For many U.S. -based startups, European privacy standards remain an afterthought. No one thinks much about them until the startups — which often collect personal information about their users, like online behavior, location, sex, IP addresses and unique smartphone IDs — are told they’re facing sanctions for their business practices.
Of course, in many countries, the sanctions are tantamount to a slap on the wrist, particularly for giants like Google and Facebook that have a special talent for aggravating European lawmakers over privacy issues.
But the laws abroad only look to become more stringent and to give consumers more power, and they’re likely to come with more devastating consequences for those companies that ignore them. In fact, one current data privacy proposal being weighed would allow regulators to assess fines of as much as 2 percent of a company’s global sales. (Ouch.)
So how can startups figure out what changes are coming and how to prepare for them? To find out more, we called up Phil Lee, a freshly-arrived-to-Silicon Valley attorney who heads up the U.S. practice of London-based Field Fisher Waterhouse, and who specializes in helping U.S. companies understand the black box that is European privacy law. Our conversation has been edited for length.
Big picture, what are some of the biggest differences between U.S. and European privacy law?
Well, the way European and U.S. privacy laws work are obviously very different, but the basic difference is that privacy laws in the U.S. are sector driven; there are laws that pertain to the collection of personal information in the financial and medical sectors, but there are no overarching federal laws. Meanwhile in Europe, we have umbrella privacy laws that cut across all businesses, regardless of sector. These are set out in two key “directives,” with each of the 27 European Union member countries having to implement their own national versions of them. This is supposed to lead to harmonization across the territories but, in practice, each of the countries implement the directives in different ways.
Can you elaborate on the two directives?
The main one is the Data Protection Directive, and this applies to any business that collects “personal data.” Personal data is a much broader concept than the U.S. concept of Personally Identifiable Information, in that it can include things like IP addresses and smartphone IDs. This has particular implications for the online publishing and advertising communities, as well as mobile app developers. The Data Protection Directive sets out very specific rules regulating the collection, use and exchange of data, with particular restrictions around exports of data back to the U.S.
Meanwhile, the E-Privacy Directive, or Directive on Privacy and Electronic Communications, governs privacy over electronic communications networks, setting out specific rules about obtaining individuals’ consent to email marketing and use of Website cookies.
But the EU is completely rewriting its laws to produce new data protection standards that will be substantially more onerous. Indeed, most U.S. companies already find our privacy laws a bit of a shock in the ways they restrict what they’d like to do with data. But the new laws will be much tougher. The aim is basically to put privacy on equal footing with [European] antitrust laws.
When will the newer laws go into effect?
They’ll probably be adopted in early 2014, and in current draft form would come into effect two years later, so we’re likely looking at 2016 before they come into effect.
So how can businesses adapt?
Not every country is actively implementing the new laws and standards though, correct?
The law was changed in 2009, and all of EU member states were given 18 months to implement it into their own national laws, but by May of last year, the only country to have implemented the law was the U.K. Now that we’re coming to the end of 2012, roughly 75 percent of EU territories have implemented the law in their territories.
Why the slow uptake initially?
It reflected that most countries didn’t know what to do. They had a legal obligation to implement it but didn’t want to do it in a way that killed off online business in their country. So U.K. law says that you have to get consent to have cookies, but in the U.K., the implied consent model works, provided you give sufficient transparency about the cookies you use and what they do and give people a clear opportunity to turn those cookies off. If they don’t, you can imply their consent. There has to be some mechanic on Website that allows them to refuse the different categories of cookies served, so a user can say, for example, “I don’t mind analytics and preference cookies, but I don’t want to be served advertising cookies.”
Which countries have taken the U.K.- style approach since, and which haven’t?
Well, Ireland is also generally thought of as more business friendly on regulatory issues, and Luxembourg is also a popular territory for European businesses launching into Europe. France, Germany, Spain, and the Netherlands, on the other hand, are considered much more strict on data protection compliance; they lean more toward opt-in consent for cookies. It really reflects local cultural attitudes. Their feeling is that what we’re talking about here is invisible tracking of people online, people who don’t realize they are being monitored, and that companies shouldn’t assume they have the right to do that. So this kind of stuff varies quite substantially from country to country based on cultural and regulatory attitudes that can be traced back to World War II. Use of cookie identification numbers to track what people are doing online is a very sensitive topic in some European countries.
