Three unintended consequences of data privacy rules

Robust regulations, however, are not without their drawbacks. Some will argue a strict privacy regime will have a negative effect on growing companies, create conflicting requirements in other instances, and potentially cause impediments to corporate investigations. We explore all three below … 

Slowing innovation among smaller companies

Will national and international consumer data privacy laws hit the brakes on what has been a years-long period of rapid innovation?

From a big business perspective, at least one CEO emphatically says no. In October, Apple CEO Tim Cook, speaking at the International Conference of Data Protection and Privacy Commissioners in Brussels, said his company supports a national U.S. data protection law that mirrors Europe’s General Data Protection Regulation.

Cook added that critics who claim data privacy legislation will hinder technology innovation are “not just wrong,” but “destructive.”

In written testimony for the U.S. Senate’s Commerce Committee in September, Keith Enright, chief privacy officer at Google, expressed concerns with various proposals for regulatory regimes, but added that there was a corporate benefit in ensuring public trust. “Collection and use of personal information can create beneficial and innovative services,” he wrote.

While large corporations can boast about the benefits of transparency and consumer trust, the current wave of data privacy laws, which include state efforts like California’s, run the risk of stifling innovation and overall growth at small- to medium-sized companies that lack the resources and manpower needed for compliance.

This effect, the National Association of Manufacturers wrote, commenting on data privacy rules under consideration by the U.S. Commerce Department, would be exponentially exacerbated if they do not statutorily preempt conflicting state laws. It also called for “international solutions to harmonize the U.S. rules with those in other regions of the world.”

Researchers are also putting some numbers to the problem and parsing the unintended effects of GDPR.

In a working paper published by the National Bureau of Economic Research, Jian Jia and Liad Wagman of the Illinois Institute of Technology and Ginger Zhe Jin of the University of Maryland studied “The Short-Run Effects of GDPR on Technology Venture Investment.”

“The negative effects manifest in the overall dollar amounts raised across funding deals, the number of deals, and the dollar amount raised per individual deal,” they wrote.

The paper notes that public concerns over the use of personal data have increased. Recent Pew surveys found that 91 percent of respondents believe they have lost control over how personal information is collected, and 66 percent said current laws are insufficient for protecting their privacy.

The enactment of GDPR, however, while satisfying these concerns, will have a negative effect on growing companies, particularly when it comes to venture capital and funding needed to innovate, produce, and expand. This manifests itself, particularly for start-ups, in the overall number of financing rounds and the overall dollar amount raised across rounds.

Their findings suggest a $3.38 million decrease in the aggregate dollars raised by EU ventures (per state, by industry category), a 17.6 percent reduction in the number of weekly venture deals, and a 39.6 percent decrease in the amount raised [by European companies] in an average deal following the rollout of GDPR,” the paper says.

The researchers later add: “One may argue that higher compliance costs may have a positive effect on innovation. We demonstrate that younger firms are particularly susceptible to the consequences of data regulation.”

—Joe Mont

Conflict between KYC and privacy regulations

For years, financial institutions have had to walk a regulatory tightrope, striking the right balance between compliance with regulations governing anti-money laundering with that of conflicting global data protection laws. But the far-reaching impact of GDPR creates further tension between these two compliance priorities.

On the one side, AML regulations require financial institutions to collect and process a vast array of personal data on entities and individuals during the onboarding process, or before engaging in certain business transactions with them, to defend against money laundering and terrorist financing practices. Know-your-customer (KYC) due-diligence procedures are a critical component of a robust AML compliance program.

Even as regulators around the world continue to expand the scope of financial institutions’ obligations to identify and verify their customers’ identities, the GDPR significantly restricts how they acquire and manage that customer data, creating numerous sticking points in a firm’s overall AML compliance framework.

“It might seem like those two things are in conflict when, in reality, they’re not,” says Stephen Ritter, chief technology officer at Mitek Systems, a firm that specializes in digital identity verification and mobile capture. The GDPR doesn’t prevent firms from satisfying their KYC obligations, but rather establishes requirements on how to do so in a secure fashion, he says.

Satisfying AML and GDPR obligations is possible—and, in fact, necessary—but it requires both a change in mindset and in the way that financial institutions operate. Start by understanding where AML regulations overlap with the GDPR, and then adjust AML and KYC policies and procedures accordingly.

At a  high level, firms should have in place data-driven policies and procedures that comply with the GDPR’s enhanced data-subject rights; make changes in the way they manage and interact with customers on a consent-based level; and implement data security controls and monitoring and auditing procedures, all of which can—and should—be automated with the newest privacy technologies that enable compliance with both GDPR and KYC obligations.

—Jaclyn Jaeger

Limitation on corporate investigations

Differing data privacy regulations from country to country and corporation to corporation could seriously impede internal investigations.

Prior to the 2015 Schrems decision by the European Court of Justice, which invalidated the Safe Harbor provision for transfer of personal, private data from Europe to the United States, U.S.-based law firms could use and analyze information from investigations conducted in Europe. That decision, however, along with the implementation of the U.S. Privacy Shield Framework and the enactment of the EU’s GDPR, has brought several internal investigation concerns—especially those around data privacy—into the light.

Unlike data privacy rules for U.S. corporations, employee e-mails and other types of employee data in EU and U.K. companies are covered by the privacy rights afforded to individuals and are not considered company property. Under the GDPR, the ability of a U.S. corporation to access that information and take it back to the United States is therefore hindered.

To move forward, a company must obtain the consent of the person being investigated. Obtaining such consent, however, raises a host of other problems. For example, for consent to be considered valid it has to be fully explained or, in legal parlance, informed consent. Consent cannot be a condition of employment. This means the company must inform the person whose data is being collected that it could be turned over to the U.S. Justice Department and the person could be subject to extradition to the United States under a criminal indictment.

Moreover, when the EU line of employee privacy rights is coupled with the new Foreign Corrupt Practices Act Corporate Enforcement Policy, trouble brews for any company seeking cooperation credit, as it will be required to turn over any and all information to the Justice Department as soon as possible. And, even if companies are able to gather facts and data through internal investigations by using local law firms, they might still not be able to get that information back to the United States to use.

Further, EU and U.K. prosecutors will likely be unsympathetic to people whose investigations are conducted in violation of EU privacy laws. The U.K. Serious Fraud Office has already lost one bribery prosecution in which a U.S. firm conducted an investigation that did not align with then-U.K. privacy laws. A corporate investigator will need a lot of careful thought to structure data transfers and even to structure interviews.

What does all of this mean for corporate compliance programs?

If one cannot use two of the key components in a best practices compliance program, based on the Justice Department/Securities and Exchange Commission Ten Hallmarks of an Effective Compliance Program or another related standard, it will put significant pressure on other parts of the program. A compliance program will have to be structured more rigorously to prevent compliance violations through the use of internal controls and transaction monitoring tools. Chief compliance officers and other compliance practitioners will also have to be more involved and have more visibility into the entire lifecycle of transactions so they can determine how to begin to move from prevention to proscription—a task easier said than done.

—Tom Fox