Clash of Compliance Cultures: Old vs. New World
In the last few years, US companies been shy about expressing their feelings on the EU’s Data Protection Directive (DPD). There’s a major social media player, for example, with a European HQ in Ireland that’s been publicly critical of a proposed “right to be forgotten” rule for letting consumers delete their online data. There’s also a search engine service that, while not openly objecting, is instead suggesting it’s already doing a darn good job of meeting the DPD’s rules.
US companies have begun to learn that the data privacy rules and expectations they’re accustomed to in the US are viewed differently on the other side of the Atlantic. The EU Charter-their constitution-explicitly lists data protection as a fundamental right. That’s roughly like having a US amendment devoted to encryption, which, at this time, there isn’t.
This is not to say there’s a complete privacy compliance chasm between the US and EU.
Healthcare companies have long had extensive regulatory obligations under HIPAA for securing health information, alerting consumers about breaches, and gaining consent on information transfers. US companies in the banking and credit sectors could point to parallels in Gramm-Leach-Bliley and the Fair Credit Reporting Act.
While US medical and financial companies have had to deal with privacy and security legal burdens, that’s not been the case with the social media players. Because the Data Protection Directive covers all companies collecting data–not just ones in select, albeit important, industries—and through its Safe Harbor treaty it snags US firms as well, it’s not surprising that US Internet-based companies face the most culture shock when conducting business in the EU.
The ultimate issue of course is that in the new information economy data is revenue, and so deleting it is like, well, burning legacy paper currency.
Besides the right to data erasure differences, another sticking point between US social media companies and the EU is on rules for reasonable data retention limits. But this again reflects mostly differences between old and new economies. After all, outside the social media world, it’s generally considered good security policy–limiting data breach liabilities– to keep PII data to a minimum and erase it when it’s no longer necessary. For example, the credit card vendors, through their PCI industry standard, emphatically remind corporations with regard to credit card numbers that “if you don’t need it, don’t store it! “
But new regulatory forces along with changes in consumer attitudes may tilt social media companies towards a European view.
The FTC’s new privacy framework that was published earlier last year—and that I always come back to—calls for minimizing data collection of consumer data and sensible retention limits. There’s a (stalled) bill in the Senate, revealingly entitled “The Commercial Bill of Rights”, which will implement some EU-style data and privacy protections. The bill’s scope, by the way, covers any company that “collects, uses, transfers, or stores covered information concerning more than 5,000 individuals.”