because data privacy - ogletree deakins · 2019. 3. 27. · 2019 international practice group...

Click here to load reader

Post on 01-Sep-2020




0 download

Embed Size (px)






    Benjamin Buckley – Rogers Corporation

    Roger James – Ogletree Deakins (London)

    Bonnie Puckett – Ogletree Deakins (Atlanta)



    It has been almost a year since the implementation of GDPR, one of the most significant compliance events for multinationals for many years. So how has the reality compared with anticipated expectations and the warnings of huge fines for defaulting organisations?

    Background The General Data Protection Regulation (GDPR) is an EU wide law which came into force on May 25, 2018. It was intended originally to tidy up and standardize data protection laws across EU countries. In the end it went further than that – not least to reflect how technology has changed since the original data protection laws of the 1990s were written – and GDPR has raised the compliance bar on a number of issues, increased penalties for defaulters, and frustratingly, is still subject to country by country variations to reflect local issues.

    In this article we will look at the story so far.

    Language Before we start here is a recap of some of the Data Protection language to ensure you know your “data subject” from your “data controller,” not to mention your “data processor.”

    A data subject is an individual about whom information may be held by others – so an employee in the employment context. To have rights under GDPR a data subject must be a living person – so not dead and not a company.

    A data controller is someone who holds and controls that information – such as an employer that obtains information such as bank account details, date of birth, address, relevant health records, and so on.

    A data processor is like a data controller and has access to other people’s data, but someone who is being instructed by a data controller – such as a payroll company processing salary on an employer’s instruction.

    Personal data means any information about an identified real person. GDPR only applies to information which can be attributed to a person – either via their name or other similar unique identifier such as a personal identification number. If data is anonymous and cannot be attributed to anyone then it falls outside of GDPR governance.

    A Supervisory Authority is the Government authority in each of the EU countries with responsibility for policing and enforcing GDPR.

    Now we have that clear, let’s look at some of the different aspects of GDPR and how they have developed since introduction in May 2018.

    Subject Access Requests (SARs) A Subject Access Request is a request from a data subject for the personal information you hold on them. It is designed to ensure that they can see what of their personal information is held and correct any errors. In reality, in the employment context, SARs are most often used as a pre-litigation way of getting disclosure of documents such as meeting notes and emails between managers to enable an aggrieved individual to fish for evidence they can use to build a case. Courts have made it clear that SARs cannot be refused, even if motivated by potential litigation.

    SARs existed under previous legislation in similar format (although GDPR reduced the timescale for an employer’s response to one month and abolished the modest administration



    fee employers used to be able to charge). However the prevalence of requests has spiked significantly since GDPR, probably because of raised awareness following the publicity around GDPR. If you receive a SAR, take advice on the exceptions available. In our experience, many employers handling responses without advice reveal damaging documents that they could have retained.

    Data Breach Reporting GDPR introduced a new requirement on data controllers to notify regulators of data breaches – in addition to informing affected data subjects, and bang on cue, a number of big companies were hit by data breaches to test the new system including British Airways and Marriott Hotels. In the UK alone, there have been 500 data breaches a week reported to the applicable regulator – the UK Information Commissioner’s Office (ICO). British Airways have been widely praised for their response to their breach, which was a malicious hack into their IT system through which hackers obtained full credit card details, names, and addresses of hundreds of thousands of BA customers. BA promptly informed the ICO and affected customers – even before the full extent of the consequences of the breach were known, and followed that up with regular updates and reassurance to customers that any financial losses suffered as a result would be reimbursed. Customers were also informed of steps they could take to mitigate the risk of fraud arising through the breach.

    Territorial scope of GDPR GDPR is designed to protect citizens within the EU and applies to organisations based anywhere in the world if EU citizens may be impacted by their activities (for example, a U.S. company with no physical presence in the EU would be caught if selling to EU citizens through a website). Towards the end of 2018, the European Data Protection Board published guidelines for consultation. These are not yet finalised, but as currently drafted they will apply GDPR to businesses that target people based in the EU regardless of their nationality. So by way of example, a U.S. High School Alumni Service interacting with U.S. citizens only who are residing within the EU would fall under GDPR. It would be no excuse to say the data subjects, as Americans, were not EU citizens if they were living in the EU at the time.

