The European Union’s movement towards stricter privacy rules has the potential to affect any American company involved in data collection and storage, even those that have no connection to Europe at all. Last Monday, the EU took the next step towards strengthening its data protection laws when the Civil Liberties Committee voted to approve new, stricter privacy regulations on how companies collect, store and share data on European citizens. The full European Parliament is expected to vote on and likely pass the new legislation sometime between now and May. The implications of this new law may not be obvious, but it has the potential to significantly impact American companies in the near future.
The law itself is likely to directly affect only those American businesses, such as Google and Facebook as well as non-technology companies like banks, that operate in Europe and collect data on EU citizens. These companies have said that the burdens of complying with the new laws and the penalties they could face are so high that they may pull out of Europe rather than conduct business under the new regime.
Even as the EU’s current laws stand, Europe has much more restrictive data protection laws than the U.S. Through a trade agreement, however, American companies are allowed to operate in Europe under a Safe Harbor, which means that they don’t have to comply with EU privacy regulations as long as they adhere to seven principles listed in the EU privacy directive. But in the wake of allegations that the NSA may have been listening in on German Chancellor Angela Merkel’s cell phone and collecting recordings of French citizens’ telephone data, some members of the European Parliament have recommended suspending the Safe Harbor.
This threat to suspend the Safe Harbor could start us down a path that ultimately touches American companies whose business never crosses the Atlantic. Europe takes its privacy seriously and doesn’t think the U.S. takes it seriously enough. Should the EU enact its directive in its current form, it might well spur the U.S. Congress to pass baseline privacy legislation that affects all American companies, not just those operating in Europe. At stake is significant business in the EU, and European lawmakers may link a trade agreement and access to its markets to U.S. treatment of online privacy. Legislation may be the only way to appease the EU in trade negotiations and convince them to keep the Safe Harbor in place.
Last year, the White House released its “Consumer Privacy Bill of Rights,” which hints at what baseline privacy legislation could look like. While protecting consumers online will obviously be the focal point of any new privacy law, it is of the utmost importance that new rules do not impose such a burden on small- and medium-sized businesses (SMBs) that they cannot afford to comply or pay the penalties without suffering a serious hit to their bottom line.
If it looks like Congress is going to pass new privacy legislation, SMBs whose business involves the collection and storage of personal data must make their concerns heard above the din of the masses. These companies will be hit the hardest by any federal privacy legislation, and we must ensure that small business innovation is not derailed by an overly burdensome privacy law.