Do I really have to worry about the new European privacy rules?

Is it finally time to pay attention to European efforts to regulate privacy? At least according to PwC, the answer is yes.

Let’s face it – many Europeans regarded the former “Safe Harbor” as a loophole big enough to drive a truck through, and many US companies quietly agreed by effectively ignoring it. The GDPR is an attempt to address that more effectively, at least with respect to American companies with assets in Europe, particularly behemoths like Google and Facebook. As of May 25, 2018 most processing of European personal data will have to comply with the GDPR (General Data Protection Regulation), including processing by US-based companies. There are a few reasons for US companies to be more concerned about the GDPR than previous efforts to regulate privacy:

  • The GDPR has the effect of law, without the need for individual (and often inconsistent) country legislation.
  • All businesses which “target” EU nationals are subject to the regulation, no matter where they are based.
  • The fines have been increased significantly and can be tied to worldwide revenue, to ensure that they are meaningful for even the largest of companies.

Of course, it’s easy for EU officials to threaten Google, which has at least four data centers located in the EU, each presumably worth many millions of dollars. It’s a little harder for them to penalize US companies which don’t have assets on the ground in the EU, particularly given that US courts are likely to be skeptical of attempts to enforce the regulation against companies with no offices in Europe. So, how do you know if you should be worried about the GDPR? If you answer yes to any of the following you need to start getting your privacy house in order:

  • Do you have assets in Europe? As already noted, you should be GDPR compliant unless you’re willing to kiss those assets goodbye without compensation.
  • Do you have personnel in Europe? Even with limited assets on the ground, you need to consider the risk to your employees, and the subsequent risk to your company if they are penalized and decide to sue.
  • Is the European market important to you, or is it expected to be important to you in the future? Obviously, an adverse judgement in the EU could result in loss of any European-based revenue, to say nothing of the loss of customers due to bad publicity.

Notwithstanding the hype, companies with no footprint in Europe and minimal aspirations of success in the European market probably have little to fear from the GDPR. That being said, given increasing concern over privacy on this side of the ocean, even those companies may want to consider implementing some of the GDPR requirements, to minimize any penalties and to make compliance easier if and when it becomes necessary. Besides, better privacy practices may well make business sense for a lot of US companies.

How about Estonian law with your morning cuppa?

DailyTimes screengrab

It’s like the Hotel California, you can subscribe any time you like but you can never leave.

It’s not often you start the morning with an international legal dispute, and that before one’s morning coffee. This morning, from the kitchen, I was treated to the dulcet tones of my wife arguing with the London Times about cancellation of her online subscription. It turns out they only accept cancellations from the US via passenger pigeon on odd Tuesdays which have a full moon, and then only when written in the blood of a recently slain unicorn. Ok, not really, but as we haven’t actually figured out how one successfully cancels a subscription, that may in fact be the cancellation policy. Pro tip – don’t subscribe to the London Times.

Anyway, the interesting thing about that kerfuffle is the degree to which the average consumer worldwide is entering into contracts with companies in other countries, ostensibly under the laws of those countries. As consumers, however, those individuals remain protected under the consumer protection and other laws of their respective countries (or, in the case of the US, an odd patchwork of federal, state, and local laws). As a result, even a transaction as simple as a newspaper subscription or Facebook registration can give rise to significant legal cases with an international impact.

Many of those cases involve privacy and the EU-US privacy shield. Europe isn’t alone in its concern for the privacy of citizens, however, with a new decision extending the protections of Canadian Privacy to data disseminated outside of Canada (hat tip to Daniel Solove). While the US doesn’t really care as much (or perhaps at all) about privacy, there are laws like the Speech Act which attempt to protect US residents (in this case writers) from the effects of foreign laws which are against US public policy (in this instance, the right to free speech).

There are a host of other issues which arise from these contracts, however. Do companies like the Daily Times understand and follow US legal requirements like the Fair Debt Collection Practices Act or, in the case of selling (and upselling), the Telephone Consumer Protection Act? Even if they do, how does one collect a relatively small debt in a foreign country in an efficient and cost-effective way? In the other direction, Europe has extended its controversial “right to forget” worldwide, creating a compliance nightmare for Google and other big US tech companies, and an unresolved conflict for others without as much skin in the game in Europe.

The Internet makes international business possible from your kitchen table. What that means for public policy and protection for the consumer remains largely unresolved.

EU votes to impose restrictions on US travel


While the big news in US travel has been President Donald Trump’s travel ban, there are indications that travel to the US has become more difficult for travelers from all around the world, including valuable trading partners like Western Europe and Asia. While much of that has been anecdotal, reports of overzealous border controls and immigration raids would appear to be impacting travel to the US. The Economist reported that searches for flights to the US dropped 17% since Trump became president, with business travel dropping 3.4% in the week following the order. Based on our office’s experience, travel to the US, even for business travelers from Europe, has become a more unpredictable experience than before.

Now it looks like the EU is preparing to make American travelers to Europe share in the pain. According to a report in the Independent, the EU has passed a non-binding resolution recommending that US citizens no longer be permitted to travel within the EU visa-free. If implemented, US travelers could be forced to apply for visas for travel within Europe within a little over one year’s time. The EU has also been considering a registration requirement for US travelers to Europe which would presumably be similar to the US ESTA program. While both changes have been under consideration for some time, the timing certainly suggests that US policies have bolstered support for actions which might otherwise hurt the European travel industry.

Whatever the long-term results of this resolution, business travelers from both sides of the Atlantic can reckon with more bureaucracy and less flexibility when planning travel, at least until tensions between the US and EU lessen. Travelers to the US, even from visa waiver countries, should consider applying for a visa before traveling, particularly if they’ve traveled to the Middle East or other areas with connections to terrorism.