How the new European data law will affect U.S. companies

If you thought that because you were a U.S. company that European rules would not affect you, think again. Europe has a population of over 500 million people, which is nearly twice that of the United States.

The new Regulation signals that the tide has turned. The 1995 Directive focused on building the online economy, and favouring businesses large and small to expand and grow, while the 2012 Regulation will reverse the fortunes for businesses and focus on European end users.

Internet companies will have to seek explicit consent from its users to use data about them, including when it is being collected, told for how long it will be stored, and for what purpose it is being used for.

A European Commission spokesperson confirmed to ZDNet that the proposed measures are “focused on younger people”, particularly teenagers, students and young adults, in a bid to “protect the consequences of putting photos and other information on social network websites”.

It does not guarantee the right to have data held by local and European law enforcement agencies deleted, however.

But the proposed “right to be forgotten” laws have already been met with harsh criticism from the wider Web industry. It will create a right that will not only be difficult to implement, but could have a detrimental effect on the use of the Web in Europe.

Sheryl Sandberg, Facebook’s chief operating officer, gave an insight on what the wider argument could be amongst businesses and European regulators. While Web companies provide employment and spur on economic growth — such as seen with Facebook’s impact on the European economy — governments should not get in the way.

“In Europe, in the United States, throughout the world, we need to make sure we are investing, we are investing in technology, and we are investing in basic education so that people can take advantage of these tools,” she said.

“The Internet and social media, it’s not just posts and pictures and fun things with your friend. But this is really serious stuff. This is about growth. This is about jobs.”

Facebook as a company remained silent in the run-up to the new Data Protection Regulation, but will likely suffer its consequences.

Reuters quoted Microsoft’s European chief operating officer, Ron Zink, as saying the proposals may be “too prescriptive”. Microsoft is one of the few companies pushing for harmonisation of privacy laws between the U.S. and the EU, but even it is concerned over the scope of the ‘right to be forgotten” rule.

“If one person puts photos on their SkyDrive and makes them available to everyone on the public Internet, and then later asks us for the content to be removed, we can take it off our servers,” Zink said.

Details of data breaches — something every company will have to deal with at some point — also takes a high standing in the Regulation. Since the Sony breach, where over 70 million user accounts were hacked, Europe is responding by enforcing a “24-hour rule”.

“Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay. As a general rule, without undue delay means for me ‘within 24 hours’,” Reding said in a speech earlier this week.

But should a company not be aware of a hack, a breach, or a data loss for 24 days, let alone 24 hours, it applies more pressure on companies to be aware of their own internal security matters and data protection policies.

The U.S. Department of Commerce weighed in, saying that the rule is “simply too short” and could lead to disproportionate fines, and even to false alarms. This in itself is likely to cause consumer frustration and unnecessary worry.

If companies are found to have broken the rules of the Regulation, stiff financial penalties not far behind Europe’s competition and antitrust penalties can be imposed; something not conducive to innovation in an already tight economic climate.

While some consider this to be a “tax on businesses”, again highlighting the shift from business growth to consumer rights, the Regulation could be seen as a reactionary set of rules and laws that does not deal with the fact that many still choose to upload vast amounts of their data to the Web.

These are just a number of examples where the borderless Web means that European law takes just as much precedence as other sovereign states, as long as companies are operating within Europe’s walls or has European customers.

The rules need to be approved by European member states and the European Parliament before they can come into effect. This could mean heavy amendments or outright rejection.

The Regulation in its current form should be seen as a warning flare, and a dictation of how a company should be acting in its present state.

However, a lot is still yet to change, so businesses should take heed of the warnings today. Change is afoot and the European authorities are about to shake the global data-collecting industry to its core. The announcement of the Regulation does not guarantee that all of its contents will go through, but it gives a grace period of two to three years for company practices and polices to be changed to comply with the overall measures.

Today’s announcement:

• Exclusive: European Commission ‘in denial’ over Patriot Act loophole
• European draft data law announced: What you need to know