Europe has long had stricter rules than the United States concerning personal data collection, use, and disclosure. Recently, the European Union further strengthened consumer privacy rights, and is considering even stronger data privacy rules that would give people greater say over how companies use their online data. Most visibly, Google has begun to remove search results linking to certain historical content following a Court of Justice of the European Union ruling that established a "right to be forgotten." Could it happen here? And what should your company do if it does?
The United States is not without privacy restrictions, particularly regarding financial and health-care information. Outside those sectors, companies have a great deal of leeway to define their own personal data policies, which consumers rarely read, let alone understand, when they click through a consent screen to use a mobile app or website. Europe, in contrast, has explicit statutes and government oversight regarding the collection and use of personal data, and gives consumers explicit rights to seek remedies for alleged violations.
How to Be Compliant with the European Privacy Laws
U.S. companies that receive personal data from the European Union and self-certify under the U.S.-EU Safe Harbor Framework commit to its seven principles. They are:
- Notice. You must tell individuals what personal data you collect, the purposes for which you use it, the types of third parties to which you disclose it, how to contact you, and what choices they have.
- Choice. You must allow people to opt out of any use of their personal data for purposes other than those stated in your notice, and of disclosure to third parties. For sensitive data (for example, health, ethnicity, political or religious beliefs), the individual must affirmatively opt in.
- Transfer to Third Parties (Onward Transfer). Before disclosing personal data to a third party, you must apply the Notice and Choice principles. A third party that processes data on your behalf must either participate in Safe Harbor itself or commit by contract to at least the same level of protection.
- Access. Individuals must be able to see the personal data you hold about them and to correct, amend, or delete information that is inaccurate, except where the burden or expense of providing access would be disproportionate to the risk to their privacy.
- Security. You must take reasonable precautions to protect personal data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.
- Data Integrity. You may only process personal data that is relevant to the purposes for which it was collected, and you must take reasonable steps to keep it reliable, accurate, complete, and current for those purposes.
- Enforcement. You must have procedures in place to verify your own compliance, and an independent recourse mechanism to investigate and resolve individuals' complaints. Generally, complaints against a U.S. company that has self-certified are handled under U.S. law, and formal government action is taken only if that private dispute-resolution process proves unsatisfactory.
In large part as a response to the Edward Snowden disclosures regarding National Security Agency (NSA) surveillance practices, the European Commission has recommended stronger compliance standards for the framework. The current recommendations are that any participating U.S. company must:
- Publish its own privacy policy, along with the privacy terms of its contracts with subcontractors, and describe the extent to which U.S. law allows public authorities to obtain EU customers' data for law enforcement and national security purposes
- Notify the U.S. Department of Commerce of onward transfers of personal data to subcontractors
- Subject itself to regular external audits conducted by the Department of Commerce
- Offer a dispute resolution system to EU citizens.
These recommendations are currently under debate, and the United States has objected to certain provisions, including disclosure of when a company might be subject to national security or law enforcement data access. Participation in the U.S.-EU Safe Harbor framework is voluntary. Companies that consider the cost of implementation and compliance a financial burden can stay out. Note, however, that a company which does self-certify makes a public commitment: a failure to honor its stated privacy practices can be pursued by the Federal Trade Commission as a deceptive practice under Section 5 of the FTC Act. The question, then, is whether sales and competitive standing will suffer if a company is not Safe Harbor compliant.
For now, it's best to assume that Europe will continue to strengthen its privacy laws. Regardless of the eventual outcome, it's good policy to place strict rules on maintaining data privacy and keeping customers informed about how their data is used -- not only to ensure legal compliance, but to maintain the trust of your customers in any country. Compliance eases the path into European markets for businesses expanding outside of the U.S.