Legal expert: EU regulation changed how businesses view privacy worldwide

Companies around the world doing business with Israeli companies can be on the hook with how Israeli companies use the shared data.

A picture illustration shows a Facebook logo reflected in a person's eye (photo credit: REUTERS/DADO RUVIC/ILLUSTRATION/FILE PHOTO)
A picture illustration shows a Facebook logo reflected in a person's eye
The EU’s General Data Protection Regulation (GDPR), which went into effect in May, has changed the way businesses worldwide view privacy and will continue to do so, an Israeli legal expert told The Jerusalem Post.
Public records have indicated that multiple social media giants currently face multi-billion dollar lawsuits in the EU – and some mega companies have blamed the GDPR for causing them to lose millions of users.
In an interview this week, Adam Snukal, Shareholder in Technology and Intellectual Property at Greenberg Traurig, Israel, discussed the overall picture, telling the Post that the writing had been on the wall.
“Leading up to May 25, I had described the GDPR as the beginning of a wave of new privacy regulations,” he said, adding with a dose of seriousness and humor that now this has been “manifested globally – it is a global reality… my ‘prophecy’ has very much come to fruition.”
He said that since the GDPR went into effect, new privacy laws have been unveiled in Japan, Brazil and the US, and many other countries are seriously discussing new laws.
There is still a significant difference between the EU and most other countries, he said. In the EU, privacy is a fundamental right of its citizenry whereas there is no such right in Japan, the US, Canada or other countries.
The EU will continue to be the leader on privacy issues which will only continue to expand in their impact, he said.
However, across the globe, “the GDPR is laying the foundation for a new era in which privacy is coming to the forefront of all aspects of our lives,” he proclaimed.
SNUKAL SAID that since the May 25 deadline to comply with the regulation passed, he is “seeing greater attention and efforts made than before… to become GDPR compliant. We are getting calls from companies that didn’t do anything before May 25.”
“There has still been a relatively low number of companies adopting and trying to be GDPR” compliant for three main reasons. “One is a lack of education among small and medium size companies. Two is the great deal of uncertainty people have regarding the regulations, how they will be interpreted… and implemented. It is still sort of a black box that no one has cracked,” he stated.
He said that in this area, even the largest companies are “no smarter than a start-up company about how the law will be enforced.
Many companies are taking the position that they will do the absolute minimum or stand on the sidelines until there is more direction… about how the GDPR fits into their company’s essence.”
The third issue is the lack of enforcement.
“What drove thousands of companies to implement GDPR programs was the fear…of penalties – whether 2% or 4% of revenue or 20 million euros – this was the greatest motivator.” For big companies, he said some were worried that violations could literally end their company.
But after all of this fear, “we have seen very little enforcement” according to what has been disclosed publicly. Snukal said that one of the major reasons for lack of enforcement could be that the EU privacy commission is understaffed and under-resourced.
And yet there are crucial exceptions where enforcement has captured the headlines.
TWO DIFFERENT groups of lawsuits by private citizens, one coming from citizens in Belgium and one from citizens in Austria, which are moving forward against some of the major social media giants despite the EU privacy commission’s lackluster enforcement.
Both groups hope that at some point the EU will jump on their bandwagon, but legally they can initiate suit on their own.
According to public records, the maximum total these plaintiffs could be awarded against the social media giants could run up to a game-changing $9.3 billion. Even if they win a lower amount, any fine in that range would motivate much greater GDPR compliance across a variety of industries.
In terms of Israel, Snukal said that the GDPR along with new Israeli privacy law regulations, which went into force in May, have companies generally taking local privacy laws more seriously than ever before.
He now gets “questions on a regular basis about how to comply with Israeli privacy laws” since they now “believe Israeli authorities are taking the laws more seriously, monitoring markets and looking to hand out fines.” He added that, with big lawsuits and headlines about social media giants and privacy in the news, there is generally just a much more elevated “awareness and concern about privacy.”
Moreover, “companies around the world, especially if they are tuned into the GDPR and privacy generally, realize they are not merely liable for their own actions, but are also liable for actions of third parties who they do business with.”
This means companies around the world doing business with Israeli companies can be liable how Israeli companies use the shared data.
Continuing, he said, “A ‘data controller’ is responsible not only for its actions, but also for its service providers, vendors and contractors. Israel for the most part is service providers and vendors. That includes smart video, big data, cybersecurity, [and] enterprise software.”
Finally, he said that companies are realizing that at some point they are “likely to get audited. You cannot throw things together overnight when you get audited,” without risking breaching contracts and being reported to EU regulators. “It could have a significant material adverse effect on your stock performance.”