How the new European data law will affect U.S. companies

Summary: The newly announced draft European data protection regulation won't just affect the 500 million Europeans. U.S. companies with European users should also take heed.


If you thought that, because you are a U.S. company, European rules would not affect you, think again. Europe has a population of over 500 million people, which is nearly twice that of the United States.

The new Regulation signals that the tide has turned. The 1995 Directive focused on building the online economy and on helping businesses large and small to expand and grow, while the 2012 Regulation will reverse the fortunes of businesses and focus on European end users.

Internet companies will have to seek explicit consent from their users to use data about them, and tell users when data is being collected, how long it will be stored, and for what purpose it is being used.

A European Commission spokesperson confirmed to ZDNet that the proposed measures are "focused on younger people", particularly teenagers, students and young adults, in a bid to "protect the consequences of putting photos and other information on social network websites".

It does not guarantee the right to have data held by local and European law enforcement agencies deleted, however.

But the proposed "right to be forgotten" laws have already been met with harsh criticism from the wider Web industry. It will create a right that will not only be difficult to implement, but could have a detrimental effect on the use of the Web in Europe.

Sheryl Sandberg, Facebook's chief operating officer, gave an insight on what the wider argument could be amongst businesses and European regulators. While Web companies provide employment and spur on economic growth --- such as seen with Facebook's impact on the European economy --- governments should not get in the way.

"In Europe, in the United States, throughout the world, we need to make sure we are investing, we are investing in technology, and we are investing in basic education so that people can take advantage of these tools," she said.

"The Internet and social media, it’s not just posts and pictures and fun things with your friend. But this is really serious stuff. This is about growth. This is about jobs."

Facebook as a company remained silent in the run-up to the new Data Protection Regulation, but will likely suffer its consequences.

Reuters quoted Microsoft's European chief operating officer, Ron Zink, as saying the proposals may be "too prescriptive". Microsoft is one of the few companies pushing for harmonisation of privacy laws between the U.S. and the EU, but even it is concerned over the scope of the "right to be forgotten" rule.

"If one person puts photos on their SkyDrive and makes them available to everyone on the public Internet, and then later asks us for the content to be removed, we can take it off our servers," Zink said.

Businesses are expected to lobby heavily for amendments that benefit them, and reduce the long-term workload that would be expected as part of the new Regulation's finer details.

Details of data breaches --- something every company will have to deal with at some point --- also take a high standing in the Regulation. Since the Sony breach, where over 70 million user accounts were hacked, Europe is responding by enforcing a "24-hour rule".

"Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay. As a general rule, without undue delay means for me ‘within 24 hours’," Reding said in a speech earlier this week.

But should a company not be aware of a hack, a breach, or a data loss for 24 days, let alone 24 hours, the rule applies more pressure on companies to be aware of their own internal security matters and data protection policies.

The U.S. Department of Commerce weighed in, saying that the rule is "simply too short" and could lead to disproportionate fines, and even to false alarms. This in itself is likely to cause consumer frustration and unnecessary worry.

If companies are found to have broken the rules of the Regulation, stiff financial penalties not far behind Europe's competition and antitrust penalties can be imposed; something not conducive to innovation in an already tight economic climate.

While some consider this to be a "tax on businesses", again highlighting the shift from business growth to consumer rights, the Regulation could be seen as a reactionary set of rules and laws that does not deal with the fact that many still choose to upload vast amounts of their data to the Web.

These are just a number of examples where the borderless Web means that European law takes just as much precedence as that of other sovereign states, as long as companies are operating within Europe's walls or have European customers.

The rules need to be approved by European member states and the European Parliament before they can come into effect. This could mean heavy amendments or outright rejection.

The Regulation in its current form should be seen as a warning flare, and a dictation of how a company should be acting in its present state.

However, a lot is still yet to change, so businesses should take heed of the warnings today. Change is afoot and the European authorities are about to shake the global data-collecting industry to its core. The announcement of the Regulation does not guarantee that all of its contents will go through, but it gives a grace period of two to three years for company practices and policies to be changed to comply with the overall measures.


    So, Sony and other mega interests would love to impose SOPA PIPA and all this garbage, but when they get hit with the same dumb wooden club by the end users they cry and whine?
    Well done!
    • RE: How the new European data law will affect U.S. companies

      @dfumagalli@... BINGO!!....nice post....blunt and accurate! ;-)
  • RE: How the new European data law will affect U.S. companies

    Funny how all these mega corporations can easily mine all our data to target ads, and make a ton of money, but when you ask them to delete the data, it becomes too cumbersome.
  • 700?

    According to Wikipedia, the European Union has a population of 502 million. The United States 312 million. Please correct your mistake. Thanks
    • RE: How the new European data law will affect U.S. companies

      @asx245 Europe has over 700 million, EU member states have around 500 million. Good spot.
    • RE: How the new European data law will affect U.S. companies

      @asx245 Hmm, I wonder if Wikipedia is now accepted as a legitimate "source" for facts!
  • People have a right to know...

    People have a right to know how long companies will hold on to their data, what they intend to do with said data, and why the data is being collected.

    Too many people blithely upload personal information to various sites and then cry and complain about the ads or security of those sites, often stating "I didn't know they were going to use my data for "

    By putting it in their face, making them *aware* of how the data is intended to be used and how long the company intends to hold onto that data, and then hitting the company with a fine when they *don't* use the data in the way they claimed to adds personal responsibility on two on the side of the company using and hosting the data and the other on the user's end, as they will be readily informed of what is to be done with the data they are uploading.

