Will Europe raise the privacy bar?

A look at Europe’s sweeping privacy law and what it means for global real estate firms and other businesses
By Rich Bockmann | May 09, 2019 12:56PM
The flag of the European Union and the Lower Manhattan skyline

The flag of the European Union and the Lower Manhattan skyline

Since Europe’s data protection law went into effect in May 2018, regulators have received reports of more than 59,000 personal data breaches, a February study from the global law firm DLA Piper found.

The General Data Protection Regulation, or GDPR, requires organizations that are based or do business in the European Union to report privacy breaches within 72 hours, among several other mandates. While figures are scarce on which kinds of companies have been impacted by the new law, experts say it has serious implications for all businesses that collect personal data, including real estate firms.

Related: Real estate’s surveillance state

“This is a complete overhaul of EU data protection law, and it does make people nervous because we don’t know exactly how certain things will be impacted,” said Chloe Kite, an attorney at DLA Piper in London.

GDPR also impacts companies in the U.S. that deal with people in the EU. International players like the Blackstone Group already have GDPR notices on their sites. And many believe it’s a matter of time before similar federal legislation works its way to the States.

But experts say it’s still too early to tell exactly how regulators will apply Europe’s sweeping law, and whether they’ll look for high-profile cases to make examples of. According to the DLA Piper report, only 91 fines have been doled out since GDPR took effect — a low figure that indicates regulators may already be stretched thin.

In the meantime, companies have become compliant by mapping out what kinds of data they collect and how long they keep it. Patrick Wheeler, head of the intellectual property and data protection practice at the London-based law firm Collyer Bristow, said one of the key principles to consider is the law’s requirement of data minimization. That rule requires companies to keep only as much data as they need for business purposes, and to be ready to spell out what those purposes are.

“Indeed, one of the questions is, if you want to reduce the risk that you face in relation to data breaches, you should really ask yourself the question, ‘Do I need to have all this data?’” Wheeler said.