    International Data Transfers GDPR (and predecessor legislation) requires that data is not transferred out of the European Economic Area (being the EU plus a handful of other European countries) to countries that have inferior data protection laws. Countries with suitable laws are deemed by the EU as “adequate” and include Canada and New Zealand. The U.S. is not deemed adequate. This means companies must take extra measures before transferring data to the U.S. The main options in this regard are (1) utilising the “Privacy Shield” framework which replaced “Safe Harbor” – which turned out not to be safe being torpedoed by a court decision, (2) using so called Standard Contractual Clauses – essentially signing up to a set of contractual commitments approved by the EU, or (3) using Binding Corporate Rules.

    Since the commencement of GDPR, the European Parliament has called for the suspension of Privacy Shield because of concerns about its compliance with GDPR and the U.S. Department of Commerce’s failure to appoint a permanent privacy ombudsman to oversee U.S. participation in the scheme. However these issues are being addressed and Privacy Shield remains an acceptable approach to data transfers, for now at least.

    Enforcement The potential fines of up 4% of global turnover (or €20million if higher) have been a strong incentive for companies to ensure compliance with GDPR, and also led to some debate over



    whether fines would reach these levels in reality. That question has been answered, at least in France, with a major technology company fined €50million for violations. Whilst an eye watering figure, it still only represents 0.0005% of the company’s annual turnover for 2017! In another case, a Portuguese hospital was fined €400,000 for two GDPR violations relating to inappropriate access to patient data. So far these are two of just a handful of the first decisions that have been handed down, but that trickle should develop to a more constant stream as cases commenced post-May start to work their way through the enforcement system.

    Enforcement investigations can be initiated by the applicable country’s Supervisory Authority or triggered by a complaint from a data subject. Not all violations will lead to a fine as reprimands may also be used in minor cases. The applicable sanction will depend on the sensitivity of the data, the nature of the violation, the risk of harm to data subjects, and the data controller/processor’s attitude towards compliance.

    There has been a significant increase in complaints of breaches from data subjects – 6,000 in the UK alone in the first three months of GDPR, up 160% on the same period the previous year. The ability to complain about breaches existed pre-GDPR, and the spike in complaints is again probably because of the greater awareness created by GDPR publicity. Across the EU as a whole, there have been over 95,000 complaints since implementation of GDPR in May 2018.

    The most common complaints have been about telemarketing, promotional emails, and CCTV/surveillance.

    Incomplete introduction of legislation Although GDPR has direct effect in all EU countries and therefore came into force in each country automatically in May 2018, further legislation is required in each country to supplement GDPR with country specific data protection laws (the detail of which can vary from country to country). So far, 10 of the 28 EU countries have not completed that process – mainly because of disputes over detail relating to the obligation to appoint a data protection officer, sanctions for non-compliance, and age of consent issues. This means a confusing patchwork of laws across the EU and uncertainty in the countries that are still deliberating.

    Avoiding GDPR compliance issues A small handful of companies have responded to GDPR by deciding to get out of doing business in the EU altogether, including certain U.S. publications that have made their content inaccessible to EU readers! Their rationale is that the business is better off losing readers compared to investing in compliance.

    Many other businesses have reduced their risk of GDPR compliance problems by destroying unnecessary information and cutting back to the bone the information requested of customers and employees.

  • 1

    Ben Buckley (Rogers Corp.)

    Roger James (London)

    Bonnie Puckett (Atlanta)

    “Because Data Privacy”Where data protection and the real world collide

    The DP Invasion

    • GDPR• Europe’s implementing legislation

    • Other countries’ legislative frameworks

    • U.S. Privacy Shield

  • 2

    “Overly Conservative Advice”

    “Many businesses had followed ‘extremely conservative’ advice from their lawyers, [chief executive of marketing association DMA Group Chris Combemale] said, and sought to gain consent – or even double consent – to retain customer details…‘The legal profession had a considerable misunderstanding of how this legislation could and should apply to the marketing sector.’ He gave one example of a lower-league football club which had 100,000 supporters on its database before May 2018, but followed its lawyer’s advice to gain double opt-in. The club’s signups dropped over 97%....

