Does your company make databases of customer information? Does it perform analytics on the data? Then be careful of the Privacy Shield, which may restrict these abilities or impose huge fines for simply doing business the American way.
Hidden deep among the redress options and the monitoring mechanisms is a simple required statement. Like an insidious “pledge of allegiance,” the Privacy Shield documents require that any business seeking its protection must agree to the core principles of the EU data protection regime, specifically, the principles of Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability.
While all of these principles seem, on their faces, to be vaguely reasonable concepts in holding and transferring personal data – who can argue with Data Integrity or Data Security, for example? – their very vagueness will lure U.S. businesses into much stricter limitations on their own business models, or else risk jaw-dropping fines that could run to four percent of worldwide gross revenues. In other words, complying with the Privacy Shield means acceding to the European vision of data as tightly restricted in use and movement without explicit permission from the data subject.
Specifically, many sophisticated U.S. companies, including huge enterprises like Microsoft, Google or Facebook, build files of data and attach those files to the individual that the data describes. Transactional data, like what a person purchases and what account is used; descriptive data, like location and specific computers used; and incidental data, like search history and browser history, are all collected and applied for advertising regimes and innumerable other functions. Many other companies extrapolate secondary or tertiary information from personal data and aggregate those results into useful lists. All of these activities are likely to be unlawful under the Data Shield Principles that U.S. businesses are being asked to accept.
Those companies complying with the Privacy Shield will have not only agreed to “Purpose Limitation” restrictions, but also agreed to “Recourse, Enforcement and Liability” provisions that demand punishment for the company that fails to comply. The Purpose Limitation Principle is defined as “ensuring that personal data is only processed for the purposes for which it was collected, subject to further consent from the data subject.” Nowhere does this requirement appear in U.S. law to restrict American businesses from building internal knowledge, or to force those businesses to send a request to all people represented by information in the companies’ databases for every new query that the companies might have.
U.S. companies have built their businesses in the absence of such restrictions, and complying with those restrictions could destroy important sources of customer information and revenue, developed over decades of experimentation. By agreeing to the terms of the Privacy Shield, companies would put these important business tools at risk and submit themselves to the scant mercy of the various EU Data Protection Authorities.
In addition, the vague concept of “Purpose Limitation” has never been well-defined or closely understood in the recent history of gathering electronic data. If customer information is collected for the purpose of completing a transaction, then, under a “Purpose Limitation” regime, that data should not be used once the transaction is complete (including, one assumes, delivery of a purchased item). But where a consumer provides a name or other personal data for other reasons, where does the right to use the data stop? From a Data Protection Authority’s position, the onus would be on the company receiving information to define its initial use, so the company can ask for permission for further use, but this has never been the way U.S. firms conduct business online. In addition, would the “Purpose Limitation” apply to aggregated use, or extrapolation of secondary information from various databases?
The rule is not clear, but the EU Data Protection Authorities, especially in German states, have demonstrated a willingness to be aggressive in trying to force U.S. businesses into the most restrictive perceived EU rules. We predict this particular aspect of the Data Shield will yield confusion and sanctions for many U.S. companies in the coming years.
Finally, if U.S. companies take the required action to meet EU Privacy Shield requirements, and agree in their published privacy policies that those companies support and comply with “Purpose Limitation” in their treatment of personal data, have they just imposed a restriction on their use of data collected from North America? If so, this would be a restriction that NO U.S. legislature or regulatory agency has imposed on collection and use of general personal data. But after making such public assurances, many U.S. companies will have subjected themselves to FTC enforcement for using personal data in the traditional ways.
The FTC can claim that these companies have engaged in unfair and deceptive trade practices under the FTC Act by using customer personal information in ways that extend beyond the original purpose of its collection. U.S. executives should think hard about alternatives before blithely making “Purpose Limitation” promises in their privacy policies.