affects any business selling goods and services in Europe, specifically those that store, process or transfer any kind of personal data of EU citizens, from posts on social media to payroll processing to medical records. Key GDPR provisions require businesses to implement (i) an inventory and record keeping system for all personal data of EU citizens that they process and (ii) a process to identify and erase personal data upon an individual EU citizen’s request to be “forgotten.” A business will need technology and data mapping to successfully implement requests to be forgotten as required by GDPR. Once this technology is in place, many advocates wonder if businesses will offer U.S. citizens the right to be forgotten. In 2017, look for leading data security protection states like California and Massachusetts to consider whether a right to be forgotten mandate should be adopted for their residents.
GDPR also requires businesses to have data protection officers, who inter alia conduct regular privacy impact assessments, and includes breach notification provisions, which are an import from the United States data protection regime. Under GDPR, businesses will be required to notify EU residents when a security breach occurs involving their personal data. These GDPR breach notification provisions are likely to have a tremendous impact, not unlike the impact California’s initial breach notification law had when it took effect in 2003. The publicity of breach events in the EU is expected to result in increased litigation, including class actions.
To prepare for GDPR, a business doing business in the EU should be conducting comprehensive risk assessments in 2017 to identify and fill gaps in its data protection program. Some companies may need a full year to remediate, implement and test GDPR compliant procedures and policies, which may include purchasing new technology.
Also new this year for US companies doing business in the EU is Privacy Shield, which governs the transfer of EU citizens’ personal data to the United States. Privacy Shield replaced the EU/US Safe Harbor framework, which was struck down by the European Court of Justice. While several US companies are forging ahead with Privacy Shield certification, many are nonetheless implementing established alternative protections, such as model clauses and binding corporate rules, to satisfy EU data protection agencies. The alternative measures are being adopted because Privacy Shield has already come under court challenge for many of the same reasons that killed the Safe Harbor. These court challenges are expected to play out in 2017.
Lastly, for companies marketing to customers and prospects across borders, in 2017 look for continued global legislation, enforcement activity and litigation regarding the interplay between telemarketing, email marketing and text message marketing and data protection laws and regulations, particularly as it relates to wireless cell phones.
2016 legislative changes mean that companies doing business internationally have to be knowledgeable about laws governing data collection, use, security and transfer in countries where they have employees, are selling goods and services, or storing and processing personal data. Expect more changes in 2017, as countries continue to adopt key components of data protection and cybersecurity law from each other.