NewsOK Q&A: U.S. businesses react to newly enforced EU privacy law

oklahoma city health care attorney mary richard

Mary Richard is recognized as one of pioneers in Oklahoma healthcare law. She has represented institutional and non-institutional providers of health services, as well as patients and their families. She also has significant experience in representing providers in regulatory matters.

In this article, Oklahoma City healthcare attorney Mary Holloway Richard discusses GDPR, a newly enforced EU privacy law.

Q: What is the General Data Protection Regulation (GDPR)?

A: It’s a law regulating data protection and privacy for all individuals within the European Union (EU). It gives control to individuals over their personally identifiable information. It both standardizes the requirements throughout the EU and bolsters protections available to individuals amid well-publicized, costly data breaches in Europe. It’s a regulation rather than a directive, which means national governments within the EU don’t have to pass enabling legislation for these requirements to be effective. Rather, the regulation is directly binding on the members of the EU. The spirit of the General Data Protection Regulation also is embodied in recent legislation in the United Kingdom, providing consistency across Europe even though the U.K. withdrew from the EU effective in March. The regulation, passed two years ago, became effective May 22. Because of the length of time between passage and enforcement, there’s no transitional or grace period before compliance is required.

Q: How is this relevant to American businesses?

A: In certain circumstances the General Data Protection Regulation also applies to organizations and other businesses based outside of the EU if they collect and/or process personally identifiable information located within the EU. For example, U.S. companies offering a website to market their products or services to individuals within the European Community or scientific concerns actively engaged in recruiting individuals within the European Community to be subjects in clinical trials are required to comply. It’s important for such commercial concerns to act quickly to determine if they are covered by the General Data Protection Regulation as processors of data or collectors of such data from individuals within the EU. Concerned about the potential burden of compliance on foreign businesses, some international websites have taken steps to block EU users on the effective date, thereby removing the need to comply and ensuring against potential liability under the regulation. USA Today’s international website redirected users to simplified sites limited in scope. Other U.S. newspapers with European editions made them temporarily unavailable to readers in the EU. In another example of responses by U.S. companies, Instapaper, a read-it-later app, temporarily shut off access to European users to allow sufficient time for compliance.

Q: What type of data is protected by the General Data Protection Regulation and how’s it protected?

A: Personally identifiable information is anything that allows a living person to be identified directly or indirectly. Such data elements include name, email and home addresses, medical information, bank or other financial information, computer IP address and photos. A data processing officer must be appointed by businesses involved in processing or collecting data who is similar to a compliance officer with special information technology proficiency in managing and securing personal and sensitive data as well as a local representative for the company. Individuals have the right to the portability (access) of their stored data, erasure of data in certain circumstances, the right to file complaints with the data processing authority and the right to contract automated decision-making made on a solely algorithmic basis. Data breaches must be reported in a manner similar to the Health Information Portability and Accountability Act of 1996 and its amendments (HIPAA).

Q: You mentioned HIPAA. Is informed consent required for American businesses engaged in business in Europe similar to that required for HIPAA?

A: Personally identifiable information may be lawfully processed under the General Data Protection Regulation with informed consent or with a legal basis for doing so which ranges from legitimate interests of the entity collecting the data or a third party performing a task under official authority in the public’s interest, in compliance with the controller’s legal obligation, in fulfillment of a contract with a data subject, and to protect vital interests of a data subject or another person. There are some similarities to the HIPAA informed consent and the various exceptions to the consent requirement including the requirements of clarity and the opportunity to withdraw consent. As with HIPAA, individuals must be apprised of their privacy rights and their ability to withdraw consent at any time under the General Data Protection Regulation.

Q: Are there exceptions or limitations to an individual’s right of access to information?

A: Limitations to disclosure and the individual’s right of access to protected data exist for overriding interests such as national security. Further, in recognition of the importance of providing health care across country boundaries and clinical research to fight disease, the General Data Protection Regulation doesn’t apply to statistical and scientific analyses. A recognition of the need to maintain the integrity of clinical research resulted in the limitation of the erasure right of the individual. The strengthened data protections of the General Data Protection Regulation are limited in the face of requirements of good science although companies engaging in clinical research, including patient recruitment in the EU, will need to evaluate their data compliance plans considering the requirements of the newly enforced law. In addition, the General Data Protection Regulation doesn’t apply to data related to employer-employee relationships.


Published: 7/20/18; by Paula Burkes
Original article:

Roth: It’s twilight in Great Britain and the sunset is near

By Jim Roth, Director and Chair of the Firm’s Clean Energy Practice Group. This column was originally published in The Journal Record on June 27, 2016.

Jim Roth is a Director and Chair of the firm’s Clean Energy Practice.

Jim Roth is a Director and Chair of the firm’s Clean Energy Practice.

It’s twilight in Great Britain and the sunset is near

“The empire on which the sun never sets” is a phrase used for centuries to describe certain global empires that were so large that at least one part of their claimed territory was always in daylight.

This phrase was originally used for the Spanish Empire, mainly in the 16th and 17th centuries, and its most notable use has been in reference to the British Empire, mainly in the 19th and 20th centuries, when the British Empire spanned a global territorial size larger than any other empire in history.

Famously, the independence of the 13 colonies and the founding of the United States caused Britain to lose some of its most important territory, but its dominance across the globe continued strong into the 19th century with the Industrial Revolution and the power of the imperial British navy.

But much has changed since those days and not just through the independence of former British sovereigns such as India, Zimbabwe (last colony in Africa), Belize (last colony in the Americas) and Hong Kong (last in Asia) in the late 20th century, but also economically as the world economy has blurred the lines of sovereign nations and made regional and global trade a universal currency.

Gone are the days when Great Britain could rely upon steady supply lines of raw materials from all corners of the globe to feed its booming industrial complex and grow its economy. For decades its waning global dominance has perhaps been shrouded by its involvement in the European Union, where 28 member states, accounting for just 7.3 percent of the world’s population, constitute 24 percent of the global gross domestic product in one single market across its members. This combined market advantage has made Europe an economic amalgamation that has proven much stronger together than separate economies that were ill-suited for events like the Great Recession and financial crisis of 2007-08.

Yet, this past week’s Brexit vote for Great Britain to leave the European Union has perhaps hastened the sun setting on this once great power, forever. Gone are the territories in every region of the world, together with a once-dominant naval presence to move goods across the globe. Gone too are the manufacturing sectors and industrial output that once could have allowed Great Britain to better stand alone and even build its own military if required to defend itself as it did in much of the first half of the 20th century in Europe. Today, 74 percent of Britain’s GDP is the service economy, including the financial services sector, but much of which is reliant upon relationships with foreign investment and investors in the EU and beyond. And now gone soon will be the regional economic, political and military advantages that come with the European Union and Great Britain will stand alone, from sunup to sun down with a shrinking role in the world.

And for what? Because many aging British retirees fear the current economy and impacts to their government pensions? Because many lesser-educated and rural citizens and those with blue-collar jobs are mad at the immigration influx creating a more competitive workforce? They want “Great Britain first.” Those demographic distinctions are what actual polling results have revealed from the Brexit vote.

So older, less-educated, mostly rural citizens wanted to “take their country back” and “make Great Britain Great Again” and they have pushed their once great, global empire faster and further into the twilight of their own setting sun.

Does that fear sound familiar?

Jim Roth, a former Oklahoma corporation commissioner, is an attorney with Phillips Murrah PC in Oklahoma City, where his practice focuses on clean, green energy for Oklahoma.