Blockchain Companies Bracing For Europe’s GDPR Rules – US Lawmakers Watching

News, Regulation | May 4, 2018

The European Union’s General Data Protection Regulation (GDPR) has a May 25 deadline, and it’s sending companies scrambling to comply with the new privacy regulations governing interactions with European residents. Severe financial penalties apply to those who do not implement the new regulations, and there’s no shortage of litigious actors waiting in the weeds for the compliance deadline.

Block Tribune talked with Antoine Guilmain, a member of the privacy/information protection group with leading Canadian law firm Fasken, about what to expect in the coming weeks.

BLOCK TRIBUNE: Give me a thumbnail definition of what the General Data Protection Regulation is attempting to do.

ANTOINE GUILMAIN: GDPR is the new piece of legislation in the EU, and the main idea is really to harmonize all the systems between member states of the EU. It’s the key goal of this regulation. In the past, we already had a directive dealing with the protection of personal data, but it was applied differently in the member states. The GDPR is then a binding legislative statute, which must be applied in its entirety across the EU.

BLOCK TRIBUNE: Okay, and the companies that will be most affected by this, are they in any particular sector? In other words, there’s a number of identity companies out there now but what would be affected I guess would be the question?

ANTOINE GUILMAIN: That’s a good question.

First, since it really covers all kinds of personal data, we have many fields affected by this GDPR. That being said, companies primarily concerned in the GDPR are obviously those based in the EU. However, the reason there is so much attention around the new regulation in Canada and in the U.S. is because the scope of application of the GDPR is wider than only having operations in the EU.

In short, if you are currently offering, or have an intention to offer, goods or services to EU citizens, your business could be subject to the GDPR, even if you don’t have any operations in the EU.

BLOCK TRIBUNE: How would that work? Would they sue you in the Hague or something like that?

ANTOINE GUILMAIN: Potentially, yes. We are still waiting for precedent from EU privacy commissioners. But yes, potentially even though you are not based in the EU, they could sue you and find a way just to make you pay a sanction. You may have seen the crazy amounts with the administrative sanctions of the GDPR; they could go up to 20 million euros or higher. Unfortunately, we are not currently in a strong position with the exchange rate between Canadian dollars and euros, so it is even more expensive in dollars.

BLOCK TRIBUNE: So, what should a company do to prepare for this onset of this law?

ANTOINE GUILMAIN: In the past month alone, I have received calls from at least 50 companies and organizations within Canada wondering what they should do to comply with the GDPR. The first question has been whether a specific company is subject to the scope of application of the GDPR. Organizations want to know if they need to designate a dedicated representative in the EU.

The second question is whether companies need to be compliant as a matter of reputation, whether or not they are bound by the regulation. That’s because when you are conducting business with European partners or European clients they would expect you to be compliant. Assuming the answer is yes, your first step is to assess the scope of your data and undertake a thorough mapping of the data you’re currently collecting from EU citizens. You want to know exactly your flows of personal information, and the way you use it, store it, share it, and so on. Once you’ve done that, you want to review all of your policies. It’s not only a privacy statement on your website, you want to review your data retention policies, along with your data processing agreements with customers or third-party service providers. There’s a legal aspect to those policies.

Equally important, you want to be sure that all relevant stakeholders are involved in the process. Because privacy is much greater than a legal issue. You want to involve people handling technical aspects, marketing, risk management, customer relations, etc. All of them need to work together to comply with the GDPR.

BLOCK TRIBUNE: Does the EU have a way that they’re going to be auditing companies for compliance?

ANTOINE GUILMAIN: Absolutely. As you may know, the regulation came into force two years ago, and becomes applicable starting on May 25th. There’s a difference between coming into force and being applicable, which is why May 25th is so important for companies. We are still waiting for a real precedent but my own guess is that it will take some months to see the first decision and perhaps sanction resulting from noncompliance. As a number of reports have indicated, many companies both inside and outside the EU are not ready for the GDPR. This does not reflect a lack of willingness to comply – rather it’s because it’s such a massive piece of legislation. It’s like a huge elephant. And when you want to go about eating an elephant you do it bite by bite and you need a plan. It could take several months or even years to execute. You want to establish a process within the company and incorporate this larger idea of privacy by design.

