US Companies Scramble Toward GDPR Compliance

During a Capitol Hill event hosted by the Congressional Internet Caucus Academy, which advises congressional tech staffers, Bastide said companies in the EU and the U.S. have been looking at data, mapping it to consent and determining if collection methods are compliant with GDPR standards. All data collected out of compliance will need to be removed by the enforcement deadline, or companies face major fines, which could also be calculated at 4 percent of a company’s global annual revenue, if higher than 20 million euros ($24.6 million). Bastide said “anyone with a web presence” is struggling to determine the exact GDPR application.

More than half of U.S. multinational companies list the GDPR as their top data privacy compliance priority, said PwC. R Street Institute Director-Innovation Policy and General Counsel Mike Godwin said the GDPR -- which EU Delegation to the U.S. Counsellor Aymeric Dupont called a new baseline on the protection of consumer data in the EU -- will result in the emergence of the data protection officer (DPO). The demand for that position is growing rapidly, as companies need to keep abreast of technology and algorithm strategy. Tech lawyers will be in high demand under this new regime, Godwin said. The International Association of Privacy Professionals said the GDPR will require at least 28,000 DPOs to achieve compliance in Europe alone.

GDPR affects anyone who touches data, which has created a lot of confusion surrounding legal provisions and applications, said Center for Democracy & Technology Policy Counsel Joe Jerome. He said the U.S. sees data as a form of currency, “the new oil,” while the EU views data in the context of consumer rights, where companies have a duty to use it responsibly. The GDPR inverts what has been a compliance regime into a data rights regime. Jerome said the Privacy Shield, an agreement between the U.S. and EU that protects EU privacy, should be an impetus for Capitol Hill policymakers to develop the U.S.’ own data privacy law. In the U.S., he said, companies have had a laissez-faire attitude toward data. That attitude has resulted in an endless stream of headlines about companies violating privacy, he said. In the U.S., people don’t really care about privacy, he added, but the GDPR changes that.

The panelists discussed the EU’s “right to be forgotten,” a practice allowing European citizens to request that online platforms remove content they consider outdated or irrelevant, such as news about crime or other detrimental information from a person’s past. Godwin said the EU is trying to establish a consumer’s right to control data, which is an “interesting change,” since in the U.S., the presumption has been that once information is public, it remains in the public domain. The focus of right to be forgotten is on Google, which has fielded lawsuits from users seeking to clear their past from the internet. The GDPR creates the expectation that online platforms adhere to certain requests, Godwin said. He called the right to be forgotten “a cost of doing business.” That means the incumbents, large companies like Google, will have the resources to determine which takedowns are warranted, but smaller firms will need to take down content that hasn’t been fully vetted, in order to avoid costly penalties.

In February, Google released its latest Transparency Report, which said that since 2014, Europeans have requested that Google delist 2.4 million URLs, and it has delisted about 43 percent of those.