Do I really have to worry about the new European privacy rules?

Is it finally time to pay attention to European efforts to regulate privacy? At least according to pwc, the answer is yes.

Let’s face it – many Europeans regarded the former “Safe Harbor” as a loophole big enough to drive a truck through, and many US companies quietly agreed by effectively ignoring it. The GDPR is an attempt to address that more effectively, at least with respect to American companies with assets in Europe, particularly behemoths like Google and Facebook. As of May 25, 2018 most processing of European personal data will have to comply with the GDPR (General Data Protection Regulation), including processing by US-based companies. There are a few reasons for US companies to be more concerned about the GDPR than previous efforts to regulate privacy:

  • The GDPR has the effect of law, without the need for individual (and often inconsistent) country legislation.
  • All businesses which “target” EU nationals are subject to the regulation, no matter where they are based.
  • The fines have been increased significantly and can be tied to worldwide revenue, to ensure that they are meaningful for even the largest of companies.

Of course, it’s easy for EU officials to threaten Google, which has at least four data centers located in the EU, each presumably worth many millions of dollars. It’s a little harder for them to penalize US companies which don’t have assets on the ground in the EU, particularly given that US courts are likely to be skeptical of attempts to enforce the regulation against companies with no offices in Europe. So, how do you know if you should be worried about the GDPR? If you answer yes to any of the following you need to start getting your privacy house in order:

  • Do you have assets in Europe? As already noted, you should be GDPR compliant unless you’re willing to kiss those assets goodbye without compensation.
  • Do you have personnel in Europe? Even with limited assets on the ground, you need to consider the risk to your employees, and the subsequent risk to your company if they are penalized and decided to sue.
  • Is the European market is important to you, or is it expected to be important to you in the future? Obviously, an adverse judgement in the EU could result in loss of any European-based revenue, to say nothing of the loss of customers due to bad publicity.

Notwithstanding the hype, companies with no footprint in Europe and minimal aspirations of success in the European market probably have little to fear from the GDPR. That being said, given increasing concern over privacy on this side of the ocean, even those companies may want to consider implementing some of the GDPR requirements, to minimize any penalties and to make compliance easier if and when it becomes necessary. Besides, better privacy practices may well make business sense for a lot of US companies.

How about Estonian law with your morning cuppa’

DailyTimes screengrab

It’s like the Hotel California, you can subscribe any time you like but you can never leave.

It’s not often you start the morning with an international legal dispute, and that before one’s morning coffee. This morning, from the kitchen, I was treated with the dulcet tones of my wife arguing with the London Times about cancellation of her online subscription. It turns out they only accept cancellations from the US via passenger pigeon on odd Tuesdays which have a full moon, and then only when written in the blood of a recently slain unicorn. Ok, not really, but as we haven’t actually figured out how one successfully cancels a subscription, that may in fact be the cancellation policy. Pro tip – don’t subscribe to the London Times.

Anyway, the interesting thing about that kerfuffle is the degree to which the average consumer worldwide is entering into contracts with companies in other countries, ostensibly under the laws of those countries. As consumers, however, those individuals remain protected under the consumer protection and other laws of their respective countries (or, in the case of the US, an odd patchwork of federal, state, and local laws). As a result, even as simple transaction as a newspaper subscription or Facebook registration can give rise to significant legal cases with an international impact.

Many of those cases involve privacy and the EU-US privacy shield. Europe isn’t alone in its concern for the privacy of citizens, however, with a new decision extending the protections of Canadian Privacy to data disseminated outside of Canada (hat tip to Daniel Solove). While the US doesn’t really care as much (or perhaps at all) about privacy, there are laws like the Speech Act which attempt to protect US residents (in this case writers) from the effects of foreign laws which are against US public policy (in this instance, the right to free speech).

There are a host of other issues which arise from these contracts, however. Do companies like the Daily Times understand and follow US legal requirements like the Fair Debt Collection Practices Act or, in the case of selling (and upselling), the Telephone Consumer Protection Act? Even if they do, how does one collect a relatively small debt in a foreign country in an efficient and cost-effective way? In the other direction, Europe has extended its controversial “right to forget” worldwide, creating a compliance nightmare for Google and other big US tech companies, and an unresolved conflict for others without as much skin in the game in Europe.

The Internet makes international business possible from your kitchen table. What that means for public policy and protection for the consumer remains largely unresolved.

A cold wind on privacy

AMadison screenshot

Not just your moment; yours, Verizon’s, Amazon’s …

Standing outside in the chill of what passes for “spring” these days, with a cold breeze numbing the end of my uncovered ears (it’s SPRING for God’s sake), I listened to my fellow soccer parents discussing the merits of the Senate’s recent vote to rescind the FCC’s as-yet unimplemented rules on privacy for ISPs. Overall, I think most of the parents were pretty ok with the loss of some privacy in exchange for the perceived benefits of data sharing. Most of that had to do with the cool things technology can do when provided with access to data, like make sure your latté is ready before you actually arrive at Starbucks in the morning.

Listening, I was trying to think of why I’m not on board with that logic (other than the fact that I’m not a huge latté fan). Aside from the many concerning ways in which ISPs can and have used data, the bigger problem would seem to be that there’s no real guarantee that the data will remain with the ISP or their marketing partners.

First of all, big companies of all stripes are pretty terrible at keeping data secure. That means that, in addition to that cool relocation feature which allows you to pre-order a late on the drive to that early-morning soccer tournament, you may be letting hackers from the Ukraine into details about your life which may (or may not) allow them to hack into your bank accounts or determine the content of that highly sensitive e-mail you received.

Secondly, as lawyers well know, data of all types is discoverable in litigation, so those “innocent” late night visits to Ashley Madison may not be as private as you think they are. While much of that data is already available and discoverable from your e-mail provider or home computer, giving ISPs an incentive to keep and distribute that data certainly won’t improve matters any. Increasing the amount of data available also means more data available to the government, and while it’s nice to believe that only matters if you’ve done something wrong, that’s not always true. In Europe, the public and the courts have been fighting against mandatory data retention rules, even as the US arguably incentivizes the private collection of data.

For or against, there’s not much you can do to protect yourself against data collection – most Americans have limited choice in ISPs, and some have no choice at all. Short of running everything through a VPN, or simply not using the internet, it looks as though consumers have to get used to the idea that their traffic will be collected and shared by ISPs, the government, and pretty much everyone else who has access to it.