Impact of international privacy laws on U.S. companies

Published Mar 16, 2016

Co-chairs of the Jeffer Mangels Cybersecurity and Privacy Group, Robert E. Braun and Michael A. Gold, discuss Impact of international privacy laws on U.S. companies. The other videos in this 4-part series include: Why companies need a cybersecurity training program; First steps to take when there’s a data breach at your company; and Cybersecurity for middle market companies.

Bob Braun: Let me ask you this–another challenge that you and I have talked about a lot and we've agreed that it's not necessarily addressed, is the challenges of international privacy and security requirements.

Michael Gold: International is huge. You'll recall that last year when we began to have more and more dialogues with clients and perspective clients about international privacy and data security, very often what we would be met with is, "Look, I don't do business in Europe. I've got an office in the San Fernando Valley or I've got an office in downtown Los Angeles or in San Francisco. I don't do business in the European Union. I don't do business in any number of places where you say we have to be compliant with local data security and privacy law." It turns out that it's the rare company these days that doesn't have some international cybersecurity law exposure. It can be very, very complex because cybersecurity law throughout the world is not uniform. You've got the rather comprehensive, principle-based, very robust European Union data privacy law. But you go to other regions of the world and there's either no privacy law, or the privacy law is criminal-based as opposed to civilly-based. You got very fragmented laws. Japan is a good example of that. In comparison to the United States where there is no comprehensive cybersecurity law; where the law is incredibly fragmented and sectorial. International has been big; even when people didn't realize it was major. And it's going to get bigger and bigger and bigger. And I'll ask you some questions about the upcoming changes in European Union data privacy law that are going to create some enormous pressures on American businesses that actually conduct business or control or process the personal data of European Union residents and citizens.

Bob Braun: You know, it's true. Europe has been working under a data protection regime since 1995. It's been out there for 20 years. And it is something that's become increasingly fragmented because it requires every member of the EU to adopt the policy. But those policies are somewhat different. And it's created a lot of problems in the United States because is not considered, and should not be considered, a data-safe country. However, sometime in the next 12 to 24 months, it's likely that the EU is finally going to adopt a comprehensive data privacy regulation. The biggest change there, is that it is going to subject any company that does business in Europe – where it collects information from EU citizens – to their regime. You can actually become liable in the EU without stepping outside your door in the San Fernando Valley or in downtown Los Angeles. And I think that's going to go the same way that data breach policies in the United States have gone – where the existence of 48 data breach policies have led us to look to the lowest common denominator to figure out where your liability is. We're going to be looking toward Europe, and Europe is effectively going to create data security regulation in the United States because we're going to comply with it.