Hardly a day goes by when the news doesn't include some privacy-related story or scandal. To name just a few recent examples, we've seen:
- Highly publicized losses of customer credit card data by household-name retailers.
- Companies being hacked, including entertainment businesses and dating websites, and the subsequent revelations in the data publicized proving far more scandalous than the hack itself.
- Revelations by Edward Snowden about government surveillance of individuals on a massive scale.
- European Court of Justice cases declaring that the mechanism most widely used by US businesses to transfer EU personal data to the US (Safe Harbor) no longer provides adequate protection, and giving European individuals a "right to be forgotten" from internet search engine results.
- The continual introduction in the US of Federal and State laws governing the privacy of personal information in a variety of contexts, including when personal information is collected from individuals online/via mobile devices, and about children, and in sectors such as healthcare, finance and education.
- A controversial new EU data privacy regulation that not only attempts to expand further the reach of EU regulators beyond Europe's borders, to the US and around the world, but also increases the compliance burden on all businesses, and the potential fines, to up to U.S. $20 million or 4% of worldwide turnover.
These issues and many more have kept privacy in one form or another consistently in the public eye and at the top of the agenda for many years now.
These incidents frequently involve an element of tension between approaches to privacy in the US (often perceived as open, innovation-focused and relatively free of privacy regulation) and in the EU (often perceived as having a confusing, impractical and excessive mess of privacy - not to mention other - regulatory regimes, and citizens who are highly sensitive about the processing of their personal data). Putting aside the (fascinating) historical and philosophical theories behind the different cultural attitudes to privacy (think the importance placed in the US on free speech versus sensitivity in Europe (particularly post-war) to any massive databases collecting and monitoring individuals' behavior and movements), let's consider the practical scenarios that typically arise.
The Fast-Growth Company Paradigm – Different approaches when entering a new jurisdiction
The paradigm is this: a fast-moving Silicon Valley technology business offers an innovative (and often free to consumer) product that is somehow reliant on the mass collection, storage or clever monetization of individuals' personal data. The business is wildly successful in the US and, naturally, looks to expand internationally, with Europe being an obvious target. Having already (in true Silicon Valley style) taken a "risk-based approach" and prioritized product, user acquisition and sales over compliance (particularly in the US), the business then expands aggressively into Europe, proving popular with users/customers and gaining great traction and recognition in a new and valuable market.
Then, one way or another, attention turns to the business's data privacy practices. This might be because of:
- the scale on which it is collecting data;
- the sensitivity of the particular data collected;
- the uses to which the data is being put; or
- perhaps worst of all, the data not being held securely, and somehow ending up in the public domain.
Cue public outcry, investigations by data protection agencies, potential loss of users/customers and a general decrying in Europe that Silicon Valley companies don't take EU privacy laws seriously. The business may argue that it is not subject to EU privacy law, or the privacy laws of the particular European countries involved (and there are sometimes persuasive arguments that this is the case), but the damage has already been done.
So, is this all part of the lifecycle of a Silicon Valley business (hopefully not) and how can a "big startup" expanding rapidly (as Silicon Valley companies so often are) embrace these challenges?
Overcoming the Challenges
1. Perfect compliance?
Recognize (even if your business is not ready to aspire to it) that perfect compliance (assuming it exists):
- requires investment;
- is time-consuming;
- involves taking a non-uniform approach across jurisdictions (or hitting baseline compliance in the strictest jurisdictions and over-complying everywhere else);
- requires some interpretation of often opaque and outdated statutory/regulatory language and guidance (with variations between jurisdictions); and
- may involve some small (or perhaps big) sacrifices in product functionality, user experience and maybe even revenue streams.
2. Practical approaches
a. "Hot issues"
A risk-based approach can work in a privacy context (providing your business genuinely accepts the "risk" aspect). Work with a privacy expert to identify "hot issues" in privacy enforcement/on the regulatory agenda, and those which have been largely forgotten (contrast the frequent and relatively large fines/settlements for data security breaches with the information requirements of the EU's electronic commerce regulatory regime, which — while not particularly onerous to comply with — are rarely enforced by regulators).
b. Key markets
Identify key markets that have (or that you are aspiring to have) the largest share of your international revenues and invest more heavily in compliance efforts there.
c. User perception
Think about the reaction of your users/customers if they "found out" what you are actually doing with their data. —Even if you have complied with applicable notice and consent requirements, is there anything you're doing that they would likely be unhappy about?
d. Good faith efforts to comply
Think about a practical approach to following the law that demonstrates a genuine good faith effort to achieve full compliance (rather than simply ignoring the issue), even if this means sacrificing some user experience.
e. Legal and industry trends
Pay close attention to legal and industry trends — think about the (albeit still slightly uneasy) position we've reached on EU cookie notice and consent mechanisms, after the initial uproar/concern that all websites would have to serve a blank page with an opt-in notice on all European users before those users even landed at any part of the website, destroying the user experience in the process.
f. Product/user teams and privacy by design
Work with your product and user teams to understand how much modification they can "stand", without making real sacrifices in user experience. In fact, the ideal scenario product-wise is to engage early enough with the teams (and certainly long before any growth beyond the US into stricter regimes like Europe) to factor in privacy by design from the outset, but this does require some patience/understanding on the part of teams who are, no doubt, in a tearing hurry to release new products/iterations.
3. Regulatory engagement
If you nevertheless start receiving regulatory enquiries, avoid a combative, quasi-litigious style (or worse, putting the correspondence in a drawer and hoping it goes away). Instead, engage actively with the regulator right away, acknowledge that the privacy of its country's citizens is a big priority for you, and show a genuine appreciation for their concerns, and a willingness to take steps to resolve them.