The (Imminent) EU General Data Protection Regulation and (Pending) ECJ Ruling on Safe Harbor: The Impact on US Organizations

The Drinker Biddle Privacy & Data Security team held an exclusive Breakfast Event (and webinar) on Thursday, October 15. To help organizations better understand and prepare for the effects of the looming GDPR on their European data processing activities, Drinker Biddle’s Jeremiah Posedel (Chicago) and Taylor Wessing’s Paul Voigt (Hamburg, Germany) discussed key aspects of the GDPR and their implications. In addition, Jeremiah and Paul discussed the ECJ Advocate General’s recent opinion on the validity of Safe Harbor and the European Court of Justice’s (pending) ruling, which was set for October 6.

The purportedly imminent passage of the EU General Data Protection Regulation (GDPR) and the future of Safe Harbor will have a significant impact on US organizations operating in, or processing personal data within, Europe. The GDPR will apply to both US organizations processing personal data within Europe and service providers processing information on their behalf, regardless of an organization’s industry (e.g., manufacturing, financial services, healthcare/pharma, IT, transportation, insurance, etc.) or its data processing activities (e.g., HR-related activities, employee monitoring, direct marketing, data collection via company website, clinical trials, cloud services, etc.). Further, unlike existing member state laws implementing the Data Protection Directive, the GDPR contemplates significant fines for non-compliance (up to 2 to 5 percent of global turnover!).

Topics discussed included the following:

• The European approach to data protection and the GDPR, and how it differs from the US’s approach;
• Consequential provisions of the GDPR, including the one-stop shop, the right to be forgotten, profiling restrictions, privacy impact assessments, breach notification and the appointment of data protection officers;
• The GDPR’s impact on common data processing activities (e.g., HR– and marketing–related activities) and cross-border data transfers, including transfers under the EU/US Safe Harbor);
• Enforcement and proposed fines for non-compliance;
• Service provider (i.e., data processor) obligations and direct liability;
• Outstanding issues still being debated by European regulators; and
• The European Court of Justice Advocate General’s recent opinion on validity of Safe Harbor and the European Court of Justice’s (pending) ruling, now set for October 6.