Industry news site Net-Security.org reports that a recent bill voted on in the European Union parliament might increase the data security burden U.S. companies have, even if they don't directly do business in Europe.
Europe already has much stricter data breach laws than the U.S., and the proposed bill is set to make them even more burdensome. American IT companies, big data firms, and web marketers could end up feeling the strain. (For more on the problems with international data breach laws, see our article Why IT Contractors Shouldn't Hold Their Breath for Universal Data Breach Legislation.)
The bill is not yet law, but it passed an initial hurdle with a vote of 621 to 10. A final vote will take place in May, and the new regulations could begin as early as 2016.
Now let's take a look at some of the E.U.'s proposed requirements and what they mean for U.S. businesses.
Future Regulations = Future Headaches for IT Businesses
The proposed bill in Europe would shift IT markets around the world by requiring web hosting and tech businesses to get permission from users more often and by restricting the way businesses can use and transfer data. Here are some of the main features of the bill:
- If a European business transfers personal data outside of the E.U., it must have the consent of the data subjects (i.e., the business's customers), and the country receiving the data must provide an adequate level of data protection.
- There will be new limits on "profiling" that uses location data, economic data, work performance information, and other data.
- Users have the right to have their data erased.
- Companies must communicate data security information and policies in easy-to-understand language.
- Fines could reach €100 million (well over $100 million) or 5 percent of a company's annual worldwide turnover, whichever is greater.
These provisions seem to be aimed at limiting two things: big data marketing and data breaches. E.U. lawmakers hope to increase users' privacy by making it easier for them to opt out of sharing their data. But these provisions (in particular the limits on profiling with location data, etc.) could cripple some of the new developments in mobile marketing and business intelligence. For example, most of Google's revenue comes from gathering information about its users and selling advertising targeted at them.
According to a report published on out-law.com, an international legal news site, the UK government has strongly criticized the new bill, saying it doesn't reflect the realities of the modern-day Internet economy. Restricting the way data is stored and transferred would put up a massive roadblock for companies that are moving toward cloud storage, SaaS, and big data marketing.
Understanding Safe Harbor: How European Laws Affect U.S. Businesses
You might be thinking: does an American business have to follow E.U. laws? That's a complicated question, especially when dealing with Internet and e-commerce because so much business and data move internationally.
Currently, U.S. businesses that receive personal data from Europe typically rely on the U.S.-E.U. "safe harbor" framework: a company self-certifies that it follows a set of privacy principles derived from European law, and in return it is treated as providing adequate protection for data transferred to it. In other words, U.S. companies that do some business in Europe follow a scaled-down version of the law, but still have to meet stricter requirements than they would back home.
As this new E.U. law hasn't reached a final vote, lawmakers have yet to work out what the "safe harbor" version of the law would be for American businesses that interact with E.U. data. That will come down the road, but you can be sure that it means higher standards for businesses that deal with international data and commerce.
What a Tangled Web of Liabilities: E-Commerce and International Data
There are a few things you can take away from these proposed rules and regulations:
- Data security expectations are changing. In the U.S., there have already been three bills proposed in the Senate that would regulate data security. That's three bills in the first three months of the year. Regardless of the laws that are passed in Europe, there will likely be a new data security law in this country within the next few years. (For the latest on U.S. data security laws, check out And Another One: Congress Proposes One More Data Breach Bill.)
- Liability is interconnected. New regulations will affect the complicated way that businesses interact in the digital world. We've already pointed out on this blog that many data breaches are caused by contractors (see: Help Your Clients Understand the Risks of Third-Party Contractors). It only makes sense that the places where businesses connect to one another are often the weak spots in security. As Europe looks to heavily regulate the transfer of data, it's an important reminder that when you share data with another company, you're exposed to risks.
As expectations for data security change, make sure to protect your business from data breach and identity theft lawsuits. Your E&O Insurance covers lawsuits when a client's data is breached on their network. For more on E&O coverage, visit our page of sample insurance quotes for a free insurance cost estimate.