How GDPR Will Conflict with Almost Everything

gdpr conflicted compliance cover
Share the knowledge

I was recently interviewed, in my capacity as an Internet law and policy attorney, and head of the Institute for Social Internet Public Policy, for an article sponsored by RSA about the impact that GDPR (the EU’s General Data Protection Rules), which goes into effect in the European Union in May 2018, is going to impact, well, everything. And, in particular, about how it will impact U.S. based businesses, because, trust me, it will.

The result was an article by Evan Schuman titled How GDPR Will Conflict with, Well, Almost Everything, featuring GDPR experts Bret Cohen, Esq., of Hogan Lovells; Barak Engel, CISO, of Amplitude Analytics; Philip Gordon, Esq., co-chair of the privacy and background checks practice, Littler Mendelson; Christoph Luykx, director of government relations for EMEA; and myself.

As Schuman’s article starts out explaining, “As CISOs struggle with preparing to comply with the imminent demands of the European Union’s General Data Protection Rules (GDPR) in May 2018, they are having to deal with some inherent contradictions between Europe’s view of security and privacy and that of the U.S government and industry compliance regulations. Consider the EU’s Right to be Forgotten (internalized within GDPR) versus U.S. Treasury rules for bank financial records to be kept for at least seven years. Or consider the same Right to be Forgotten versus the U.S. Combat Methamphetamine Epidemic Act of 2005, which requires purchasers of the over-the-counter medicine pseudoephedrine, commonly known by the brand name Benadryl (sic) {Ed. note: pseudoephedrine is actually the generic for Sudafed, not Benadryl, however this is a direct quote; we here at the Internet Patrol know the difference between Sudafed and Benadryl}, to be tracked via a federal database. Could an EU citizen demand to have overseas money transfers to a Swiss bank account deleted or to have unlimited access to congestion medications, contrary to U.S. rules or laws? As a practical matter, most observers argue that GDPR regulators will likely bow to reasonable law enforcement concerns such as the drug and financial record examples. But it gives a peek into the rough road many U.S. CISOs will have to travel as they try and become GDPR compliant. That said, the minefield for a multinational company CISO trying to avoid GDPR conflicts is vast, circling U.S. federal laws, federal agency rules, state laws and state agency rules, municipal laws and municipal agency rules and even industry rules such as Health Insurance Portability and Accountability Act (HIPAA) for healthcare and Payment Card Industry Data Security Standard (PCI-DSS) for payments, as well as the same groups of rules/laws in every country, including GDPR conflicts within Europe. For the most part, though, other than some law enforcement data retention requirements, the conflicts are matters of severity (such as how quickly breaches must be reported or how long data should be retained) as opposed to outright conflicts. Much of the controversy involves GDPR’s expansive definition of Personally Identifiable Information (PII).”

The full article on the headaches associated with GDPR has been published on the SC Magazine site, however it is behind a registration wall.

Get New Internet Patrol Articles by Email!

The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.

CashApp us Square Cash app link

Venmo us Venmo link

Paypal us Paypal link


Share the knowledge

2 thoughts on “How GDPR Will Conflict with Almost Everything

  1. GDPR even appears to conflict with itself. Imagine that two people, A and B, are both on a mailing list (operated by company C), and post to it, and thus have access to each others’ personal information.

    A and B both leave the list, but C is required to keep records of their previous membership, so that it can contact them if requested to delete personal information which they may hold because it was sent to the list while the were on it.

    A asks C to delete their personal information. C sees that B was on the list, and asks B to do so. Then C deletes its own records, including that A was on ever on the list.

    Now B asks C to delete their personal information. C no longer has complete records of who was on the list, so they cannot inform A to delete B’s personal information.

    Is that correct, or should C keep that record under the lawful basis, as it’s required to comply with the GDPR itself?

  2. Nice law. But it just cannot be done.
    USA Corps….. will merely concentrate on their country, and start divesting themselves of Europe. And well, EULA.
    The USA will likely insist on trials in the USA.
    USA corps…. will set up Euro-centric Corporations that license the Tech from USA firms. In Europe, they will follow European laws. In the USA, US laws.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.