With California’s new privacy law coming into effect in January, the legal field needs to be aware of how both the CCPA and GDPR will affect their internal and external corporate infrastructure. How?
By recognizing and identifying the organization’s customer base and tailoring compliance to each and every customer.
Speaking to law students and newer attorneys entering into the field of practice, educating yourself first on GDPR is a must, especially because it will help provide you with a competitive advantage throughout the job market.
Europe’s General Data Protection Regulation (GDPR) is a regulation that came into effect in May 2018 and is enforced by the European Union (EU) and its member states. It speaks specifically to how data is to be collected and protected.
The regulation is enforced by the European Data Protection Board, which recently ruled, in March, that EU regulators who have the power to enforce national privacy rules for electronic communications are also able to incorporate those powers into GDPR violation considerations.
While there are many who claim to be “GDPR experts,” this isn’t necessarily the case (or the problem). The focus isn’t on the number of “experts” but on the heavy burden of complying with the 99 articles of the regulation. Yes, 99 long, in-depth, and overly complex articles, filled with legal jargon.
Another major issue the GDPR presents is its vagueness with respect to defining “personal information” and other aspects of compliance. The ambiguity and difficulty of this regulation are the primary reason to learn about it now to gain a competitive edge.
The GDPR applies to all individuals within the EU and the European Economic Area. Member nations include the following countries:
Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.
Why GDPR is Necessary
GDPR was and still is groundbreaking because it is arguably the only law that was specifically designed and framed to address and improve the overall protection of individual data rights. It also extends to companies and how they handle the data, who handles the data, and under what circumstances they should be handling data.
This regulation also extends to the U.S. and any businesses that engage in business with any European citizen. Failure to comply will result in a heavy fine, which we’ve already seen. This authority gives the GDPR sharp teeth, meaning it can be enforced and holds weight.
For example, Google was fined $57 million for violating GDPR. These are serious consequences that the corporate world can no longer ignore. It has forced, and continues to force, U.S. regulators and lawmakers to consider how they may implement their own state-wide privacy laws, which we have already started to see.
New York Starts Its Debate
In November, New York senators gathered for a five-hour public hearing in Manhattan. The Senate’s standing committees on Consumer Protection and Internet and Technology heard from 11 panels of witnesses. The panels included representatives from leading business groups, consumer advocates, and state government officials.
This gathering, in addition to California’s Consumer Privacy Act (CCPA) coming into legal effect January 1, 2020, shows the international impact of the GDPR.
The proposed legislation in New York, New York’s Privacy Act, takes the CCPA framework a step further in data use restrictions and transparency requirements. The Act advocates for a national privacy framework. According to WIRED Magazine, it’s “even bolder” than California’s legislation.
Understanding Your Customer’s ‘Right to Be Forgotten’
This regulation gives consumers the option to opt out of emails and the ‘right to be forgotten.’ Every user has the right to have certain information removed from the grasp of these companies who have either formally had a relationship with the individual, or those who have “purchased” that information from third parties.
But don’t mistake this for a company’s right to engage and email individuals who are still “opted-in” or simply have chosen not to opt out.
But whether we are talking domestically or abroad, the legal community is still learning how to apply GDPR and how to break its lengthy requirements down into layman’s terms.
Look to case studies, including Google’s hefty $57 million fine, or Facebook’s ongoing troubles. There is no “universal” application of the regulation, as each case is unique, which is why now’s the time to educate yourself as much as possible and become familiar with GDPR, the CCPA, and other privacy initiatives U.S. lawmakers are putting into effect.