Last Christmas, I read an amusing article on Santa Claus and whether he would need to comply with European Union (EU) Data Protection Laws. While amusing, it's really a cautionary tale. The North Pole entity in the story initially sees no link between what it does and EU laws, only to later find out that those laws have wide-reaching impact. Look at your own business in the same light and the picture can be scary.
The EU Data Protection laws are 20 years old, and yet U.S.-based companies are still struggling with when these laws apply to us and how to best comply with them. And while U.S. marketers work through those issues, the laws are going through a revision process.
The proposed regulation, replacing the current directive (which binds companies only through each member state's national implementing law, whereas a regulation applies directly), is called the EU General Data Protection Regulation (GDPR). You've probably seen articles about it, and if you're like me, you're waiting to see the final product before you get too excited. Like any law-making process, it's hard to predict the timeline. The EU Council of Ministers could agree on a position as early as June, but most pundits think we won't see a new framework until 2017. According to The Global Legal Post, EU ministers began those discussions on June 24.
There are some positives in the revisions, like replacing 28 separate national implementations with a single set of rules, and there will most likely be a seal or certification program which could clarify what compliance looks like. But there also are areas of concern, such as moving an already conservative approach to consent to an even more onerous standard, and setting fines as high as 5 percent of annual worldwide turnover (revenue, not profit). But we'll have to wait and see.
But while we wait, we can't ignore the current trends. What happens in the EU is putting significant pressure on the U.S. to strengthen our Safe Harbor program. The EU's dissatisfaction with Safe Harbor has been growing during the last five years, but Edward Snowden's revelations that the U.S. government had gained access to data on EU citizens have created a new firestorm of activity:
- The EU made 13 recommendations for cleaning up Safe Harbor in 2013. This is still an open issue.
- The FTC has brought and settled cases against a number of U.S. companies that either claimed Safe Harbor status without ever having it or let their Safe Harbor certification lapse while continuing to claim it.
- The Center for Digital Democracy has filed a complaint with the FTC against 30 more companies, alleging that their actual practices do not match the claims made in their Safe Harbor certifications.
- A case about Facebook's storage, security and treatment of European citizens' data has been referred by the Irish courts to the Court of Justice of the European Union; its outcome could find Safe Harbor inadequate in meeting EU data protection requirements.
- EU regulators would like the Right to Be Forgotten (RTBF) ruling to apply to .com websites, not just EU country domains, and to all data on EU citizens held in the U.S.