Thursday, April 19, 2018
Understanding the EU General Data Protection Regulation
The European Union's General Data Protection Regulation (GDPR) will enter into effect on May 25, 2018 for the 28 members of the European Union. As an EU regulation (rather than a directive), it does not require any national implementing legislation.
The GDPR applies to companies and other organizations located within the European Union and to organizations outside of the EU that offer goods or services to EU data subjects. The GDPR applies to all companies that process or hold the personal data of persons who reside in the European Union, regardless of whether the company is located inside or outside the European Union.
Under the GDPR, companies and other data collectors must advise EU data subjects of what they are doing with the personal data collected, give the EU data subjects the right to do something about how their information is being handled or stored, and then comply with requests made by the data subjects. The GDPR will apply to any organization that processes personal data that is traceable to an identifiable EU person. The data subject to the regulation includes most electronic information of organizations. Penalties for violating the GDPR are severe: for some violations, fines can be imposed up to €20 million or 4% of the worldwide annual revenue of the prior financial year,
Under Article 5 of the GDPR:
- Unless you have specific permission from the data subject, or unless you are specifically authorized by EU law, you cannot use the personal data of European citizens for purposes other than that for which you originally collected the data.
- You cannot simply hold on to data; you must minimize the retention of data.
- You need more than a "culture of privacy"; you must have written policies and procedures that ensure the integrity and confidentiality of records.
A panel at the Annual Conference of the American Bar Association Section of International Law considered various aspects of the GDPR, including how the new regulation will affect U.S.-bound discovery from the European Union. The panel was called "Is GDPR Article 48 a Catch-22 for Litigants in the United States?"
Pictured here (from left to right) are: Daniel S. Meyers (TransPerfect Legal Solutions); Kenneth N. Rashbaum (Barton LLP); Alexander Blumrosen (Kuckenburg Bureth Boineau et Associes, Paris, France); and Therese Craparo (Reed Smith LLP).
The ABA Section of International Law Annual Conference continues its substantive programming through tomorrow. 900 lawyers, law students, and legal professionals are in New York attending the Conference.