Will Europe raise the privacy bar?

A look at Europe’s sweeping privacy law and what it means for global real estate firms and other businesses

The flag of the European Union and the Lower Manhattan skyline

Since Europe’s data protection law went into effect in May 2018, regulators have received reports of more than 59,000 personal data breaches, a February study from the global law firm DLA Piper found.

The General Data Protection Regulation, or GDPR, requires organizations that are based or do business in the European Union to report privacy breaches within 72 hours, among several other mandates. While figures are scarce on which kinds of companies have been impacted by the new law, experts say it has serious implications for all businesses that collect personal data, including real estate firms.

“This is a complete overhaul of EU data protection law, and it does make people nervous because we don’t know exactly how certain things will be impacted,” said Chloe Kite, an attorney at DLA Piper in London.

GDPR also impacts companies in the U.S. that deal with people in the EU. International players like the Blackstone Group already have GDPR notices on their sites. And many believe it’s a matter of time before similar federal legislation works its way to the States.

But experts say it’s still too early to tell exactly how regulators will apply Europe’s sweeping law, and whether they’ll look for high-profile cases to make examples of. According to the DLA Piper report, only 91 fines have been doled out since GDPR took effect — a low figure that indicates regulators may already be stretched thin.

In the meantime, companies have become compliant by mapping out what kinds of data they collect and how long they keep it. Patrick Wheeler, head of the intellectual property and data protection practice at the London-based law firm Collyer Bristow, said one of the key principles to consider is the law’s requirement of data minimization. That rule requires companies to keep only as much data as they need for business purposes, and to be ready to spell out what those purposes are.

“Indeed, one of the questions is, if you want to reduce the risk that you face in relation to data breaches, you should really ask yourself the question, ‘Do I need to have all this data?’” Wheeler said.