A sweeping measure to enhance safeguards for European Union (EU) citizens relating to how their personal data is used, stored, defined and handled goes into effect on May 25, 2018. The new privacy law, the General Data Protection Regulation (GDPR), provides enhanced safeguards for personal information and takes full effect immediately across the 28 member states of the political and economic union. The ripple effect from the GDPR will have a significant impact in the United States.

Under the GDPR, an EU citizen's personal data will no longer be transferable, sharable, salable, storable or otherwise usable without that individual's explicit, informed consent.  

If an EU citizen consents to having his or her data collected, "processed" or stored and the terms of that agreement change, then the entity in control of the data must get the party's explicit, informed consent to the new use. Consent given for one use does not extend to other uses even if the parties to the agreement are the same. Consent can be withdrawn at any time.

EU citizens will have the right to review their personal data to ensure it is correct and to demand that errors be corrected across all platforms. Parties will also have data portability, allowing them to reclaim their data from a vendor - i.e., Facebook - and take it to a competing service. They can ask that their data be deleted from everywhere it is being stored or retained - also known as "the right to be forgotten." That request might not be honored in every circumstance, depending on factors such as relevance and whether the data is of sufficient legitimate interest to the public.

As outlined in the GDPR, personal data includes biometric and genetic data, digital identifiers or "fingerprints" such as cookies, IP addresses and location data.

A party that has the means of, and purpose for, collecting the personal data of an EU citizen is the "data controller," and is responsible for the security and handling of that data. If the data is turned over to a vendor for processing - the "data processor" - the data controller is responsible for the vendor's work as it relates to the EU citizen's personal data. If the data processor outsources some of the work, the data controller is responsible for that vendor, and so on downstream. 

If an entity that holds personal data of EU citizens is hacked, those whose personal details are compromised must be informed within 72 hours of the data breach.  

The GDPR has wide-ranging implications for New York lawyers, because lawyers are, by default, data controllers.

If you regularly represent clients who are EU citizens, you must comply with the GDPR regarding any personal data you have about your clients and how the matters you handle for them intersect with the data of other EU citizens. And you probably have been working diligently over the past two years to ensure that you are in compliance with the new regulation.

If you regularly represent clients who are EU citizens, but you represent them only regarding New York matters, you also must comply with the new regulation because you have control of their personal data. 

If you are a New York litigator representing New York clients and you are conducting e-discovery before trial, if the personal data of EU citizens is gathered in that process, you must comply with the GDPR with regard to the handling of that data. If you hire a vendor to process the data, you are responsible for the vendor with regard to that data.

If you are not sure, perform a client assessment. Create a spreadsheet of your clients, the matters you are handling for them and actions being taken, and determine if there are any EU connections and whether you may be in possession of any EU citizens' personal data.

If you are in possession of the personal data of any EU citizens for a legitimate legal purpose, you are unlikely to run afoul of the GDPR because it includes such carve-outs. However, once the matter no longer requires use of that data, the data must be deleted. This is one point on which EU and New York rules may clash, because under certain circumstances New York law may require longer periods of retention.

If you are handling a matter that requires collection and processing of the personal data of EU citizens, consider hiring local counsel to do so. The security of data being transferred across borders was one of the issues that led to the GDPR. There are new provisions for such transfers but, for most lawyers, it is best to avoid cross-border transfers entirely if possible. 

Even if none of this now affects you or your clients directly, changes in the way personal data is handled in the United States may be on the horizon. Under heavy fire for allowing an app to "scrape" the data of about 87 million users and pass it on to Cambridge Analytica to use to influence the 2016 elections, Facebook CEO Mark Zuckerberg indicated his company would offer some level of GDPR privacy and data controls. That could force Google and others to follow suit, which may result in a higher level of data protection for US citizens. If that happens, it would likely mean new and greater responsibilities for anyone who is a data controller.

Stay tuned.

For more information - and 2.0 MCLE credits - view NYSBA's March 13th program "The GDPR and How It Might Affect the Practice of Law in New York," which featured a stellar panel of experts in the field. Purchase here: http://www.nysba.org/store/detail.aspx?id=VFD14

On Wednesday, April 25th, NYSBA's "Internet Law Update 2018: Understanding the Legal and Tax Environment of the Web-Based Business" will examine internet- and technology-related laws and regulations, focusing on privacy and cybersecurity developments in this ever-changing area of law. Sign up for the live program in New York City or the webcast, and earn 7.5 MCLE credits: www.nysba.org/InternetLawUpdateCLE/ 

Watch for NYSBA's Fall lineup on technology, which will include up-to-the-minute analysis on the internet of things, ethics, employees and their e-data, and what's up with the GDPR. Follow the CLE calendar: www.nysba.org/CLE