EU Gives Thumbs-Up On Stricter Data Privacy Laws

EUregsA new consumer privacy and data protection law has hit the books in Europe that will give European consumers far more control over how their personal data is used.

European authorities, including representatives from the European Commission, the European Parliament and the 28 EU member states came to an agreement late Tuesday.

The General Data Protection Regulation (GDPR) will shore up Europe’s existing legal framework for consumer privacy rights, 1995’s EU Data Protection Directive.

The upshot: The regulatory environment in Europe is about to get tougher and US companies need to pay attention. [Click here for a solid rundown on the European Commission website.]

For one, companies will be required to appoint data protection officers, and organizations with access to personal data will also be required to get expressed consent from users and to give a clear explanation of what data is being collected and how it will be used.

It’s also a no-no to collect data for one stated purpose and then use it for another. That could prove tricky for companies that engage in online behavioral targeting.

“If you collect data for ‘purpose A,’ you can’t use the same data for different purposes without another legal basis,” a source close to the negotiations told AdExchanger. “When someone goes online and buys something in Europe, you can’t also use that for direct marketing. Simply buying a product online doesn’t mean that a person has also agreed that their data will be used for the purposes of receiving advertising.”

Misuse of consumer data will result in hefty fines. Penalties in the past were negligible. Under the new agreed-upon text, sanctions could run as high as 4% of a company’s annual global revenues.

The new rules will apply to companies who touch European consumer data even if that company isn’t based in the EU.

Consumers will also have the right to be forgotten, aka the right to request that companies do away with data about them that is either out of date or no longer representative.

All of that presents quite a few challenges on the road to compliance.

“We don’t know how to implement those things yet,” said Trevor Hughes, president and CEO of the International Association of Privacy Professionals. “There are not many, if any, online marketing organization that are set up to provide that level of customer authentication and service.”

One silver lining: In the past, EU members states could come up with their own rules, which meant that what applied in one country didn’t necessarily apply in another. That caused a lot of compliance headaches.

The new regulations will replace that legal patchwork and apply the same rules to each member state across the board.

“You don’t want to have to deal with 28 different laws, you want to have one set of laws … so you can scale more easily when you operate in Europe,” said Andrea Glorioso, counselor for the digital economy and cyber issues at the Delegation of the EU to the US, speaking at AdExchanger’s Programmatic IO conference in October.

It will also cut down on costs, said Věra Jourová, EU Commissioner for Justice, Consumers and Gender Equality, at the European Data Protection and Privacy Conference in Brussels on Dec. 10. “Businesses will benefit by saving around 2.3 billion euros per year only in terms of administrative burden and compliance costs deriving from the current fragmentation of national data protection laws,” she said.

Still, technology and Internet companies will have a lot of work to do to ensure compliance. But Hughes advised taking a deep breath – there’s a two-year implementation period before the regulation will be enforced.

“You will hear that the sky is falling, but we do have a long runway before this thing actually takes off,” Hughes said. “However, companies should pay attention to what’s happening. This is important stuff. The complexity is increasing as is the risk for noncompliance and the likelihood that regulators will feel empowered and start looking for cases to demonstrate what’s important under the GDPR.”

Although the new regs show significant differences in how the US and Europe approach privacy, there’s no real difference in how regulators in both places feel about privacy.

“In Europe, there are broad-based, omnibus regulations, while in the US, protections come when harm is identified and then strong enforcement comes from the regulators,” he said. “It’s hard to do a comparative analysis to say where one is better or worse. They’re different. Substantively, though, they recognize the need to protect the same thing.”

But even if the EU is cutting down on member state fragmentation, different approaches to privacy around the world will only get more complex. For example, Russia’s new data localization law could require businesses to store any personal data they have on Russian citizens in databases located in Russia.

There will never be a single global standard, Hughes said.

“This is one of the great tensions we have in the information economy, that different jurisdictions in the world will approach privacy and data protection in different ways,” said Hughes. “The Internet doesn’t pay much attention to international boundaries and data generally flows around the world all the time. It’s not like you can just switch off Russia, for example, so you have to figure out how to manage it.”

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!

1 Comment

  1. I’m surprised by the tone of the article and the lack of accuracy. When talking about consent for example, the current version of the regulation mentions “unambiguous” and not “explicit” so using the term “expressed consent” here is rather misleading.
    The article goes on about not being able to use data for another purpose than for which the data had been collected for in the first place. Isn’t that kind of normal? If I, as a normal human being with a choice, decide to share my data with a company for something specific, which we both agree upon, why should this data then be used for anything else? aren’t I allowed to be informed about such subsequent use? the idea that Big Data might be killing one of the cornerstones of Privacy aka Purpose is rather passé.
    The article also fails to talk about a surprising evolution of the new regulation: requiring parental consent up to the age of 16 in Europe, and not 13 like in the US, under COPPA.
    Let’s face it folks, this law has been 4 years in the making and it’s time to be slightly more responsible with the data being collected and re-purposed. The carrot for adapting is indeed fines that might go up to 4% of global turn-over so let’s try to get our facts straight, set-up those required processes to make sure we keep within the limits of compliance and take on some responsibility for the data driven decision making we are all striving towards.