    Win/win situation.
    • Transparency is key.


      I generally agree with your point. I get a little sick of people who say that people should just, more or less, be naturally aware that information they give out on the net could be used in various ways they may not like. While it's true that one might think people should be naturally aware, the sad truth is that most simply don't think in those kind of terms.

      The fact is there is no good reason why people should not be informed of exactly how their information is going to be used. Clearly people come in all kinds and sorts, some of whom may be quite aware of potential pitfalls and some who simply don't have so much as a clue, and a bunch of people somewhere in between.

      Companies obviously would rather not fully inform the public, generally speaking. There is a real potential that for many people just reading about what their info could be used for would wake them up to the possible pitfalls of giving out information and that could put a genuine dent in a business's ability to collect nearly as much data as they had in the past.

      While most people who write and post around here have understood for a very long time what can happen with private information and how it can be used to generate income, there are many out there who still do not, and marvel at how some successful websites can operate and supply a so called service for free. Really.

      Transparency is where it's at. Or at least where it should be at. If it happens it's going to be very interesting at just how much free data collection by these companies dries up.
      • RE: How the new European data law will affect U.S. companies


        I have no sympathy for the general retarded public.

        But being transparent is just good business ethics.
      • RE: How the new European data law will affect U.S. companies


        What if one of those so-called 'retards' was one of your family or friends?? Cold shoulder and a 'well I told you didn't I...'??

        Simple fact is a lot of the bigger companies (Google and FB especially) wrap up their 'services' in this gooey layer that the non-technically minded often don't question and often once mistakes are made it can be too late to remedy things...

        Unfortunately, in many a current business stratagem, transparency is NOT seen as part of the working model!
  • RE: How the new European data law will affect U.S. companies

    Personally I'd favor an international law prohibiting the sharing of anyone's information. What one posts on FB or Google+ should stay there. Or, if they wish to share my information then ask me first and be prepared to pay me a percentage of the profits. I'd say a 50-50 split would be fair. Of course that'll never happen.
    • RE: a 50-50 split would be fair

      @neverhome

      Not for me, it will have to be 90/10.

      And I will give you two guesses who gets `the lion's share`.
    • RE: How the new European data law will affect U.S. companies

      @neverhome LOL, we just might start having more pirate businesses; that is exactly what copyright is meant to do, but check out the pirate ships sailing the web today :)

      Though, they will have to be publicly known to be an established business, so that should be the blockade to the pirate businesses....oh wait....have we forgotten about EULAs? The simple work around this is to create more larger EULAs and bury these infos on how the user's information will be used without their knowing; thus, they click the "I agree" button (like I do majority of the time; cause I never share my private infos ;) ) b4 they are allowed to get the benefits.

      Conclusion; this is the year to become a lawyer.
      • exactly


        Even if this is enacted, even the technically savvy crowd will probably have trouble understanding the legalese the information will be codified in. The reason many people don't use those EULA's is because it's loaded with so much legal jargon people feel like they just did their taxes! If they don't write it in plain language you will need to be a lawyer to understand what the data will be used for as spelled out in their information.

        So yea, good year to be a scumb.......err lawyer
    • RE: How the new European data law will affect U.S. companies

      your percentage of the profits is the 'right' to use their service. Please, don't act like Facebook (or other free online services) is a human right or something: don't use it if you don't agree with how they earn their money.
    • RE: How the new European data law will affect U.S. companies

      @neverhome well said agree 100%..Regards
  • Oh Boo Hoo

    Yes this will be a lot of pain. Yes it will require a lot of work. But it has all been done before in the name of the customer. I cannot believe the amount of work I have to do in my finance company because we have an interest in America and are therefore subject to Sarbanes-Oxley.
    I bet if the US passed this it wouldn't get nearly the same reaction. (or maybe it would - did I hear some say SOPA?)
  • RE: How the new European data law will affect U.S. companies

    Government should stay out of the internet whether it be business or individual. I am adamantly against SOPA/PIPA but also feel individuals should be responsible for themselves and their online activity. Neither party needs government intervention !!
    • RE: How the new European data law will affect U.S. companies


      There is one issue that a lot of people here are forgetting about. Do a search on your name and see how much information people can gather about you without you ever posting anything on the web yourself. Companies are mining public records and a lot of other non-public records like email addresses (past and current), tracking down relative information, etc, etc, and putting it out on the web. This is a bunch of crap. I don't know of anyone who said it was OK for a company to datamine their information and put it all into 1 easy location to make a profit off of it. I don't care if some of it is public record or not, why are these companies allowed to datamine this information and put it into an easy to find and follow format for crackers and identity thieves to use.
    • Ha! Ya. Right.


      Even the Wild West came to an end. And like it or not, mostly for good reason.

      Firstly, your wish is a pipe dream without question. For thousands of reasons, one being that governments are already knee deep into all kinds of web related legalities.

      Secondly, your dream of governments staying out of the web is something of the same kin that many different people's wishes are about the government "staying out" of one thing or another. Most people have something on the go in their lives that make them wish the government had stayed out of it. The problem is that they also have about 5 dozen things in their life they are glad the government has a handle on, perhaps even thinking the government should be more involved and take a stronger stance. And unfortunately that results in a multitude of overlap between the things people say the government doesn't do enough about and places people say the government shouldn't be involved in at all.

      Face it, as humans we are all so far from being of one mind that the saying "can't please all the people all the time" is about as factual as you can get.