    Solicitor Peter Wright, managing director of cyber-law specialist Digital Law and former chair of the Law Society Technology and Law Reference Group, agreed lawyers have been too cautious. ‘People have got funny ideas that GDPR is all about consent and it’s absolutely not,’ said Wright.” Hyde 4 March 2019)

    Living in the Gray

    • GDPR is new

    • GDPR compliance does not guarantee global data privacy compliance (and vice versa)

    • DP compliance program is only as good as a company’s ability to administer it

    • Data privacy is not always the best “risk driver”

    • Overcome the impulse to “just do something” because data privacy

  • 3


    • Often more important than the raw text of privacy laws• Actual enforcement

    • Policy statements

    • Common sense

    • Data security

    Reconciling Regimes



    Middle East / Africa


    • U.S.: HIPAA; state laws

    • Canada: provincial laws

    • Latin America: databases, etc.

    • GDPR

    • Implementing legislation

    • Non-EU countries (and Brexit)

    • Many countries without comprehensive laws

    • China cybersecurity Consent-based legislation

  • 4

    Business Feasibility

    • What are the biggest tensions among data protection laws worldwide?• Treatment of “consent” (particularly re: employee data)

    • Challenges in administration• Additional burdens on finance, IT, marketing

    • What happens when local subsidiaries interpret data privacy issues differently from HQ and each other?

    • “Translating” GDPR-driven concepts

    • What can and can’t be harmonized?• Registration of databases? DPO?

    “Because Data Privacy”: Ask Yourself…

    • Does data privacy law really require it?• Do multiple provisions apply? Which is more relevant?

    • Do data privacy best practices really warrant it?

    • What are the consequences of a “because data privacy” approach here?• Has the data privacy issue ever actually been enforced?

    • Will this approach lose substantial business, jeopardize contractual relationships, or undermine the integrity of an analysis?

    • What are the consequences of the alternative?

    • How to push back on “because data privacy”?

    • How to handle pushback on “because data privacy”?

  • 5

    Because “Can’t Collect There”

    • When EU residents call ethics line, stern voice says “If you are calling to report harassment or conduct of this nature, PLEASE HANG UP NOW.”

    • Employer collects certain information everywhere but EU and then uses it for succession planning and diversity, effectively excluding EU from diversity initiatives.

    • Call center decides not to record calls from Europe, effectively excluding Europe from quality assurance.

    • Employer fires a whistleblower for recording his boss engaging in illegal conduct.

    Because “Can’t Transfer”

    • Netherlands vendor refuses to provide data to U.S. in-house counsel.

    • Target company refuses to provide names of employees in due diligence.

    • UK veterinarian refuses to tell kennel medical information about a cat in the kennel.

    • Germany campsite refuses to tell a family member whether the person they reported missing was staying there (but was willing to “provide them a message if they were hypothetically staying here”).

    • Research organization’s third-party client asks research organization to get a second consent from research subject to transfer the data to the client (and will not transfer data of those who do not opt in).

  • 6

    Because “Data Subject Access”

    • Company anonymizes data to be transferred, but provides “key” to transferee so that data subjects can exercise their “right to be forgotten.”

    Because “Confidential Investigation”

    • Company tells subject of an investigation who requests the entire report that it cannot send due to others’ personal data.

  • 7

    Because “Data Controller Liability”

    • IT department required to fill out long and tedious questionnaires before engaging any vendor, becomes backlogged on IT requests.

    Because “There’s Some Random Hypothetical Touchpoint to Europe Somewhere”

    U.S. university undertakes massive data privacy audit, data-mapping, etc., because some of its alumni listserv may reach EU residents.

    U.S. company sets up geotethering for limited data in its one Europe location for its one Europe employee (in a country where geotethering is not required).

  • 8

    Because “Brexit” in Your DP Documents?

    • Is this necessary?

    • What reasons might there be not to include?

    “Any references to the EU are deemed to include the United Kingdom…[parties] shall comply with any changes to this [Agreement] that are necessary under [applicable law] as a result of the United Kingdom’s departure from the European Union and/or the European Economic Area.”


  • 9

    Ben Buckley (Rogers Corp.)

    Roger James (London)

    Bonnie Puckett (Atlanta)

    “Because Data Privacy”Where data protection and the real world collide

  • Benjamin Buckley serves as the Divisional General Counsel and Corporate Director of Global Compliance & Integrity of Rogers Corporation. Benjamin started at Rogers Corporation in October of 2014. Benjamin currently resides in the Hartford, Connecticut Area.

  • Roger JamesPartner  ||  London

    Roger is a London based partner and member of Ogletree’s International

    Practice Group. He has a particular niche in international issues and

    alongside his UK workload he oversees the challenges of employing

    people in multiple jurisdictions for multinational clients.

