A recap from Lowenstein Sandler and ACC New Jersey’s 4th Annual Cyber Day Conference.
On October 10, I was delighted to welcome an overflow crowd of in-house counsel for lively discussions on navigating this increasingly complex regulatory and business landscape. As Chair of Privacy & Cybersecurity at Lowenstein, I see first-hand how new U.S. state and federal data protection laws have created a “one-two punch” for companies implementing GDPR (which became effective on May 25 of this year), and imposed new obligations on companies that are out-of-scope for GDPR. Aryeh Friedman, VP, Associate GC and CPO of Dun & Bradstreet, and I addressed these key takeaways on our panel.
GDPR Compliance is a Work in Progress: Surveys indicate that only about 12% of US entities and 27% of EU entities surveyed believe they are “fully compliant” with GDPR. Putting aside for the moment that there is no consensus on exactly what “fully compliant” means under GDPR, many US-based entities are still in process, and others are only now coming to the realization that they are in-scope.
New California Law is a Game-Changer: It’s not a “mini-GDPR,” but the California Consumer Privacy Act (“CCPA”) reflects similar principles and grants broad control to California residents over their personal information. Entities that comply with GDPR need a gap analysis to determine what’s required of them under CCPA, and non-GDPR entities must evaluate their data practices in light of CCPA. With substantial fines and a private cause of action for data breach, CCPA challenges the status quo. US states are acting to fill the void created by the absence of comprehensive federal data protection laws (25% of the states recently adopted new or amended statutes). At this pace, state data protection statutes could go the way of data breach laws – 50 different laws across the country.
Get Ready For More Disruption: A year from now the data protection landscape is likely to be vastly different. Among other things:
- GDPR started a global trend, with Brazil and India already following suit, and more jurisdictions are expected to do the same.
- The Privacy Shield’s second annual review is happening now, and its future is not assured. Just shy of 4,000 companies currently depend on Privacy Shield to transfer personal data from Europe to the US. If the Privacy Shield is invalidated, there are very few other options, especially for B2C businesses. At the same time, standard contractual clauses (a/k/a Model Contracts) are the subject of a hotly contested legal challenge by Max Schrems (of Safe Harbor fame) against Facebook.
- Brexit is targeted for March 2019, and the EU is unlikely to issue an adequacy decision (regarding the protection of personal data) for the UK until Brexit is a reality. While other treaties may mitigate the impact, without an adequacy determination the UK (and UK affiliates of US companies) will be required to rely on model contracts, consent, or other approved data transfer mechanisms, just as we do in the US.
- Finally, foreign entities or individuals seeking to invest in US companies now face another hurdle: the US Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) expands the jurisdiction of the Committee on Foreign Investment in the United States (CFIUS) to include non-passive investments in any company that deals with “sensitive personal data of US citizens that may be exploited in a manner that threatens national security.” We are still awaiting implementing regulations, but indications are that “sensitive personal data” will be broadly interpreted, resulting in many more transactions being subject to these rigorous reviews.