It is easy to become overwhelmed by all of the regulatory changes in Europe. In less than 12 months, we’ve witnessed the death of Safe Harbor, the recent emergence of Privacy Shield, the announcement of the General Data Protection Regulation (GDPR), and of course, the Brexit decision. The bottom line is that if you are collecting data on European citizens, it is time to get smart on European privacy laws.
Against that background, here is some foundational information:
- GDPR. The General Data Protection Regulation (GDPR) replaces the EU Data Protection Directive of 1994. It is intended to create a more unified approach to data protection in Europe and applies to any entity that collects or uses data from European citizens, even if the company itself does not have a European presence. The law takes effect in May of 2018, so you have a little over a year to prepare for the regulatory changes. And with fines for non-compliance equal to the greater of 4% of global revenues or 20 million euros, you are going to want to make sure that you are ready!
- Privacy Shield. Privacy Shield replaces the now-defunct Safe Harbor framework. It is an agreement between the US Department of Commerce and the European Commission that addresses the transfer of data from Europe to the US. The US Department of Commerce started accepting applications on August 1, 2016; you can apply at privacyshield.gov.
- Personal Data. In the US, we often talk about data in the context of personally identifiable information (or PII). Companies that transact data via cookies and advertising identifiers operate in a relatively safe haven because they do not collect or use PII and as such, do not have to comply with the more stringent legal requirements associated with the use of PII. In Europe, by contrast, the concept of “personal data” is much more expansive. Under the GDPR, personal data includes cookies, device IDs, IP addresses and other online identifiers. Companies that collect, use or control this data will fall under the purview of the GDPR, even if they do not collect names, email addresses, and other information that we consider to be PII in the US.
- Consent. With the exception of certain sensitive use cases, American consumers can generally exercise choice by opting out of data collection. European regulators, however, have always indicated a preference for opt-in consent, which we first saw with the EU Cookie Directive and the subsequent EU Cookie “Sweeps” in 2014. The GDPR has further clarified that opt-in consent is required before personal data is collected (or, at the very least, that an affirmative action is required before cookies are set). If you own or operate a website, you may need to make some changes to address this requirement.
- Right to Be Forgotten and Data Portability. The right to be forgotten is an expansive notion that does not have a parallel in American privacy law. In Europe, the right to be forgotten means that companies must, at the request of a European citizen, delete all personal data associated with that individual. Additionally, if an individual wants to transfer the data to another company, the data company is required to use reasonable means to facilitate that transfer. Depending on the type of data that you are collecting, you may need to work with your tech teams to ensure that you are equipped to respond to deletion and portability requests from European citizens.
- Data Transfers. After the demise of Safe Harbor, many companies (including Lotame) were relying on the use of model clauses to transfer data from Europe to the US. When Privacy Shield was announced, there were fears that the framework would not meet the concerns of European regulators. The good news is that the European Commission has agreed not to challenge Privacy Shield for at least one year. Lotame is in the process of exploring Privacy Shield as a means to transfer data from Europe to the US and encourages its clients and partners to do the same.
Doing Our Part
This is certainly not everything that you need to know about European privacy law and it isn’t intended to substitute for the legal guidance that you can, and should, solicit from your own counsel.
Privacy laws at home and abroad move almost as quickly as the pace of innovation. Lotame itself relies on its in-house legal team as well as a team of outside consultants to ensure that we are fully prepared for regulatory changes. Additionally, Lotame participates in all of the prominent self-regulatory organizations, including the Network Advertising Initiative (NAI), Digital Advertising Alliance (DAA), IAB, and IAB UK. Our General Counsel sits on the Advisory Board of the Future of Privacy Forum, along with representatives from major global marketers.
Lotame is constantly reviewing the latest regulations to ensure that our organization, and our solutions, are in compliance with the most current privacy laws. In fact, in Europe, Lotame’s DMP recently received the e-Privacy seal from e-Privacy GmbH, and Lotame is certified by TRUSTe as compliant with the EDAA’s OBAA Programme.
As always, we will continue to monitor the privacy laws and keep our clients informed of updates that we think are relevant. If you have questions or would like more information about any of the items listed above, please don’t hesitate to reach out to your Client Success Manager, or drop us a line at firstname.lastname@example.org.
Would you be interested in attending a webinar on European Privacy Laws? Email the marketing team to let us know and, if there’s enough interest, we’ll let you know!