So how can startups, with their global user bases, deal with these divergent laws and approaches?
Essentially, there are two things you have to look at. Do you have an establishment in Europe, a subsidiary that’s collecting user data? If that’s the case, the law that applies to you is principally going to be the one where your establishment is based. So if you’re a U.K-based business, then it’s U.K. data protection law that applies to you, even if you’re collecting data from France, Germany, etc. If you aren’t established in Europe, the law that applies to you depends on where you host data processing equipment, so if you have servers in France, Germany, and Spain, you’re subject to each of their laws.
When you say establishment, what do you mean? Do two salespeople in an office constitute an establishment?
It depends on whether the establishment qualifies as a “data controller” in Europe – a subsidiary that’s exercising autonomy over how data is being collected and used. So if you have a subsidiary that’s maintaining its own database and exercising authority over how data will be used for marketing and the like, it would be considered a data controller and subject to EU data protection laws.
Are the consequences of not abiding real or mostly theoretical at this point?
The consequences vary from country to country. In UK, you can get fined up to 500,000 pounds for serious data protection breaches; in other places, the fines can be more substantial. The fines in Spain, for example, are an order of magnitude higher than elsewhere and aggressively enforced. But beyond fines are investigations, audits, and enforcement orders that require you to change your business practice.
It’s definitely harder to enforce against you if you aren’t established in Europe, though it’s not impossible. Google, for example, had an issue in Germany where German regulators took objection to sites using Google Analytics to track visitors for analytics purposes. Finding it difficult to go directly after Google, the regulators threatened to pursue its local customers. Once they started that, Google was forced to change its service for Germany to address the regulators’ concerns.
When you meet with startups in Silicon Valley, how well versed on the changing regulations are they?
We find that they have some knowledge of European data law and they know it’s complex and they might know about cookie consent, but they aren’t sure what to do. How do you manage a business that’s operating on both sides of the Atlantic across two very different legal and cultural regimes? So a lot of our advice is based on how to help them set up business in a way that helps them globally.
Obviously, privacy isn’t the only concern. Aside from data privacy regulation, most business are driven by tax considerations, considerations about what local employment laws are like, the availability and cost of real estate and so forth.
But also, the regulations seem so much in flux. It’s easy to see why they might not be a top priority for startups at this point.
Well, under the new laws, one of the big things that will change is that it will expressly apply to businesses serving European customers, even if wholly operating from outside of the EU. Even if you aren’t established in Europe or using equipment in Europe, if you’re collecting data from European citizens in the course of providing services to then, the new law will clearly apply. And backed with substantial fines of up to 2 percent of [sales], it becomes a substantial business risk.
But even without that, data protection is already a clear and growing risk for businesses today. Data privacy regulators aren’t adverse to pursuing a businesses’ customers if they can’t directly enforce against the business itself. Plus, data breaches attract a significant amount of attention in Europe, so the scope for reputational damage — particularly to fledgling startups — can be devasting.
And quite aside from all of that, a lot of startups will be giving all manner of representations to their customers and investors about their compliance, leaving them very exposed if they aren’t proactive in managing their compliance. European laws are moving to a place now where they expect businesses to be much more “accountable” for their data practices.
Accountable meaning what in this context?
A cornerstone of the incoming legislation is the need for businesses to maintain clear documentation of their policies and practices. The aim is to ensure proactive data management throughout the business life cycle. For example, one key goal is “privacy by design,” or embedding privacy at an early stage into the design process. Today, many companies roll out core new products and features and only address privacy concerns at the last minute, resulting in bolted-on privacy controls that aren’t very effective. And companies will increasingly need to do “privacy impact assessments,” a process by which you identify at an early stage the privacy implications of new products, services or systems and how to resolve them.
Photo: Image courtesy of Shutterstock.