Complying with Europe’s data privacy law, the General Data Protection Regulation (GDPR), is complex, nuanced, and difficult.
For boards of US companies subject to GDPR, it should be top of mind. Although the law is still relatively new, the EU has already demonstrated how serious it is about GDPR by its ability to impose significant fines.
As a reminder, GDPR applies not just to organizations headquartered in the European Union. It applies to any company that offers goods or services to people in the EU, and to any company that processes the personal data of individuals in the EU, including by monitoring their behavior, regardless of where that company is located.
In January of this year, France’s National Data Protection Commission (CNIL) slapped Google with a $57 million fine for violating GDPR.
The agency found that Google does not make information about how it uses collected data easily accessible to users:
Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information.
CNIL also stated that the information Google provides is not easily understandable:
Users are not able to fully understand the extent of the processing operations carried out by GOOGLE … in particular that the purposes of processing are described in a too generic and vague manner, and so are the categories of data processed for these various purposes. Similarly, the information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalization is the consent, and not the legitimate interest of the company.
In addition, the agency criticized Google’s consent process for collecting data for personalized ads, stating that consent is not “sufficiently informed,” nor “specific,” nor “unambiguous.”
Since GDPR went into effect in May 2018, four fines have been issued including this one—but this is the largest and first for a major US tech company.
While the fine was large in comparison to others, it is far less than what it could have been. As a reminder, GDPR fines can reach 4% of a company's worldwide annual revenue (or €20 million, whichever is greater). The New York Times estimated that the fine could have been more than $4 billion if the 4% formula had been used.
Google said it would appeal the fine.
GDPR Risks and Proactive Steps for Boards
GDPR sounds complex—and it is—but handling GDPR risk is in many ways like handling any other regulatory compliance issue.
Boards will want to understand in what way and to what extent GDPR applies to their companies. Note that the EU has an expansive view of its jurisdiction, so boards should ask questions if they are told that GDPR doesn’t apply to them.
For example, if your website targets residents of the EU (by offering goods or services to them, even at no charge), your company will need to comply with GDPR.
Remember, too, that GDPR fines are extremely large on purpose: They are designed to make non-compliance economically unfeasible.
Board members can and should rely on informed counsel when considering something like GDPR compliance. Having said that, it’s also a good idea for board members to do some personal diligence on the topic.
Checklists, white papers, and other good resources for board members are plentiful. Law firms and accounting firms are especially good resources for this type of information. They are generally glad to send these materials to board members who are trying to educate themselves on the topic.
Various government entities provide resources as well, for example this checklist from the United Kingdom’s Information Commissioner’s Office.
If GDPR compliance is already part of a company’s regulatory compliance framework, board members might consider asking for a quarterly briefing on the topic.
Boards will want the comfort of knowing that inside or outside counsel is considering things like the recent GDPR fine against Google, and is taking steps to avoid being caught in similar crosshairs.
Beyond GDPR compliance, also keep in mind that the US might adopt a single comprehensive data privacy law in the future. Recently, Apple CEO Tim Cook called for similar data privacy laws in the US as in Europe.
Companies have been concerned for a while about the hodgepodge of data privacy laws enacted across the various states. Compliance with differing state requirements is difficult. Proposals are already in front of Congress for a more uniform data privacy law at the federal level.
For more on GDPR, see these articles on Woodruff Sawyer:
- Cyber Insurance vs. D&O Insurance: New Data Protection Officer Requirements Under GDPR
- GDPR Liability and Fines: Will My Cyber Insurance Cover Them?