Will Europe raise the privacy bar?

A look at Europe’s sweeping privacy law and what it means for global real estate firms and other businesses

May 09, 2019 12:56 PM
The flag of the European Union and the Lower Manhattan skyline


Since Europe’s data protection law went into effect in May 2018, regulators have received reports of more than 59,000 personal data breaches, a February study from the global law firm DLA Piper found.

The General Data Protection Regulation, or GDPR, requires organizations that are based or do business in the European Union to report privacy breaches within 72 hours, among several other mandates. While figures are scarce on which kinds of companies have been impacted by the new law, experts say it has serious implications for all businesses that collect personal data, including real estate firms.


“This is a complete overhaul of EU data protection law, and it does make people nervous because we don’t know exactly how certain things will be impacted,” said Chloe Kite, an attorney at DLA Piper in London.

GDPR also impacts companies in the U.S. that deal with people in the EU. International players like the Blackstone Group already have GDPR notices on their sites. And many believe it’s a matter of time before similar federal legislation works its way to the States.

But experts say it’s still too early to tell exactly how regulators will apply Europe’s sweeping law, and whether they’ll look for high-profile cases to make examples of. According to the DLA Piper report, only 91 fines have been doled out since GDPR took effect — a low figure that indicates regulators may already be stretched thin.

In the meantime, companies have become compliant by mapping out what kinds of data they collect and how long they keep it. Patrick Wheeler, head of the intellectual property and data protection practice at the London-based law firm Collyer Bristow, said one of the key principles to consider is the law’s requirement of data minimization. That rule requires companies to keep only as much data as they need for business purposes, and to be ready to spell out what those purposes are.

“Indeed, one of the questions is, if you want to reduce the risk that you face in relation to data breaches, you should really ask yourself the question, ‘Do I need to have all this data?’” Wheeler said.
