I think it’s fair to recognize that GDPR is synonymous with big business – from lawyers to business consultants of all types, there is no shortage of self-proclaimed experts offering GDPR-related services. However, how many of these “experts” are really experts in EU law and legally admitted to practice law in the EU? And why is this so important in the context of advising companies on how to comply with GDPR?
In this article, I explain why getting the right lawyer on board – and ensuring that that lawyer is trained as an EU lawyer and admitted to practice in the EU – is key to maximizing your chances of being deemed compliant with GDPR, including the “national derogations”, as well as with other EU privacy laws and regulations.
Ever since the EU adopted the new Regulation in April 2016 and granted a 2-year transition period for complying, all sorts of service providers have invaded the space to offer their services to companies that collect personal data of EU residents. With GDPR coming into force on May 25, 2018, many companies fear the huge fines that the EU will impose for the breach of the new regulation, and these companies are looking for expert assistance with GDPR compliance.
Law is a profession that is eminently local and whose practitioners are ill-prepared to advise on foreign pieces of legislation unless such local practitioners are also trained in and admitted to practice law in the foreign jurisdiction. Like any piece of legislation in any part of the world, the GDPR is the intellectual product of a specific culture and of a unique legal and regulatory environment. Its drafters were themselves trained as EU lawyers, the EU supervisory authorities that will be tasked with enforcing it are composed of EU experts, and the courts that will be asked to interpret the regulation are staffed with judges who are also trained in EU legal concepts and admitted to practice law in the EU. The same way that U.S. legislation is very much influenced by the U.S. cultural environment and frame of reference, EU legislation is the quintessential product of a very European approach to regulation and, particularly in the context of GDPR, a very civil law-based approach to regulation. The definition of privacy the drafters of the GDPR used in the regulation is a European definition, and is very different from the U.S. definition of privacy. The European definition is founded on rights and freedoms that are not only deeply rooted in European history, and particularly WWII, but which are also recognized in another very European piece of legislation, the European Convention on Human Rights. This definition of privacy, and the legal and regulatory framework in which privacy rights of EU residents are enforced, are very difficult for U.S. lawyers to understand, appreciate, and anticipate in connection with any advice they give on GDPR unless they have themselves also been trained as EU civil law (as opposed to common law) lawyers.
Being able to advise on GDPR, or on any EU piece of legislation for that matter, is much more difficult and complex than simply being able to read the English version of the regulation – which anyone can do. Apart from the distinct cultural foundations upon which GDPR was drafted, GDPR is also the result of intense political negotiations between the 28 Member States of the EU. As much as the GDPR was designed to uniformise a broken and unpredictable EU privacy regulatory framework comprised of a patchwork of 28 often contradictory national legislations, in the end the GDPR did not reach that level of perfect unanimity and Member States will still need to adopt their own law around GDPR. As a matter of fact, more than 50 areas addressed by the new regulation aren’t actually settled by GDPR, and the GDPR expressly invites the Member States to legislate these areas in their national law.
Like any lawyer currently advising on other pieces of EU privacy legislation such as the EU Privacy Directive 95/46/CE (which will be replaced by the GDPR) or the ePrivacy Directive 2002/58/EC (which remains untouched by the GDPR), a lawyer advising on EU privacy law, and the GDPR implementation in particular, cannot limit himself or herself to simply reading the text of the GDPR while ignoring the current 1995 and 2002 legislation and overlooking all current and future GDPR-accompanying national legislation in the area. Unlike the GDPR, the national legislation – for the most part – is in the local language and is built on a local legal and regulatory framework that only a locally-trained lawyer versed in the principles of the civil law and able to read the text in the local language can fully understand and advise on. Whenever personal data of residents of the EU is collected and processed, applicable law will be the interplay of national law, sometimes even regional privacy law and consumer law, and EU law. Any lawyer who advises on the impact of processing personal data in the EU will therefore need to advise on the EU text as well as on the various national data protection and consumer laws applicable to where the data subjects whose personal data is collected are based.
Clients who respond to an offer of assistance by or solicit the services of a U.S. lawyer on GDPR compliance should therefore check to ensure that that U.S. lawyer is also trained as a European lawyer and admitted to practice in the EU, that he or she has privacy experience in the EU or, if he or she has none of those credentials, that he or she works with an EU-admitted privacy counsel in connection with the advice that the U.S. lawyer is giving. The knowledge and experience of an EU trained and licensed lawyer is key to protecting not only the client but also the U.S. lawyer from a possible malpractice claim.
As a European and U.S. lawyer advising U.S.-based companies in their compliance with EU laws, including the GDPR, I personally find current times very exciting from a privacy law standpoint. Privacy lawyers on both sides of the Atlantic Ocean have in GDPR and accompanying legislation – current and yet to be produced at both the EU and EU Member State levels – enough to keep them busy for years to come. The International Association of Privacy Professionals (IAPP) has predicted that GDPR will lead to the creation of 28,000 Data Privacy Officer (DPO) positions at the EU level, while the Commission Nationale de l’Informatique et des Libertés, the French Data Protection Authority, anticipates thousands more just in France alone, and many of these new roles are being filled by lawyers. Despite Brexit, Elizabeth Denham, the UK Information Commissioner, has conveyed the country’s determination to implement the GDPR within its national law despite the UK leaving the EU in March 2019.
I am confident that with proper collaboration between U.S. lawyers and EU trained legal counsel, U.S. companies will be successful in meeting and complying with the requirements of the GDPR. We’re all in the same boat, so let’s get to work! If we can assist, let us know!