EU society generally prefers more government regulation of business than US society does. Europe is less starry-eyed about the benefits of capitalism than most of the USA. While EU citizens recognise the benefits business can bring, they don't see business as an alternative to government, and most believe that unregulated markets are harmful. EU citizens rely on their governments to keep business in check. The default assumption in the EU is therefore that data protection is a natural, necessary, positive step. The debate is about what form the regulation should take, not whether there should be any.
Historically each EU country developed its own data protection regulations, within a general framework set out by the EU. US companies could gather data on EU citizens provided the US company had signed up to the Safe Harbor agreement. This was a voluntary US code which aimed to restrict the use of personal data to the limits set out by EU requirements. In other words, Safe Harbor was an attempt to ensure that EU data in the USA would be treated the same way as it would be in the EU.
This has now changed. First, the EU's highest court struck down Safe Harbor, because US surveillance law did not extend legal protection, or any means of redress, to non-US citizens. Because of this, the US government could legally take EU citizens' data from US companies in a manner which violated Safe Harbor. The instant this happened, every transfer of personal data from the EU to the USA that relied on Safe Harbor lost its legal basis under EU law.
More recently, the EU has moved to put all the different national privacy regulations on the same footing, under a single regulation. Each EU country now has 2 years to bring its individual data protection rules into line.
How do the regulations affect US businesses?
Do you sell to EU citizens? Do you hold records on EU citizens?
The big change is in what determines coverage - from data location to citizenship. Previously what was covered was data stored or processed on computers inside the EU. Now it's the citizen. It doesn't matter if you are based in Mongolia, France or New Jersey: if you offer services or products to EU citizens, or process data about EU citizens, the EU claims jurisdiction. This may sound odd, but it is in accord with the principles of international law, whereby a country may claim jurisdiction over extra-territorial matters which affect its society or citizenry. You don't need any premises in the EU, or any legal entity in the EU; you only need to work with EU citizens' data.
Forget any idea that this will be undone by the courts. The rules about this have been very carefully drafted and are considered a masterpiece of legal wording by many lawyers.
Previously, each country could determine its own penalties for non-compliance. That's also changed. Now the maximum fine is 4% of global annual turnover (or €20 million, whichever is higher). Facebook is clearly and obviously violating the new regulations, so on its 2014 turnover it could be fined around $500 million. Google would have to pay $2.6 billion for what it currently does.
New forms of data.
The regulations expand the list of special categories of data, which require their own forms of treatment. Health information, which was already sensitive, is joined by genetic and biometric data, and all of it is treated as especially sensitive. It will require its own distinct handling inside the organisation.
It's not your information anymore.
The central belief within the regulations is that data about a person is their property, not yours.
You can't sell it to anyone. You can't reuse it for new purposes. They can force you to delete it anytime.
You can only hold or process data about an EU citizen as part of providing the service you offered to them.
You must get explicit consent to gather data, explaining what you will use it for. The consent must be clear and unambiguous. An "OK to Cookies" button, a "click to accept our T&Cs" and long complex privacy policies are all out. No one believes they constitute informed consent, as we all know, and the trick of a mere nod to the idea is over. If you want to process data about people in order to deliver targeted advertising, you'll need to get people to agree to it, and you'll have to tell them - in advance - the advertisers or outlets (at the very least, the categories of them) who will have access to that data. If you acquire new advertisers who want to use that data, you'll have to go back to the citizen and ask their permission first. Will this harm the online advertising market? Absolutely. Do EU citizens care? Not in the slightest.
Do you have a choice here? Not really. The regulations explicitly forbid the "take-it-or-leave-it" approach: consent doesn't count as freely given if using the service is conditional on agreeing to processing the service doesn't actually need. You can't say "these are our terms, if you don't accept them don't use the service." You can't offer a service to an EU citizen on the basis that they agree to give up their legal rights. If you make such an offer, and they accept, you're still bound by the regulations anyway.
Under the regulations, the default age at which a child can consent to data processing is 16, and no country may set it lower than 13. Below the applicable age you cannot offer any data-driven service to a child without the explicit consent of their legal guardian, and neither can you process data about them without that consent.
The actual age of consent will vary from country to country, since each country may choose any age between 13 and 16. So you'll have to know the age of data consent in every EU member state you do business in.
No one in Europe has any idea how an online business would get formal and explicit consent of parents. But they don't care about that. The general attitude is that if you're processing data about children, you're probably up to no good, so it's your problem. The response that "this will kill my business" is generally met with - "let's hope so".
This doesn't prevent advertising or selling to children. It only prevents targeting, filtering and personalisation.
Limits on Data Processing
If you obtain data about EU citizens, you must tell them exactly what you will do with it. And you must do so in language tuned to them. So if you process children's data, you'll need to use language a child would understand. Most likely this information will have to be published in every language used in the EU, if you're doing business in all EU countries. Note that this will include Irish, Welsh, Catalan, and many other local languages which are currently supported by local laws. For example, all government publications in Ireland must be available in both English and Irish, so you can expect data notifications to go the same way.
You'll also have to say where the information came from, how long you're holding it for, and what - in detail - you're going to do with it.
You must provide a mechanism for EU citizens to see all the data you hold on them. You may not charge a fee for this, other than for requests that are manifestly unfounded or excessive.
An EU citizen can order you to stop processing their data if they have a legitimate concern (i.e. can show possible harm) or if the data is going to be used for direct marketing. Let's be clear here, because it really shows the EU's attitude to advertising: the use of personal data for direct marketing is, in and of itself, considered a legitimate reason to block use of the data.
Combined with the need for explicit consent, I think this will seriously harm, maybe even kill, the entire profiling business. You simply can't get informed consent from someone for information you purchased from another company. Gather data on people yourself, under these rules, or simply go without.
Right to be forgotten
You must delete all information about someone if they ask and:
- It is no longer needed for the purpose it was provided for.
- The person withdraws consent, and you can't show a legitimate need for it in order to meet remaining contractual obligations to them.
Profiling is Illegal. Personalisation is mostly illegal.
You may not change prices, or make many other forms of offer to people, on the basis of a decision reached solely by automated processing of their personal data, where that decision has a legal or similarly significant effect on them, unless a human is involved in the decision. In other words, systems which analyse personal data to fine-tune offerings on their own are explicitly banned, unless you get prior - explicit - consent or the processing is necessary for a contract with that person. For example, a system which uses personal data to determine what interest to charge on a loan becomes illegal unless a human approves the decision on a per-person basis or the person has explicitly consented. Big Data in the EU? Not if it's going to affect people in any substantial way.
You've got two years to prepare - at most. Bear in mind the regulations say each country must have new laws in place by the end of 2017 at the latest. In reality, regulations will be changing at different speeds in different countries, starting within a few months.
There's no point moaning about this, or protesting that it will "harm innovation" or damage your existing business, or that it sets the digital economy back 10 years. The EU doesn't believe it will harm innovation, or that the digital economy is dependent on personal data. The EU thinks a single set of regulations across all countries is good for business. They believe these regulations will increase people's trust in online services. In the EU, these regulations are seen as pro-business. If this damages your business, no one in the EU will care; they'll just assume you were making money unethically and are now being stopped. Privacy is a much more important issue in the EU than it is in the USA. There's no benefit in wishing the EU were different.
What this can represent is a massive opportunity. Companies which can learn how to profit from these changes will leap past companies which try to ignore them. There will be plenty of ways these limits can be turned to advantages. The future belongs to businesses which can move with the times. The message from the EU to US business is clear - do it our way or get out.