There are some serious difficulties ahead for businesses in the wake of the repeal of the US Internet Privacy Bill. How can US businesses comply with the GDPR?
Disclaimer: As always, my opinions are my own and not those of Ipswitch or its partners. Worth mentioning when it’s true.
In a recent story, I mentioned the EU’s General Data Protection Regulation (GPDR), the repeal of the U.S. Internet Privacy Bill, and their impact on companies involved in the trade of products and services between these regions. At the risk of beating a topic to death, let’s examine what has happened since and the compliance difficulties involved.
Like most techies in the world, the repeal of the Internet Privacy Bill in the U.S. was surprising in several ways. With the GPDR coming into effect in May 2018, a law like this one flies in the face of everything the GPDR stands for, namely the protection of private data.
In an age where marketers target every possible avenue for monetization, letting ISPs do so seems like madness, when you consider that they handle traffic for all industries and consumers, regardless of applicable regulations and standards.
As John Culkin, Director of Information Management at Crown Records Management, a global provider of information, storage and access solutions, puts it, “There is a major intersection ahead on the data protection highway – and the problem for global corporations is that the US is about to turn right just as Europe goes left.”
Problem one identified, but what else is in store? Will the situation cause compliance difficulties? What about net neutrality? What is the Internet Privacy Bill and is its reinstatement even possible?
The GPDR
The GPDR aims to harmonize data protection across the continent of Europe and provide citizens with greater rights over how and where their personal data is stored, said Culkin.
“This legislation will feature huge fines for data breaches, introduce strict deadlines on how quickly a breach must be reported and will apply to any business which handles the personal data of EU citizens. It will also require companies to gain express consent from citizens to store their data in the first place,” said Culkin.
The repeal of the Internet Privacy Bill removes those rights.
“It opens up the possibility that internet service providers could access people’s personal information – such as financial, health, geolocation, web browsing history and use of apps – and share it with third parties,” said Culkin.
“It’s easy to see problems ahead for any businesses which operate both in the US and Europe,” added Culkin.
Consumers will Drive Markets, as Always
The United Kingdom vote to leave the EU will not change the fact that GPDR compliance is necessary for companies trading with the EU and the same compliance is necessary for U.S. companies with business activities in Europe.
For U.S companies, “the transmission of data outside the European Economic Area was previously covered by Safe Harbor, before being challenged in court by privacy campaigners. The newer Privacy Shield was agreed but may face further problems around potential surveillance and recourse when issues occur,” said Culkin.
The EU GDPR brings an additional challenge in that it protects EU citizens no matter where they are. Therefore, it could be considered a problem for US business too, added Culkin.
As Culkin points out, the underlying feeling in Europe is that far from fearing potential fines for non-compliance, companies should see safe data as a selling point. This is especially true when you consider that consumers are increasingly demanding data protection when choosing where to spend their money, whether on products or service.
“It’s not impossible, for instance, that US-based businesses could find themselves prevented from processing the data of EU citizens – although there are serious question marks over how the regulation can be enforced,” said Culkin.
GDPR makes a distinction between companies that handle the data, versus companies that own the data - but the rules apply to both. Learn more about how GDPR impacts the use of personal data.
Citing one example, Culkin confirmed that many companies are currently choosing to host data in the EU and it will be interesting to see if that trend continues.
When the powers-that-be in the White House kill net neutrality, and ISPs prioritize their own services over others, the nail in the coffin for innovation in the U.S. will begin. The whole ‘buy American, hire American’ rhetoric will be shown up for what it is, when American ISPs screw their own citizens, sell their private information to all who will buy it and choke the bandwidth of competing services, unless they pay exorbitant rates for access.
Attempting to solve a trade deficit is a worthy goal for any country, but when data privacy is compromised for all involved in the import-export industry, how can it possibly succeed?
Comply with all Regulations?
In conclusion, companies need the flexibility to combat compliance issues. We’ve all heard of Agile methodologies. Why not employ them?
“The real issue is that companies, regardless of regulations in the US or in Europe, should be taking a good look at their information management systems and asking what data is being stored, where it is stored, how easy is it to access and whether its true value is being realised. Only then can they be ready to travel the data protection road safely – no matter what twists and turns lie ahead,” said Culkin.
In the meantime, say goodbye to the European market, as consumers and companies take their business elsewhere, to ensure their data is not monetized or leaked in a data breach that ISPs are not legally obligated to report. OR, perhaps amendments will take place that will satisfy international trade concerns for all? Time will tell.
For now, I’ll courier some glitter balls, balls of string and laser pens to the White House. With any luck it will distract them for a while and delay additional BS from being conceived of and spewed forth in the form of executive orders.
