'Piece-by-Piece' US Is Catching Up With the GDPR, Says Squire Privacy Co-Chair

Squire Patton Boggs’ newest data privacy and cybersecurity group co-chair shares the top cases lawyers are watching in the European Union and beyond, and why the U.S. isn't that far from having a GDPR-like approach to data privacy.

Squire Patton Boggs’ data privacy and cybersecurity practice group co-chair Rosa Barcelo.

It’s not just oceans separating the European Union and the U.S. Some would say that the U.S. is lagging behind the EU because it doesn’t have a national data privacy law while the EU has the broad General Data Protection Regulation (GDPR). But Squire Patton Boggs’ recently promoted data privacy and cybersecurity group co-chair Rosa Barcelo says upcoming U.S. data privacy laws aren’t all that far apart from the GDPR.

In her new role, Barcelo will expand the firm’s international data privacy team, which she joined in October 2018 as a deputy chair. Before coming to the firm’s Brussels office, she served as deputy head of the cybersecurity and digital privacy unit of the Directorate‑General for Communications Networks, Content and Technology (DG CONNECT), which carries out the European Commission’s digital economy and society, culture and media policies.

Speaking with Legaltech News, Barcelo discussed how cookies, privacy shields and contractual clause rulings will impact clients, and how the U.S. may have a GDPR-lite on its hands. This conversation was edited for clarity and brevity.

Legaltech News: Do you think there will be any repercussions from last week’s Court of Justice of the European Union’s Google de-referencing ruling?

Rosa Barcelo: It’s a case that in my view is focused on search engines. It will have repercussions for Google, but for the moment I think it’s extremely focused on the specifics of this case. There are not that many search engines around that you can easily apply it to. … I don’t see it as a ruling that overly affects other areas.

Do you think the court’s proportionality could be applied in other cases?

I think the European Court of Justice has applied the same sort of principle in other cases in the past. I think it’s a principle the European Court of Justice will continue to use.

Are there any pending rulings in the European Court of Justice you are watching closely?

One needs to remember the cases that are pending before the European Court of Justice about the validity of the Privacy Shield and also the standard contractual clauses because these are the elements that allow data to move from Europe to the U.S. We have two cases that are supposed to be decided around January next year. [The rulings are] also something that is important when advising clients because if we tell them to use these tools, it’s important to say, ‘Yes, these tools may be perfectly valid, but there are some question marks.’

Following yesterday’s ruling on website cookies, what issues around consent are clients struggling with?

I think that where companies are asking for guidance is how you should ask for consent. In the past, you would see some websites that would say, ‘If you continue browsing this means you are giving consent.’ I think there’s some pushback from regulators, and we will see whether these types of actions are affirmative and true expressions of consent of the individual or the individual wanted to continue browsing but didn’t necessarily mean he wanted to consent.

Can you say, ‘Well, unless you give us your data, we will not let you in’? When you make money out of the data and your business model is based on the data you collect, you might want to restrict access or otherwise you don’t get the remuneration that was coming from this data.

How are you seeing data protection laws and regulations evolving in the European Union, U.S. or globally? 

I found that you in the U.S. are having a great moment. … I understood that the person who proposed the CCPA, Alastair Mactaggart, is now supporting a new initiative that will [include] an authority enforcement similar to a European data supervisory authority that will be able to enforce the CCPA more.

I was thinking in the U.S. they will piece-by-piece end up with a sort of GDPR. The U.S. is catching up. I wouldn’t say the CCPA is like the GDPR but there are many elements. One of the elements that the CCPA doesn’t have is a supervisory authority European-style. But when I saw California [may] have something similar, bit-by-bit the U.S. is marching along and is starting to look like the GDPR, at least in California.