Comply or Else: New Data Rules Stoke the Need for More Privacy Lawyers

With new regulations being adopted around the world, companies are looking to legal experts to keep them from paying hefty compliance fines.

by Kate Galbraith, San Francisco Chronicle / July 23, 2018

(TNS) — Salesforce is hunting worldwide for lawyers focused on data privacy. So is Google. Newly public Okta, a San Francisco software firm, also wants to hire a privacy-oriented lawyer. Same with cloud service Twilio.

The list goes on.

Data privacy, once a second-order subject in Silicon Valley, has rocketed to the fore thanks to a battery of new laws. Europe’s groundbreaking data-privacy rule, the General Data Protection Regulation, took effect in May and requires continuing vigilance. Last month, Sacramento lawmakers piled on with a hastily passed law called the California Consumer Privacy Act directed at companies pulling in at least $25 million in annual revenue.

Among the big winners in the scramble to comply? Lawyers and corporate information-technology firms.

The issue of privacy “has virtually taken over my practice,” said Cynthia Cole, a special counsel with Baker Botts who is well-versed in Europe’s new GDPR regulations. For example, she said, some of the disclosure paperwork in mergers and acquisitions — specifically, the data privacy representation of a company being bought — has grown from a few lines a year or so ago to three pages, as companies list topics like the various laws they have complied with.

Interest has surged particularly as companies implement technology such as blockchain and artificial intelligence, because many of them touch on data privacy issues, according to Brandyne Russell, a managing director at Major, Lindsey & Africa, a global legal recruiting firm.

“Where certain companies may have had a lawyer who wore a few hats including privacy, many companies are now creating dedicated roles for that (and) building small teams,” said Ray Everett, a longtime privacy expert who manages consulting projects for TrustArc, a San Francisco compliance and risk-management company.

For companies, compliance can be costly. “It can go well, well into the millions, depending on the size of your company,” Cole said.

And American companies may spend more than their European counterparts.

Over the years, U.S. firms have dealt with discrete privacy rules, like the specific laws governing health care records or the identity data guidelines in financial services, but have not had to contend with any overarching regulations.

By contrast, European companies “have been dealing with data privacy since the ’80s ... so this is not new for them,” Cole said. “To comply with GDPR, they didn’t have to go back and revisit their entire business model.”

Tech firms, too, have seen increasing interest.

Ray Everett said his consulting team had grown five-fold during the past 18 months, as its number of projects has ballooned. (TrustArc, whose products and services help companies review their compliance and develop policies around privacy, is stocked with technical experts and lawyers but does not practice law.)

There has been “a change in the nature of the work,” Everett said. While law firms have long worked on privacy aspects of contracts, notices and other documents, now firms’ needs are expanding to new areas, like developing processes and technologies to manage data flows and compliance reporting across the company.

There are plenty of pickings for lobbyists, too. California’s privacy law, for example, was passed with such speed — roughly a week start to finish, as part of a deal to head off a tougher ballot measure on the same subject — that it will probably be amended before it takes effect in 2020. And while Congress seems unlikely to move quickly on privacy, other states are looking to pass rules. Colorado’s governor, for example, recently signed a data privacy law.

“It will sort of be like county liquor laws,” predicted Cole of Baker Botts, who expects more cities and states will move on data privacy.

Another major European regulation, known as the ePrivacy Regulation, is in the pipeline, governing the use of web-tracking devices like cookies.

The work, in other words, is “very much continuing,” Everett said. “The realization is that many organizations thought GDPR was a finish line they had to cross in May, and they’re realizing it’s very much of a lifestyle.”

©2018 the San Francisco Chronicle Distributed by Tribune Content Agency, LLC.