Thursday, 17 December 2015

EU Data-Privacy Law Raises Daunting Prospects for U.S. Companies

The sweeping new digital-privacy regime that European Union officials agreed to on Tuesday runs counter to practices that have become commonplace in the U.S., according to several American corporations.

The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data-protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

U.S. companies in industries ranging from advertising to health-care have embraced the opportunity to analyze vast amounts of data collected from sensors, apps and other sources. The new law places substantial roadblocks in their way, companies say, by specifically targeting data mining and user profiling.

“It’s going to be a game-changer,” Jack Yang, Chief Privacy Officer and Head of Data Use for Visa, Inc., said of the new European legislation during a San Francisco conference last week on how companies were responding to the law.

Executives from some Silicon Valley corporations say that the new law poses a big threat because it combines legal uncertainty with massive fines of up to 4% of global revenues. Some provisions rely on fluid notions, like risk-based harm to individuals, that could be interpreted differently by companies and regulators.

“Legal uncertainty and big fines are a toxic cocktail,” said Allan Sørensen, a board member for IAB Europe, an advertising trade group.

While some large U.S. firms have been lobbying behind the scenes, many are only starting to prepare. An October survey of 103 U.S. privacy professionals by Truste, a San Francisco company that helps businesses comply with privacy regulations, found that only half of U.S.-based businesses were aware of or getting ready for the pending EU regulation.

“I think people underestimate the impact it will have,” said Eduardo Ustaran, a London-based lawyer at Hogan Lovells, who works with U.S. tech companies.

David Hoffman, global privacy officer of Intel Corp., said the chip maker was pleased to see the EU move to a greater degree of harmonization of its privacy and data-protection laws. “However, we are concerned about any sanctions regime that would include fines of up to 4% of global revenue,” he said. “Such high sanctions dis-incentivize business and investment.”

One provision appears to challenge what companies call “secondary uses” of personal data beyond the purpose for which it was collected. For instance, a weather app may collect location data to offer localized forecasts and then use the data to display a targeted ad.

U.S. consumers typically consent to such uses by checking a box next to a blanket privacy policy that covers all possible uses of data. The new European regulations could require specific consent for each use, said Martin Abrams, executive director of the Information Accountability Foundation, a think tank that is supported by technology companies. “Big data is all about repurposing—and repurposing is a problem,” in the new law, Mr. Abrams said.

It may be impossible to gain consent for every possible use of data, said Hilary Wandall, Chief Privacy Officer for pharmaceutical giant Merck & Co. Inc. Such consent is particularly challenging with respect to medical databases in which some individuals are deceased, she said.

The new law is expected to include tighter rules on a practice called profiling, or sorting users into buckets based on their online behavior. For instance, insurers use sensors attached to cars to price their premiums, and social networks use face detection technology to identify individuals in their users’ photographs.

The law gives users the right to know why they are being profiled, what buckets they are sorted into, who receives the data, the logic involved in drawing conclusions and “the consequences of such processing.”

Companies typically disclose to consumers that they may target them with an ad based on their information or behavior, but rarely disclose the categories they are sorted into.

“Right now, so much of our online lives are determined by algorithms that are totally opaque,” said Alvaro Bedoya, executive director of the Center on Privacy and Technology at Georgetown University Law Center. “The right to access the ‘logic’ behind data processing could be a significant step forward in opening that black box.”

He pointed out that the law carves out exceptions to protect trade secrets, intellectual property, and anonymized data used for research purposes.

The new law also enshrines a broader version of the controversial “right to be forgotten,” applied to search engines since a 2014 decision by the EU’s top court. The new version requires any company to delete personal information it has about individuals who request that it be removed, except in certain circumstances, such as when that information is necessary for historical research or for exercising free expression. Search engines including Alphabet Inc.’s Google said the rule has already proven difficult to comply with.

Barbara Mangan, eBay Inc.’s privacy counsel for North America, said the company had been working for two years to find ways to fulfill European requests to have their data deleted right away. The solution was complex because a customer’s data might be held in dozens of databases at any given time.

“It’s pretty challenging to find those touch-points across all your business,” she said.

European Parliament and EU governments still need to approve the law, which is considered likely, after which it would take effect in two years.

(Published by The Wall Street Journal - December 16, 2015)
