Heading 1

You can edit text on your website by double clicking on a text box on your website. Alternatively, when you select a text box a settings menu will appear. Selecting 'Edit Text' from this menu will also allow you to edit the text within this text box. Remember to keep your wording friendly, approachable and easy to understand as if you were talking to your customer

TAG Cyber Law Journal

July 2018
The EU is expected to deliver this additional offering soon.
The EU’s 72-hour rule has stateside lawyers scratching their heads.
Bart Huffman
Bart Huffman is a partner in Reed Smith’s IP, Tech and Data Group. Given his expertise in privacy and information security, it almost goes without saying that he’s been advising clients about the European Union’s General Data Protection Regulation (GDPR) for nearly two years now. And just as his clients start to get comfortable with the GDPR, there’s another gift on the way: the EU’s forthcoming ePrivacy Regulation. Ready for it? This is Part Two of an interview that began last month.

CyberInsecurity: There are two areas in the GDPR that seem particularly tricky for companies to navigate. One is how they handle the right to be forgotten. And [Office1] the second is the 72 hours to report a breach. Have these new requirements proved to be difficult for companies to wrap their arms around?   
Bart Huffman: I think these are difficult subjects. Let me start with breach response. Certainly 72 hours is not a realistic time frame for even assessing whether there has been a breach, much less coming up with a full response. That said, it seems like the actual expectation is early notification to the regulators, known as supervisory authorities, of significant incidents, which may or may not ripen into an actual breach. So I think these early notifications will be carefully worded. They will be somewhat tentative in nature, and there will be a lot of learning by experience in terms of what the regulators collectively expect to be notified about. The message is that “we the regulators want to be notified right away, even while you’re still figuring it out.” There’s a similar approach in Vermont, which requires notice to the attorney general within 15 days of a breach. That is too short a period of time, for most significant breaches, to come up with a full formal notification. But the idea is that there should be a prompt assurance to the regulator that there has been a potentially significant incident that’s being handled appropriately. One thing that will be important for a practicing attorney is the notion of confidentiality. You worry in the United States about things like the Open Records Act laws, and so Europeans want to work through confidentiality concerns, because obviously you’re much more cautious about disclosures if you’re not able to keep things confidential when you’re reporting about an ongoing investigation.

CI: And the right to be forgotten? 
BH: One of the important things to remember about the right to be forgotten, like some of the other data subject rights, is that it’s not an absolute right. Nonetheless, the data controller has to take into account the request of the data subject, and it has to treat it seriously. And that also means that the controller has to have mechanisms in place with its service providers who are data processors. Specifically, the controller has to ensure that in its contracts with processors there is a provision for honoring data subject rights. As we move to GDPR 2.0 here, past the May 25 implementation deadline, the data subject rights are one of the more interesting areas. The companies that have been working on being compliant have been making their beds. And now the public at large gets to peek under the sheets and see what it looks like, and how companies are going to implement the procedures that were put in place to address data subject rights, such as the right to be forgotten.     

CI: Now that information governance has taken center stage, are more companies hiring information officers? And should everyone?
BH: I think so. In today’s Information Age, not having somebody in charge of your information is in many cases like not having someone in charge of your finances. The central function of information officers is, to a certain extent, risk management, but they also have to take into account governance of the information—things like data classification schemes, data retention schemes, and any number of centralized policies and procedures that bear on the appropriate handling of information, which is both a tremendous asset and a tremendous source of risk. Appropriately coordinating all those efforts is key. It’s no longer the case that a company can rely on a bunch of well-managed technical procedures maintained within the IT department.  

CI: What is the EU’s ePrivacy Regulation? When does that go into effect?  Who needs to comply?
BH: The ePrivacy Regulation was supposed to come into effect at about the same time as the GDPR. It is expected to have a similar remedy structure—very big potential fines for noncompliance. But finalizing the ePrivacy Regulation continues to be controversial. Two of the main topics of ePrivacy in the EU are cookies and electronic marketing communications. Any business in the EU that has a website and is involved in email communications cares about ePrivacy, or should care.
  One of the challenges is that there have been ePrivacy laws in the various member states of the EU for some time, but they haven’t been enforced much. So what we’re looking at is a single set of rules that actually will be enforced. And that’s causing a lot of debate and careful thought around the associated restrictions of, and implications for, commerce that flows from the cookies requirements and eMarketing laws. Remember also that ePrivacy regulation is a separate set of requirements from those in the GDPR. So to the extent that the ePrivacy Regulation might not require consent for some particular data processing activity, such as email communications or cookie collection, that doesn’t mean that you don’t have to look to see if it’s required by the GDPR. And vice versa.

LBB: Generally speaking, what are the organizational challenges for companies in this still-emerging Information Age?
BH: There needs to be more of a formal internal structure for assessing and managing the risks of processing data, including the creation and enforcement  of data handling policies. Companies are starting to see that there needs to be an interdisciplinary team or a set of teams that focuses on these issues and reports up.

CI: What are some of the important legal issues for in-house lawyers to focus on?
BH: Having policies in place that are actually followed is important with respect to information governance, and that entails getting real review and buy-in from the various stakeholders. As key building blocks, a solid understanding of the company’s various data practices and something akin to the processing inventory we discussed with respect to the GDPR are really important. Understanding the processing that is going on is key if a company wants to avoid piecemeal attempts to comply or is repeatedly trying to address issues after the fact. It’s also very important to maintain open lines of communication in the contracting process with vendors and service providers. And, of course, there’s the whole cybersecurity topic as well. There’s some overlap with privacy, but these days it’s at least as important to be aware of and on top of security in the cyber world as it is in the real world.     

CI: How might evolving privacy laws affect business models?
BH: Consumers and other individuals increasingly demand respect for their privacy, even as they realize that they have less privacy in the normal sense. So the focus is on demonstrating responsible behavior, and being open and honest about data practices. For data practices to stand, a company should be ready to demonstrate the value associated with the decisions that the company has made about how it approaches privacy.
  There is an old way of doing things—having a privacy policy and getting away with whatever the privacy policy doesn’t really speak to—and there is the new way of being up-front about the value associated with the processing of the data and what the consumer gets in return. There is this classic problem with the privacy bargain, in which people exchange their privacy and data in return for free services. I think we will see more emphasis on historical fair-trade practices about disclosing the actual terms of the deal to individuals, helping them to understand what exactly the bargain is, and perhaps giving them the option to pay for a service or use a service with different features in exchange for less collection and use of personal data. Of course, appropriate disclosures and choices have to be balanced with the goal of not overwhelming the consumer with too much detail.
  There’s also plenty to be done in the privacy engineering field in terms of privacy-enhanced technologies, including clever ways of advising and giving choices to people and coming up with uses of data that are minimally invasive. Especially in the face of next-generation privacy laws such as the GDPR and the forthcoming ePrivacy Regulation, we’re going to have to see some of the same creative ingenuity applied to the privacy field that has been applied to the development of apps, and of the internet in general.
Companies are grappling with the old way of doing things and the new way of handling matters involving consumer privacy.