An American Perspective on the GDPR One Year In

By Justin P. Webb and Sarah A. Sargent

©2019. Published in Landslide, Vol. 11, No. 5, May/June 2019, by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association or the copyright holder.

On May 25, 2018, the General Data Protection Regulation (GDPR)1 went into effect in the European Union (EU), and over the course of the last year, companies and attorneys alike have learned more about the regulation. Upon the regulation’s passing in 2016, it caused immediate panic and made companies across the world pay attention—in varying degrees, as reflected by the current level of compliance even one year in—given its unique extraterritorial applicability and steep fines. Since then, the GDPR has led to a series of mistakes in interpretation, unnecessary e-mails requesting data subject consent, revised privacy policies, and wholesale retooling or the establishment of privacy programs at companies across the globe, whether required or not. It has also caused headaches and unintended consequences for EU regulators and exposed understaffing on the issue of privacy across the globe. However, as companies have moved toward some semblance of compliance, much of the panic has transformed into pragmatism, both for companies subject to and not subject to the GDPR and for the regulators tasked with overseeing the GDPR, including the European Data Protection Board. This article discusses some of the lessons learned one year after the GDPR went into effect, with a particular focus on the GDPR as applied to American entities.