BLOCK TRIBUNE: Do you anticipate that there are a number of litigious plaintiffs just waiting for May 25th to act? Is there going to be a land rush on that date, or will it unfold gradually?

ANTOINE GUILMAIN: That is definitely possible. I think the privacy commissioners in Europe realize that the regulation represents a huge change for companies to comply with the GDPR. So, one hopes officials overseeing GDPR will be realistic about rushing to enforcement in consideration of the reality of many businesses getting to compliance. Companies want to do their best in adhering to the rules but at the same time it’s a question of time and money to invest in the process of being fully compliant.

BLOCK TRIBUNE: How will this affect the growth of the blockchain industry?

ANTOINE GUILMAIN: I think it will impact the field indirectly, at least at first. That’s because there aren’t specific requirements in GDPR for dealing with the blockchain. However, going forward, it is likely that some provision could have an impact in the field. Of course, blockchain by its nature is supposed to enhance data security and information behind transactions supported by the chain.

BLOCK TRIBUNE: If I could make you the head of the EU right now and give you the power to tweak this law, what would you do?

ANTOINE GUILMAIN: Thank you for the promotion! I think I would give more guidance in refining and defining the scope of the GDPR. There are areas where it’s not yet clear enough for companies on how to conform, especially for businesses outside of the EU. The European Commission really wants to protect EU citizens in safeguarding their personal data. For companies based in Canada and other non-EU countries, they want to do their best, but I don’t believe there is enough of a specific roadmap to really incorporate and follow the rules of the road just yet. So, I would probably be more specific and clear regarding the precise scope of application of the GDPR.

BLOCK TRIBUNE: Are there any other regions, countries, areas that are looking into similar laws to the GDPR?

ANTOINE GUILMAIN: People might say, “Well the GDPR, it’s the only uniform legislation in privacy across an entire region” – this is definitely misinformation. In Canada and in the U.S., there is an increasing set of laws and standards regarding privacy. But there’s a different approach regarding the protection of personal information. I think the GDPR is unique in this way, but businesses certainly have to confront the laws in the field no matter where they operate – including Asia and South America. I can point to PIPEDA, which is the federal privacy statute in Canada.

BLOCK TRIBUNE: What exactly will happen on May 25th?

ANTOINE GUILMAIN: That is a good question and it’s uncertain how the early days will go in terms of oversight and enforcement. Here’s an example: a few years ago, we saw the introduction of an aggressive anti-spam law in Canada called CASL, which allowed for a private right of action against companies that were in violation. It was pretty much just a concept. And at the outset, businesses were bracing for a flood of lawsuits, but it did not quite turn out that way. It may well happen in the EU, but my view is that you should not penalize a company simply because they’re non-compliant with one minor aspect of the GDPR.

I do think companies are right to feel anxious about potential enforcement and litigation. But for companies that can demonstrate they have a plan for compliance and are making a genuine effort to follow the regulation and take into account the requirements, it could mitigate their liability and exposure to enforcement. We’ll have to see in coming weeks how quickly the battle lines are drawn.

BLOCK TRIBUNE: Are US lawmakers going to be looking closely at GDPR as a model for future action?

ANTOINE GUILMAIN: The answer is yes, and certainly in Canada as well, where the legislators take a close look at the adoption of laws in Europe. GDPR will be viewed as a new standard of privacy protection and that will have an impact on laws in other countries. When you look back at the public testimony of Facebook’s CEO earlier this spring, he made an effort to reference the change coming in Europe. Right now, lawmakers in America and elsewhere will be considering whether to follow the European approach. At the same time, the protection of personal information is way more than just legal code. It is also really a matter of culture. Instead of trying to create a monolithic legislation all over the world, I believe each country, each jurisdiction should have specific laws regarding privacy within their borders. Even though data security and privacy are a worldwide concern, the laws have to fit the culture and expectations of the people living in each country.