U.S. companies handling information about European consumers already are reeling from a decision to end a longstanding agreement allowing for easy transfer of data across the Atlantic. Now firms must determine how to comply with European Union data-privacy regulations that are closer than ever to going into effect.
A 209-page draft of final regulations aimed at protecting personal data of individuals was proposed by the European Parliament and Council earlier this week. The General Data Protection Regulation will corral the disparate laws of individual European countries into a more consistent set of rules. It broadens the definition of personal data, restricts use of data for profiling consumers, requires companies to give consumers details about how their information will be used and with whom it will be shared, and bolsters the so-called "right to be forgotten" rules which would require companies and their partners to purge links to or replications of personal data.
"Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether the initial or further processing, at any time and free of charge," states the December 15 document.
Personal data includes "name, an identification number, location data, online identifier" or "one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person," states the proposal.
Large firms already have been preparing for the new rules. "We have data about people in thousands of databases, some of which are legacy databases," said Hilary Wandall, assistant VP compliance and chief privacy officer of Merck and Co, while speaking at a conference focused on the new EU privacy rules hosted by Truste in San Francisco on Dec. 8. "There are regulatory reasons why in many cases we actually have to keep data. So the actual requirement to erase data on people is fundamentally problematic," she continued, noting the company sometimes needs to store data reflecting consumers' opt-out requests.
"It's certainly a big game changer," said Jack Yang, associate general counsel, VP, and head of data use and privacy at Visa, while speaking at the conference. "Visa's an organization [that] profiles transactions. We use it for risk and fraud," he said.
Also speaking at the event, Barbara Mangan, privacy counsel, North America, for Ebay, suggested that the company has discussed boundaries of data collection with its European staff in part to ensure they are staying away from profiling.
The Interactive Advertising Bureau's European branch has expressed concerns about how the GDPR will deal with personal data. As reported by Business Insider, the trade group is worried "that the idea of 'personal data' has now been widened, and that internet companies worldwide will now need to gain consent from European users before they use their data to serve targeted advertising to them."
But some online ad firms took a more nuanced view of the new rules. "Rocket Fuel supports efforts to codify data protection rules in the European Union, and looks forward to working with EU regulators to balance these protections in a way that is commercially reasonable and allows for continued access to free content and services that European citizens enjoy," said Ari Levenfeld, senior director of privacy and inventory quality at the digital ad firm, in a statement sent to Ad Age.
Organizations that handle data on Europeans for marketing purposes are also navigating a new data sharing landscape devoid of the Safe Harbor compact which has helped streamline the flow of data for more than 4,000 companies including data brokers, ad technology firms and ecommerce companies for 15 years. In October an E.U. high court ended the Safe Harbor, deciding the agreement is not strong enough to protect Europeans' privacy, including against U.S. spies.
In addition to holding a conference on the subject, privacy services firm Truste launched new readiness and privacy impact assessments this week to help companies comply with the new GDPR rules.