US companies doing business in Europe have no idea what’s about to hit them

An unprecedented new data privacy and security regulation goes into effect in the European Union on May 25, 2018, reaching every U.S. company that processes the personal data of people in the EU while offering them goods or services or monitoring their behavior, and stoking concerns among policymakers over how aware and prepared U.S. businesses are for the looming rules.

That concern seems well-placed: A recent survey by the information technology trade association CompTIA found that U.S. companies were largely unfamiliar with the requirements they could face under the EU’s General Data Protection Regulation, or GDPR.

The new regulation spells out rules for handling and protecting consumers’ data, backed by potential fines of up to 4 percent of a company’s worldwide annual revenue or 20 million euros, whichever is higher. But almost two-thirds of U.S. firms surveyed by CompTIA were unaware of the staggering potential penalty if they suffer a breach that compromises personal data of EU citizens.

It also requires companies to notify the relevant data protection authority within 72 hours of becoming aware of a breach, and to notify affected individuals without undue delay when the breach is likely to put them at high risk, a more aggressive timeline than required under the panoply of breach notification laws in the 50 states. There is no federal breach notification standard in the U.S.

“We’re getting a lot more questions from clients” on the impact of GDPR, said one source in the U.S. insurance industry, which provides coverage for fines related to cybersecurity incidents. “These questions are coming pretty late in the game. We’re going to see a lot more breaches disclosed in Europe and a lot more insurance claims based on fines and regulatory actions.”

The European Union is several steps ahead of the United States, where data privacy requirements have yet to be spelled out in a comprehensive way. The Federal Trade Commission is the U.S. enforcer of privacy standards, determining on a case-by-case basis whether companies put in “reasonable” efforts to protect consumers’ data.

“Policy around privacy right now is a train wreck,” said Richard Ford, chief scientist of the Texas-based security firm Forcepoint. “We need to have a well-informed, slow conversation to discuss what the general principle is here.”

Ford added, “I’m a big fan of GDPR. It’s a great opportunity for us to get our own house in order and have this conversation about whether I should collect and hold all this data.”

Commerce Department officials have been appearing before U.S. business groups to raise awareness of the EU rules, and to offer some assurances that an existing structure governing transatlantic data exchanges known as “Privacy Shield” will help companies comply.

Privacy Shield is a self-certification program, administered by the Commerce Department, under which U.S. companies publicly commit to a set of privacy principles that the European Commission has deemed adequate, allowing personal data to be transferred from the EU to those companies.

Over 2,800 U.S. companies have obtained Privacy Shield certification, which replaced the earlier Safe Harbor arrangement on data transfers between the two jurisdictions. The European Court of Justice struck Safe Harbor down in 2015, in the aftermath of the Edward Snowden leaks on U.S. surveillance activities, as inadequate to protect the personal information of European citizens.

The impact of Privacy Shield certification on U.S. companies’ compliance with the separate GDPR continues to be a matter of debate and speculation.

“Saying that Privacy Shield equals GDPR compliance is overly optimistic,” said John Holmes, Forcepoint’s general counsel. “If you get Privacy Shield certification, that puts you ahead of the curve, but you’re not there yet.”

The FTC points out that Privacy Shield is not meant to make a company compliant with GDPR.

Still, U.S. officials have stressed the Trump administration’s commitment to Privacy Shield as the foundation for addressing U.S.-EU privacy and data security issues.

National Economic Council official Gail Slater, at an April U.S. Chamber of Commerce event, agreed that GDPR is a “real concern” for U.S. business but suggested that it should be viewed “in terms of Privacy Shield” commitments that companies have already made.

“The U.S. government has a strong interest in portraying Privacy Shield as being as strong and effective as possible. They wouldn’t want to say, ‘but there are a whole lot of other things you’ll need to do under GDPR,’” one privacy attorney noted. “There’s a fine line between being an advocate for Privacy Shield and being realistic about GDPR requirements.”

The attorney said neither document provides much detail, giving “both flexibility and uncertainty” to companies and leaving open questions such as what constitutes “reasonable” security efforts.

“Maybe the most effective role the U.S. government can play is to focus on Privacy Shield, help companies comply and put in place things like privacy oversight boards — things under our control,” the attorney said. “That doesn’t really help in gaining certainty on what GDPR means, but it keeps the Privacy Shield process and dialogue with the EU alive, and that’s important.”

Forcepoint’s Holmes said there would be a “significant cost factor” to complying with GDPR, requiring “additional tools and resources” beyond what U.S. companies have devoted toward Privacy Shield certification.

“The GDPR provides some guidance but it defers on specifics,” Holmes said, adding that “it’s going to take years for the GDPR to find the proper balance of interests. We’ll need to see enforcement actions and guidances to see how regulators will define these balances.”

“We’re guessing a little bit right now,” according to Holmes. But pointing to the recent Capitol Hill appearances by Facebook CEO Mark Zuckerberg, Holmes predicted “we’re going to see more GDPR-type regimes across the world.” In the U.S., he suggested this would likely translate into “piecemeal” policy development in areas such as breach notification.