While the European Commission and the DOC have agreed upon a new arrangement, known as the “Privacy Shield,” and that arrangement has just received formal approval, there remain a number of concerns and issues in relation to it. Responses from various data protection authorities across Europe have also diverged, and that divergence is likely to continue with the new problem of interpreting and applying the Privacy Shield requirements.
Technology companies now find themselves in a suddenly undefined EU marketplace in which data fines can vary by enormous amounts depending upon the jurisdiction. The clearest example of this is the case of Google. The Italian Data Protection Authority had previously hit the company with a €1 million fine for its Street View/Google Car activities in Italy. Because Google’s 2015 revenue was in the region of $74.5 billion, new EU fine levels being proposed could mean the company will face a fine of a whopping $3 billion.
As a result of the uncertainty that now reigns, organizations need to protect themselves by reviewing their existing compliance levels across the board. It is crucial to verify the types of data that are held, what needs to be disclosed in relation to particular cyberthreats and whether this can be restricted or curtailed sensibly so that rights of action for data subjects do not arise, either in the U.S. or in the EU.
Steven Rubin is a partner with Moritt Hock & Hamroff LLP in New York, where he serves as chair of the firm’s Patent practice group and as co-chair of its cybersecurity practice group. Stephen Milne is a consultant with Memery Crystal LLP in London, where he focuses on business law and commercial contracts, including outsourcing, agency and distribution agreements, joint ventures, tender responses, franchising, marketing, introduction, reseller and maintenance and support agreements and key ancillary issues such as data protection and cybersecurity.