As corporate legal departments brace for new European privacy protections set to take effect in May, a top in-house lawyer for Apple Inc. on Thursday predicted the rules—known as the General Data Protection Regulation—will put “heavy processing requirements” on companies that must give consumers more control over their personal information.
Apple vice president and chief litigation counsel Noreen Krall, speaking at the ChIPs Women in Tech, Law and Policy Global Summit in Washington, underscored the challenge companies face as they set up systems to handle consumer requests for the removal of personal data and to obtain consent for the collection of certain information.
“Basically it puts heavy, heavy processing obligations on companies” to deal with requests concerning the handling of consumer data, Krall said. She added: “So the heavy processing requirements on corporations doing business in Europe are just tremendous. It really does pose a challenge.”
The costs of failing to comply with the European Union’s new, uniform privacy regulations can be steep, with a maximum penalty of 4 percent of the violating company’s global sales revenue.
And the regulation is sweeping, Krall said during the Washington panel discussion, moderated by Caroline Krass, a former general counsel to the CIA who now leads Gibson, Dunn & Crutcher’s new national security team.
“The challenge is that it applies to all personal data, meaning any data that can be used, ultimately, to identify who you are. So it’s far beyond your name, your Social Security, your bank account. It’s your IP address, or your device ID, or a reference number to a customer, or a complaint or question that you brought in. For any organization, beyond tech, it just covers just about anything,” she said.
In the aftermath of the Equifax hack, which compromised the personal information of nearly half the adult U.S. population, corporate lawyers and others in the cybersecurity community have been buzzing over the European regulation’s requirement that companies inform regulators within three days of any reported data breach. That measure goes significantly further than what is required in the United States.
In her remarks Thursday, Krall said the European regulation’s standards for obtaining consent to collect and use personal information would be felt by consumers, and perhaps not always appreciated.
“The customer experience is going to be potentially dramatically changed by these regulations. It’s almost as if governments are dictating the enterprise design or system design or consumer experience,” she said.
Krall said she envisioned consumers signing up for a music service and, “all of the sudden you have to give your informed consent on very clear, very visible—‘OK, you can track this, you can’t track that. Don’t track my likes, track my plays.’ There’s all of that information.”
“It’ll be interesting to see how it will work when it’s enacted,” she said.
An expert panel at the Association of Corporate Counsel’s annual meeting in Washington this week looked at what companies are doing to prepare for the new rules. One takeaway: get in touch with the regulators.
“As you’re coming up with different ways to tackle different parts of the GDPR, one way to test these potential best practices is to get a meeting with the data protection authority and to walk them through [those],” Lisa Zolidis, privacy counsel for the Americas region at Dell Inc., said on one panel.