Illustration by Keith Dalton.
Steven Roberts investigates how Irish businesses expanding into the US navigate two data protection cultures
This year has been challenging for businesses as they seek to comply with new data protection rules under the General Data Protection Regulation (GDPR). A recent survey showed that 96% of companies had begun their compliance journey, with 74% expecting to be fully GDPR compliant by the end of the year.
The landscape is particularly demanding for Irish firms operating within the USA as they seek to align two different data protection cultures. In this article, I outline some of the current and upcoming data protection and privacy challenges facing businesses as they start planning for 2019.
Different approaches to data
The contrast between EU and US approaches to data protection is significant. In the EU, data protection is considered to be about fundamental human rights to privacy and protection. Consumers in the US have traditionally had a more relaxed view of the transfer of personal data in exchange for service delivery.
This is reflected in US legislation, where federal laws are supported by a range of fragmented sectoral and state-oriented approaches. The most recent of these is the California Consumer Privacy Act. Passed in July and providing a host of new privacy rights for Californian residents, it will come into force in 2020. Irish firms operating in the US must ensure they are regularly monitoring the data protection landscape for changes at both a federal and state level.
Given the complexities involved, many international firms have chosen to use GDPR as their default data protection standard. While setting a higher bar for compliance, it removes the operational implications of trying to maintain separate data regimes for EU and non-EU residents.
The ePrivacy Regulation
While GDPR has taken the majority of media coverage recently, firms must not lose sight of another important piece of European legislation in the pipeline. The upcoming ePrivacy Regulation, now likely to be introduced at some point in 2019, will have wide-ranging impact on the area of electronic communications and the same territorial scope as GDPR.
The Regulation will replace the existing 2002 Directive and is part of the EU’s strategy for a digital single market. While GDPR seeks to align data protection rules across EU member states, the core focus of the ePrivacy Regulation is to harmonise rules around electronic communications.
It seeks to ensure that providers of communication services handle data so that data subjects’ privacy and rights are always protected, and it will impact businesses in a range of ways.
– Streamlining Cookie Rules. In line with GDPR’s principle of privacy by design, web browsers will be required under ePrivacy to provide users with a range of cookie options and tracking controls.
– Content and Metadata. The Regulation will seek to guarantee the privacy of the content of a communication (voice, text, video, image) as well as the metadata associated with it, such as location, time and device-related information.
– Direct Marketing. It will be prohibited to send any unsolicited electronic direct mail where consent has not been given, except in the case where email details have been obtained in the context of a sale or service. Postal direct marketing falls outside of the remit of the ePrivacy Regulation, but comes within the scope of GDPR.
– Legal persons are also covered. While GDPR is focused on protecting individuals’ personal data, the ePrivacy Regulation also applies to data relating to businesses. The Regulation seeks ‘to ensure an equivalent level of protection for natural and legal persons’.
– Tracking walls will no longer be permitted. This will stop companies from requiring consumers to accept being tracked in exchange for accessing online content, posing significant challenges for media, technology and advertising firms in particular.
– Substantial fines. Fines under the new Regulation will be at the same potential levels as GDPR, with a maximum fine of 4% of global turnover or €20 million, whichever is the greater.
An end to Privacy Shield?
Since 2016, many firms transferring data to the US have relied on the Privacy Shield. This is an annually reviewed agreement between the EU and the US. It provides a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. The agreement is now under threat following a vote by the European Parliament on 5th July of this year, calling for its suspension.
While it is unclear as to how this situation will play out, firms reliant on Privacy Shield would be prudent to explore other GDPR compliant options potentially available to them, such as Binding Corporate Rules (BCRs).
Next steps
Data protection and privacy legislation will remain high on the agenda for firms over the coming year as ongoing GDPR compliance is implemented. While considerable uncertainty remains with regard to Privacy Shield and the ePrivacy Regulation, Irish businesses that take a watchful approach and seek to put in place early implementation plans will be well placed to prosper in the years ahead.