Topic: Security

European Union Tightening Privacy Rules

added by Rick Robinson on January 27, 2012

The European Commission has issued new rules to provide stronger privacy protections across the European Union. The new rules will impact the privacy and security procedures of all firms doing business in Europe.

At one time, European regulations would have mattered only to the largest US firms or those that were specifically export-oriented. Today, however, many small and midsize businesses (SMBs) do online business with European customers and must be concerned with European rules. Moreover, those rules may influence best-practice standards in ways that affect even purely local firms.

Privacy as a Priority

As reported by Don Reisinger at CNET, consumer privacy has long been a major concern of the European Union. The European Commission, the EU's executive component, has been working for some time to update its current privacy regulations. These date from 1995, nearly at the dawn of the Internet. European Commission vice president Viviane Reding noted that fewer than one percent of Europeans were on the Internet at that time.

Among the key points in the new rules is a "right to be forgotten," allowing consumers to permanently delete data. Consumers must also explicitly opt in to allow companies to keep and use personal data, rather than such use being the default.

The new rules also require companies to report "serious data breaches" within 24 hours, or as soon as possible. The rules extend to data processed overseas (from Europe) if companies are actively doing business within the European Union. Violators may be fined up to one million Euros (about $1.3 million) or 2 percent of global annual sales.

The regulations might also save money, since they will provide a single compliance standard across Europe, replacing a hodgepodge of national online privacy regulations.

"Best Practices"

Small businesses that occasionally and incidentally sell online to European customers probably do not need to study up on the new EU privacy rules. But for firms that do regular, substantial business in Europe, these rules will become the new benchmark for compliance.

And because the worlds of online business and data operations are so globalized, the European rules are likely to be incorporated in IT best-practice guidelines for managing consumer data. Through this channel, they will be adopted by IT operations even in firms that have no active involvement in Europe.

At a time when both online privacy and firms' data security are growing issues in the US and globally, adopting industry best practices is a common-sense measure. In protecting their customers' information privacy, firms will also be protecting their own information security.

About the Author

Rick Robinson

Member since May 2011

I am a professional writer with too many interests - particularly technology, space, history, and science fiction/fantasy. I blog on some of them at Rocketpunk Manifesto [http://www.rocketpunk-manifesto.com/].

©2010 IBM