    Roger’s clients are across all sectors and range from global

    multinationals to SMEs. His work covers all aspects of employment law

    across multiple jurisdictions including in particular:

    Executive hiring and firing

    RIFs and restructuring

    acquisition, due diligence and harmonisation

    investigations and litigation

    union and industrial action issues

    Roger qualified in ���� and joined Ogletree in May ���� from an

    international firm where he had headed the Employment Team and split

    his time between the firm’s UK and Singapore o�ces. As such Roger has

    particular expertise dealing with labour and employment law issues in

    Europe and Asia.

    Roger prides himself on giving practical, commercial, proportionate

    advice on what you can do and how to achieve it in the most sensible

    way – and not to just quote law, sit on the fence or cite problems

    without solutions.


    Universi� of Wolverhampton Law School, ����

    Universi� of Wales, ����

    Admi�ance to Practice

    United Kingdom[email protected]://

  • Bonnie Pucke�

    Shareholder  ||  Atlanta

    Bonnie Pucke� leads the firm’s Asia-Pacific practice, advising on all

    �pes of cross-border and global employment ma�ers within the Asia

    region and worldwide. Some of her major work includes preparing

    contracts, handbooks, and corporate policies designed for worldwide as

    well as country-specific use. Bonnie develops business-practical

    solutions for employers confronting various international challenges

    from onboarding, to compensation structure, to performance

    management, to transactional diligence and post-transaction workforce

    integration, to reductions in force. Guiding employers through

    international expansions and divestitures, Bonnie develops sta�ng

    solutions and helps clients manage costs and risks e�ectively, including

    those associated with tax, payroll, data, and employment-law

    compliance. Bonnie counsels employers regarding protection of

    proprietary information, data privacy, and administering restrictive

    covenants worldwide, helping clients achieve and administer global

    procedures as well as local compliance.

    Global mobili� and expatriate workforce comprises a significant focus

    of Bonnie’s practice. She designs and executes customized global

    mobili� programs and cross-border immigration risk profiling, and

    prepares all expatriate-related documentation including cross-border

    remote worker arrangements, assignment agreements, intercompany

    service agreements, expatriate packages and documentation, and tax

    equalization policies. She regularly oversees outbound immigration

    ma�ers, with extensive experience in Canada, China, and Hong Kong.

    Bonnie routinely helps clients navigate di�cult issues and conflicting

    regulations involving border operations (in particular, Canada-U.S. and

    China-Hong Kong), and executives and sales employees with

    responsibili� for multiple countries.

    An experienced litigator, Bonnie helps clients resolve disputes involving

    current and former overseas employees, defending companies in

    complex United States-based litigation with international issues and

    providing strategic direction on litigation overseas in countries such as

    China, Hong Kong, Japan, and the Philippines. She advises on cross-

    border dispute resolution issues and procedural requirements, such as

    multi-country litigation, service of process in foreign jurisdictions,

    personal jurisdiction over foreign defendants and venue arguments,

    conflicts of law, and judgment enforcement. Bonnie has litigated state

    and federal wage-hour class and collective actions and discrimination

    lawsuits under statutes such as Title VII and the ADA.

    Bonnie has extensive experience handling ma�ers throughout the Asia-

    Pacific region, including China, Hong Kong, Taiwan, Japan, Korea,

    Singapore, India, Australia, New Zealand, Malaysia, Vietnam, �ailand,

    and Indonesia; her regular practice also involves Europe (including

    Spain, Italy, and the Netherlands) and the Middle East (with particular[email protected]://

  • expertise in the United Arab Emirates and Israel). Bonnie assists

    government contractors with sta�ng and mobili� decisions involving

    an expatriate workforce in hazardous locations.

    Bonnie writes and speaks regularly on workforce management in Asia,

    as well as other topics relevant to the global employer such as mobili�,

    global compliance, international restrictive covenants, investigations,

    gender equali�, contingent workforce issues, and data privacy.

    Bonnie clerked for the Honorable Beverly B. Martin at the United States

    District Court for the Northern District of Georgia. While in law school,

    she was an Articles Editor for the Universi� of Michigan Law Review.


    J.D., cum laude, Universi� of Michigan Law School, 

    B.A., , Linguistics, magna cum laude, Cornell Universi�, ����

    Admi�ance to Practice


    New York

    Georgia Court of Appeals

    Georgia Supreme Court

    U.S. District Court, Middle, Northern and Southern Districts of Georgia

    U.S. District Court, Eastern and Southern Districts of New York