EU Gives Thumbs-Up On Stricter Data Privacy Laws

A new consumer privacy and data protection law has hit the books in Europe that will give European consumers far more control over how their personal data is used.

European authorities, including representatives from the European Commission, the European Parliament and the 28 EU member states came to an agreement late Tuesday.

The General Data Protection Regulation (GDPR) will shore up Europe’s existing legal framework for consumer privacy rights, 1995’s EU Data Protection Directive.

The upshot: The regulatory environment in Europe is about to get tougher and US companies need to pay attention. [Click here for a solid rundown on the European Commission website.]

For one, companies will be required to appoint data protection officers. Organizations with access to personal data will also be required to get express consent from users and to give a clear explanation of what data is being collected and how it will be used.

It’s also a no-no to collect data for one stated purpose and then use it for another. That could prove tricky for companies that engage in online behavioral targeting.

“If you collect data for ‘purpose A,’ you can’t use the same data for different purposes without another legal basis,” a source close to the negotiations told AdExchanger. “When someone goes online and buys something in Europe, you can’t also use that for direct marketing. Simply buying a product online doesn’t mean that a person has also agreed that their data will be used for the purposes of receiving advertising.”

Misuse of consumer data will result in hefty fines. Penalties in the past were negligible. Under the new agreed-upon text, sanctions could run as high as 4% of a company’s annual global revenues.

The new rules will apply to companies that touch European consumer data even if they aren’t based in the EU.

Consumers will also have the right to be forgotten, aka the right to request that companies do away with data about them that is either out of date or no longer representative.

All of that presents quite a few challenges on the road to compliance.

“We don’t know how to implement those things yet,” said Trevor Hughes, president and CEO of the International Association of Privacy Professionals. “There are not many, if any, online marketing organizations that are set up to provide that level of customer authentication and service.”

One silver lining: In the past, EU member states could come up with their own rules, which meant that what applied in one country didn’t necessarily apply in another. That caused a lot of compliance headaches.

The new regulations will replace that legal patchwork and apply the same rules to each member state across the board.

“You don’t want to have to deal with 28 different laws, you want to have one set of laws … so you can scale more easily when you operate in Europe,” said Andrea Glorioso, counselor for the digital economy and cyber issues at the Delegation of the EU to the US, speaking at AdExchanger’s Programmatic IO conference in October.

It will also cut down on costs, said Věra Jourová, EU Commissioner for Justice, Consumers and Gender Equality, at the European Data Protection and Privacy Conference in Brussels on Dec. 10. “Businesses will benefit by saving around 2.3 billion euros per year only in terms of administrative burden and compliance costs deriving from the current fragmentation of national data protection laws,” she said.

Still, technology and Internet companies will have a lot of work to do to ensure compliance. But Hughes advised taking a deep breath – there’s a two-year implementation period before the regulation will be enforced.

“You will hear that the sky is falling, but we do have a long runway before this thing actually takes off,” Hughes said. “However, companies should pay attention to what’s happening. This is important stuff. The complexity is increasing as is the risk for noncompliance and the likelihood that regulators will feel empowered and start looking for cases to demonstrate what’s important under the GDPR.”

Although the new regs show significant differences in how the US and Europe approach privacy, there’s no real difference in how regulators in both places feel about privacy.

“In Europe, there are broad-based, omnibus regulations, while in the US, protections come when harm is identified and then strong enforcement comes from the regulators,” he said. “It’s hard to do a comparative analysis to say where one is better or worse. They’re different. Substantively, though, they recognize the need to protect the same thing.”

But even if the EU is cutting down on member state fragmentation, different approaches to privacy around the world will only get more complex. For example, Russia’s new data localization law could require businesses to store any personal data they have on Russian citizens in databases located in Russia.

There will never be a single global standard, Hughes said.

“This is one of the great tensions we have in the information economy, that different jurisdictions in the world will approach privacy and data protection in different ways,” said Hughes. “The Internet doesn’t pay much attention to international boundaries and data generally flows around the world all the time. It’s not like you can just switch off Russia, for example, so you have to figure out how to manage it.”
