Transatlantic commerce is about to get turned on end, thanks to looming legislation in the EU that affects us all.
In less than two years, dramatic changes in data protection law will take effect in the European Union. Worldwide, companies that have any interaction whatsoever with EU citizens will be bound by the world’s strictest laws in data security.
How EU Laws Can Have Global Reverberations
“Interaction” includes, among other practices, selling products to, marketing to, and offering services to anyone who resides within the borders of the EU (and, most likely, post-Brexit UK as well). In fact, any item of data that’s derived from (or about) these protected citizens will be subject to what amounts to the strongest set of data protection laws the world has ever seen.
As you can see, our friends across the pond are very serious about privacy protection and where their data is sent around the world. In Europe, the right to data protection is held in high esteem, right up there with the right to privacy. In fact, it’s built right into the charter documents that established the European Union:
“Everyone has the right to respect for his or her private and family life, home and communications.”
-Charter of Fundamental Rights of the European Union
And Article 8, word for word:
Protection of personal data
“Everyone has the right to the protection of personal data concerning him or her.
Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
Compliance with these rules shall be subject to control by an independent authority.”
This is mainly why the Safe Harbor framework, the U.S.-E.U. data protection standard agreement, was recently declared invalid by the EU: it was not strong enough. That raises the question: will our new agreement with the E.U., Privacy Shield, survive or go the way of Safe Harbor?
What is the GDPR?
The new regulation is called the General Data Protection Regulation (GDPR), and if you haven’t already heard about it, now’s the time to find out what this powerful new legislation means. If you own a business with an online presence, chances are you’ll be affected by the GDPR. And if you do any type of digital marketing, it’s almost certain you’ll need to know about the GDPR’s profound, global effect.
GDPR will replace the decades-old Data Protection Directive, serving to bring regulations up to date and to streamline enforcement of data protection and privacy laws. What could be wrong with that?
At Odds: Consumer Privacy & Certain Business Models
Data collection is the foundation of modern marketing techniques. However, it’s often taken to extremes, to the extent that some call it “invasion of privacy”. We’ve already had to contend with phone apps that siphon away personal information from your phone, for example. And a few years back, Twitter was selling tweet archives to the highest bidder.
Legislation like the GDPR aims to protect citizens from these types of shenanigans, but marketing is big business. Even the seemingly benign practice of sending emails to a list of subscribers has its own dark side: when “subscribers” aren’t really subscribers at all but rather hapless owners of email addresses who somehow got themselves signed up for this list or that.
With GDPR, list owners will have to provide solid evidence that each and every “subscriber” knowingly gave permission to be emailed. Since email marketing is currently the channel of choice for most modern marketers, GDPR is going to bring radical changes on this front alone.
Also Under Scrutiny: Freedom of Expression/Right of Erasure
On another front, some feel their rights will be hindered by the GDPR. They see a clear omission in the law: it lacks safeguards to ensure freedom of expression.
Here is the problem: GDPR protects the right to erase (or have erased) damaging info about oneself. This is seen as neglecting the rights of those who published the info: their right to free expression.
The real fear here is that GDPR will be used “…to censor authors and invade the privacy rights of speakers”**. This certainly puts the wrong face on data protection laws.
— Marc R Gagné MAPP (@OttLegalRebels) December 9, 2016
Current Data Security Climate in the U.S.
Recent election-hacking accusations and other hacking of U.S. government systems have brought to light the dire need for stronger security measures.
Leaving cybersecurity up to users isn’t working: our password habits are terrible, for example. Almost three-quarters of U.S. and U.K. respondents to a survey admitted they use the same password for multiple accounts. Even worse, they’ve been using that same password for over five years. No wonder we all keep getting hacked (40% of us, actually, according to that same report). At least people in the U.K. have GDPR-level security laws working for them. Even after Brexit, they will most likely adhere to GDPR standards in order to keep trading with the E.U.
What We Think Trump Will Do
So far, Trump’s stance on data security and privacy rights indicates he’s going to run smack into conflict with the EU’s stringent standards. Back in February 2016, when Apple and the FBI were at odds over access to the phone of a terrorist in the San Bernardino incident, Trump called for a boycott of Apple. His words*:
“To think that Apple won’t allow us to get into her cellphone? Who do they think they are? …Boycott all Apple products until such time as Apple gives cellphone info to authorities regarding radical Islamic terrorist couple from Cal.”
-Donald J. Trump
However, in an interview with Breitbart Tech published last year, Trump came out with some surprisingly bland comments, making it difficult to truly predict what he’ll do when he takes office:
“There must be a balance between those Constitutional protections and the role of the government in protecting its citizens. Congress should continue to be the arbiter of that balance.”
-Donald J. Trump
It seems he’ll most likely rely on Congress to rein in the NSA on matters of privacy rights, unless a headlining story captures his attention, as the San Bernardino event did.
Finally, Trump’s campaign promise to reduce government regulation doesn’t bode well for tough pursuit of cybersecurity laws. Relying on business to volunteer to make things safer for consumers hasn’t always worked out in the past.
Whatever remains to be seen and no matter how many ways the GDPR is challenged or supported, or how it affects our current agreement (Privacy Shield) with the EU on data protection, one thing is for sure: we can all expect change.