In Europe, many companies and organisations are bracing themselves for the biggest shake-up in data protection and privacy for a decade with the forthcoming EU General Data Protection Regulation (GDPR). This one EU Regulation will update the former Data Protection Act Principles and the previous EU Data Protection Directive. In fact, the new EU Regulation is three times longer than the Data Protection Act 1998.
Under GDPR, US-based companies that have never set foot within the EU will face significant fines — between 2%-5% of global turnover — if they refuse to play by the new rules. This may sound like a nightmare scenario, but data protection and privacy laws across the largest single trading bloc in the world are just about to get harmonised.
There are several drivers for these changes and the big one is definitely privacy. The EU Data Protection Directive of 1995, which is still in force until GDPR has been agreed – possibly as early as the end of 2015 – established a broad set of principles with respect to the protection of privacy and personal data. However, each EU Member State was given wide discretion to implement these principles at a national level.
The result was that US companies faced a patchwork of data protection and privacy laws that made it very difficult to work out how to run marketing campaigns across the EU without the fear of falling foul of data protection and privacy laws that varied between different jurisdictions.
The legacy is that today, EU privacy and data protection laws are far from uniform, and their impact on commercial activities varies greatly, which is one reason why they will be swept away by the forthcoming GDPR.
At first glance, the concept of uniformity is extremely attractive. This new EU regulation has been regularly promoted as a means to simplify conducting business in Europe. However, the devil is in the detail, especially with respect to how GDPR will be implemented.
A central driver behind the introduction of the new EU regulation is to affirmatively enhance protections for individuals and their data — which will entail an inevitable, and in some cases potentially dramatic, increase in the regulation of companies, not to mention very substantial increases in the potential financial penalties.
US companies will be the controllers of personal data that belongs to the data subject and will also be responsible for directing the use of that data by processors.
There may be situations where US companies will be working jointly with processors for different purposes. Legal liability for ensuring protection of the data typically rests with the controller, although controllers may have claims against processors for data misuse and breach.
The GDPR proposes a significant change in this framework, establishing that controllers and processors may be jointly and severally liable for personal data breaches or other unauthorised use and/or disclosure of personal data, including direct claims by the affected data subjects.
From a commercial perspective, this new approach has the potential to immensely complicate routine transactions.
A vivid example of the impact on commercial operations can be seen in last year’s Google Spain v AEPD and Mario Costeja González case in the EU Court of Justice, which effectively established the concept of “the right to be forgotten”, now part of the forthcoming GDPR. A Spanish citizen filed a suit when a Google search of his name disclosed publicly available information regarding past financial reverses, alleging that he had the right to be forgotten for such ancient events.
The EU Court of Justice agreed and forced Google to implement a process for individuals to request that information be deleted from search results, which is a daunting task since the opinion provided little guidance on the limits of the “right to be forgotten.”
However, as of now, the results of the same Google search conducted in the US and in the EU may be different.
Internet marketing, the very model that’s inextricably embedded in countless commercial practices and increasingly sustains commercial activity on the internet, is at risk under the GDPR.
Specifically, “profiling,” the practice of developing a snapshot of an individual’s preferences, browsing history, purchases, etc., would be prohibited unless it is necessary to perform under an agreement, authorised by law, or explicitly consented to by the individual.
Behavioural advertising, targeted marketing or remarketing, email solicitations and other direct marketing practices will be less effective if they can’t be targeted using individual profiles, and therefore less valuable.
The collection of information on individuals as a basis for displaying personalised ads, one of the largest tools in the current toolbox of e-commerce, could suddenly disappear.
The question is not whether, but when, and just how the EU regulation is going to pass. Currently, the European Commission, the European Parliament and the Council are attempting to reach agreement on the final wording of the GDPR behind closed doors. But all indications are that agreement could be reached as early as the end of November this year and then US companies will need to change how they market under the two-year transition period.
So, if you’re reading this and are based in the US, then time is of the essence.