The E.U.’s General Data Protection Regulation will have a far-reaching impact on U.S. companies, and recent data abuse scandals have highlighted the lack of regulation in the U.S. to date. Kirk Nahra, a partner at Wiley Rein who focuses on privacy and information security litigation, shared his take on what’s likely to be in store with the onset of GDPR.
Hear more from Nahra at the 2018 Bloomberg Law Leadership Forum on May 23 in New York, where corporate counsel from Fortune 500 businesses and leaders from top law firms will gather to discuss trends in trade, regulation, and technology.
Will GDPR implementation move the regulatory environment in the U.S. more toward privacy norms in the E.U.?
I don’t have any real sense that the GDPR will drive legislative or regulatory activity in the U.S. We’ve never really gotten close to broad national privacy legislation here, and if the array of massive security breaches and the hullabaloo surrounding Facebook aren’t enough to drive this legislation, I don’t think GDPR will. However, what I do see is that many companies are facing a choice as to whether to implement GDPR operationally on a more wide-ranging level, either because of greater public pressure or because it may be too challenging to operate in multiple environments. I think this “efficiency” concept will drive more GDPR behavior than new U.S. laws or regulation.
What are the immediate risks that implementation poses to your clients and what is the strategy to address the directive?
The companies that face short-term enforcement risks are those that have a prominent public-facing presence and that can provide E.U. privacy regulators with low-hanging fruit on enforcement. We may see more immediate operational impacts from companies that focus on “secondary uses” of data—data brokers, advertisers, and other kinds of analytics firms—as their sources of data may shrink or the contractual pressure may put more roadblocks into current activities. I do expect some short-term test cases on enforcement (that likely will take some time to work out) and the best advice for most companies that are not generally high on the enforcement radar screen is to avoid doing stupid things that will draw the attention of regulators.
What sectors of the U.S. economy are likely to feel the most significant impact of GDPR?
Obviously, big technology companies with significant data assets are facing enormous challenges. Since many of these companies are public-facing to consumers, we can expect lots of regulatory and enforcement pressures on them. One key niche area with particular challenges is technology companies and other “unregulated” companies (such as app developers and wearables companies) that are moving into the health care space. This may also include employers and companies who engage in broader wellness programs.
Beyond that, I expect real challenges for industries that focus on research activities, particularly involving sensitive data (like the pharmaceutical industry). Advertising companies will have real pressures, both online and otherwise. Data brokers in general will face challenges, both from regulators and from customers and data sources who may be scared off from more aggressive use of this data. We’ve already seen tensions between the possibilities of big data and privacy legislation and best practices, and the E.U. GDPR will only make these pressures and tensions worse.
For the 4th year, the Bloomberg Law Leadership Forum is the premier event for legal industry leaders to gain insights and discuss how global economic and regulatory changes impact their business.
The 2018 Forum features an update on current regulatory priorities, a look at where corporate risk is rising, and an exploration of the technology and management tools legal counsel need to respond effectively.
Leadership Forum Speakers Include:
- Chairman Jay Clayton, U.S. Securities and Exchange Commission
- Deputy Attorney General Rod Rosenstein, U.S. Department of Justice
- Marcy Cohen, Managing Director and Chief Legal Officer, ING Americas
- Noah Perlman, Global Head of Financial Crimes, Morgan Stanley
- Katherine Choo, Chief Investigative & Anti-Corruption Counsel, GE