May 21, 2014
If your company touches any Europeans’ data you’d better prepare for what’s coming.
The EU data protection reform is steadily moving forward. On March 12, 2014, the European Parliament adopted the current proposal in its first reading. The new regulation is intended to strengthen consumer privacy rights and to boost Europe’s digital economy. However, many experts across the Atlantic have expressed deep concerns with regard to some controversial aspects of the incoming laws, which introduce bigger fines, 24 hour disclosure and the enforced Data Privacy Officer. The proposed regulation applies to the processing of personal data pertaining to data subjects in the EU even if the controller or processor of such data is not established in the EU. U.S. companies with or without operations in the EU that fail to comply with the new rules can trigger fines up to €100 million. If your company touches any Europeans’ data, you’d better prepare for what’s coming and know what to do to minimize the impact on your organization when the regulation is enforced.
How to minimize impact and costs of the new regulation
As any other companies processing personal data of European consumers, U.S. organizations should not content themselves with seeking to avoid the imposition of administrative fines. Ideally, companies should embody personal data protection and information security into their business models and processes as inherent parts of the company´s culture, products and services.
In doing so, U.S. companies can benefit from a uniform regulatory framework that saves significant costs compared to the web of 28 national data protection rules. Personal data is becoming the new currency of the information age. The EU regulation mandates the implementation of data protection “by design” and “by default”. Companies should look at this new rules as an effective way to gain consumer´s trust and to establish a competitive edge in the ever evolving internet markets. The best way to minimize the inherent costs of the new legal framework is to implement structured processes that make compliance fail-safe and that greatly reduce the need for short-lived trouble shooting and undesirable – and expensive – disclosures of data breaches.
In Snead’s views, “U.S. companies are not doing themselves any favors by ignoring this law or by ignoring the proposals”. According to Snead it is important for IT professionals to follow what is going in the EU with regard to privacy for two reasons. One is that EU is the largest non U.S. market. Sooner or later you’re likely going to have to comply with these laws. The second is that what is going on in the EU with regard to privacy is reflective of what is going on globally, including in the U.S., with regard to privacy. It reflects the fact that consumers and businesses want more control of their data. They want more certainty about what is going to happen to their data. The European Union is responding to that concern. However, It is not an EU only concern. It is a global concern. Paying attentions to what’s going on in the EU and beginning to prepare for it is going to put organizations that follow this issue ahead. “It’s going to allow them to create compliance strategies that are well thought out and implementable as opposed to compliance strategies that they have to implement 10 minutes after they get a customer.” concludes Snead.
In conclusion, Balboni observes that the “EU, U.S., Canada and numerous other jurisdictions of the Asian and Pacific Economic Cooperation (APEC) still have a number of commonalities. The bottom line is that there is a global common denominator [with regard to personal data protection]. It’s the principle of accountability. If you start implementing this principle in your organization, then you’ll be ready to transition to the new general data protection regulation in Europe.”
Previous: How to prepare for what is coming.
IT-Law, Outsourcing, Cloud Computing, Data Protection & Data Security.
Internet Attorney and co-founder of Internet Infrastructure Coalition
Washington D.C. Metro Area
Founding Partner at ICT Legal Consulting
Milan Area, Italy