Data privacy attorneys have their hands full helping clients adjust to a sweeping European Union data protection regulation six months after it took effect.
Firms are hiring to accommodate the additional work and grappling with provisions of the General Data Protection Regulation, which include expanded definitions of personal data, “the right to be forgotten” and new data breach notification rules.
At Jones Day, business has been so strong that the firm hired two new GDPR attorneys in Brussels and several more data protection lawyers in the U.S. to meet the broader demand for services that the regulation has created around the world.
“We’ve brought in additional expertise, not just lateral expertise, to support the demand,” Jones Day partner Mauricio F. Paez said.
“We expect to see continued growth in Europe for data protection, in particular as we start to see more and more data breach notifications and investigations,” Paez said.
The rule went into effect on May 25 and applies across the globe to all companies doing business in the EU and processing Europeans’ personal data.
Other law firms have beefed up their data protection practices in the United States. Latham & Watkins and Greenberg Traurig, for instance, both scooped up data privacy experts for their San Francisco offices this year, and Polsinelli hired an attorney with expertise in EU law in its Denver office over the summer.
Dorsey & Whitney is running most of its GDPR work out of its London office, but the firm is in the process of hiring an associate based in the United States to help U.S.-based companies with compliance, according to partner Robert Cattanach.
He told Bloomberg Law many “second-tier and third-tier” companies are just now figuring out whether and how they’re subject to the regulations.
“There’s a nuanced grey zone, where you’re not clearly in, you’re not clearly out,” he said. “As we understand how GDPR is really being enforced and interpreted, there’s a lot more context and some decisions are a lot less black and white than originally anticipated.”
McGuireWoods partner Janet Peyton said many U.S. companies didn’t begin their compliance efforts until after May 25. She said part of the problem may be the type of data protected by the regulation.
“GDPR defines personal information in a much broader way, picking up simple contact information such as names, emails, and street addresses of customers and even IP addresses,” Peyton told Bloomberg Law. “These are not the kinds of data that U.S. companies are used to treating with much caution.”
As a result, she said, getting buy-in from marketing teams and employees has been difficult for many of her clients.
Consequences for violating GDPR may be dire. Penalties are set at up to 20 million Euro or 4 percent of a company’s annual turnover, whichever is greater.
Because of its huge reach, GDPR has effectively become the new global standard for data protection.
“The demand in compliance work triggered by GDPR triggered significant changes in other jurisdictions,” said Paez. He noted Jones Day has spent time training all of its privacy attorneys on GDPR compliance, not just those based in Europe.
New questions will also arise as the regulation is interpreted by the agencies tasked with enforcing it.
In late October, the French data protection authority CNIL sent a warning letter to the ad tech company Vectuary, interpreting the GDPR to mean that tech companies can’t transfer user consent through contracts with each other. In other words, users must always give informed consent for their data to be used.
“What the decision highlights is there are still questions of how to implement in practice some of the GDPR requirements,” said Paez. “You may not have knowledge that consent was informed.”
Paez said the biggest remaining question for his clients isn’t about what GDPR requires, but about how to actually meet those standards. He said some of his clients are still lagging behind on implementing compliance programs, but most of the changes they still need to make are fine-tuning existing policies and practices as GDPR’s application is refined.
“They’re not trying to catch up but they’re trying to adapt,” he said.
To contact the reporter on this story: Stephanie Russell-Kraft in New York at firstname.lastname@example.org
To contact the editor responsible for this story: Rebekah Mintzer at email@example.com