Law students at American law schools take property, torts, and contracts during their first year. It is difficult not to view consumer privacy interests through one or more of those lenses, particularly when U.S. consumer privacy law has been based on a notice and consent, enforced by principles of fairness and non-deception reflected in the Federal Trade Commission Act and state consumer protection laws. For the most part, being explicit in a privacy statement about how consumer data is used, shared, and kept secure, and then living up to those promises while not acting in a way that would surprise or be unfair to a consumer, sums up the basics of U.S. consumer privacy law (nuance notwithstanding).
Given the broad jurisdictional scope of the EU General Data Protection Regulation, many U.S. attorneys are now struggling to interpret and counsel their employers and clients in how to comply with the law. Indeed, the Regulation’s complexity has been cited by nearly one in four U.S. organizations as the biggest compliance barrier by the May 25, 2018 GDPRenforcement deadline.
One other reason complying with EU data protection law is difficult, from my perspective as the IAPP’s data protection officer and a U.S.-trained attorney, is that the notion of data protection from the consumer’s point of view does not fit neatly into property, contract, or tort law principles. Instead, the GDPR paradigm reflects consumer rights and freedoms, bundles of interests that the consumer owns when they arrive to purchase a company’s goods and services and that may not easily be negotiated away.
While working to prepare an updated internal privacy policy for the IAPP, then, I did what Eduardo Ustaran suggested in an early 2018 tweet about how to start off the new year: “Read the GDPR. Read it again (Recitals and all).” As I read, I kept notes of key provisions that — more than others — seemed to me to reflect the foundational elements of the GDPR. What follows here is my “letter to the staff,” which is an attempt to translate parts of the GDPR to an American audience who will need to understand the Regulation to do their jobs.
Perhaps you will find this useful as you go about trying to explain the GDPR to your own staffs in the United States and around the world.
The nature of personal data
First, we need to get used to the term “personal data” instead of…
