
The Big Challenge in New EU Data Protection Law: Values

Matt Kelly | December 17, 2015

Years ago, the chief compliance officer at a large manufacturing concern told me his biggest struggle was this: how to build an effective ethics & compliance program across cultures that have fundamentally different values.

The fundamentally different culture in his mind—to nobody’s surprise here, I’m sure—was China. How can you convince the Chinese that favoritism in awarding contracts is against company ethics, when personal connections are of supreme social value in China? How can you convince the Chinese to self-report misconduct, when shame is an outcome far worse and more offensive than guilt?

I’ve always thought my CCO acquaintance raised an excellent point. I just never expected that U.S. companies would see that gap in fundamental values emerge in such an unexpected way as it has this week.

The fundamentally different cultural value, of course, is privacy. And the place that sees it so differently is Europe.

Compliance officers will feel that gap most tangibly in the new EU data protection law, and we’ll get to the details of that legislation shortly. Rest assured, you and the head of marketing in your business will spend more than a few hours trying to digest its implications for data collection, and all the new procedures you’ll need to adopt to ensure your collection practices stay in compliance with the law.

But the law itself isn’t what jarred me this week. What jarred was this: that even on the same day that European officials agreed upon a final text for this legislation, word came that last month Belgian police missed a chance to apprehend one of the suspects in the Paris terror attacks—because Belgian law doesn’t allow nighttime raids to apprehend suspects, out of respect for personal privacy.

How can global organizations manage compliance with differing laws on privacy, when protection of personal privacy can be as deep-rooted as that?

The Belgium example is extreme and perhaps a bit unfair, I know; it’s more an example of bureaucratic ineptitude and outdated law than anything else. But the differing views on privacy are real, huge, and immensely hard to bridge. I can recall another time when I had to write an article on college students’ views on sharing digital music. I found a group of college students here in Boston, and asked what they thought. Then I asked for their names, and the first one I asked happened to be a Spaniard. He became annoyed. “The press can’t just ask someone on the street what his name is,” he said. And I remember thinking—actually, yes I can. And every American knows this.

The Spaniard and I were both right to think the way we did. We just came from two entirely different perspectives, each equally valid. So I don’t know when the United States and Europe might ever resolve our differences over privacy of data. It strikes me as one of the unsolvable problems of corporate compliance.

Back to the EU data privacy law. Yes, the legislation—which must still pass a final adoption vote by the European Parliament—will apply to all 28 member states of the European Union, so we now have a harmonized set of regulations to study and implement. The bad news is that penalties for noncompliance can be severe (up to 4 percent of global revenue), and many specific clauses remain ambiguous. I expect we will see plenty of implementing rules and pronouncements to come, and a blizzard of law firm memos trying to put the directive into its full context.

Technically the law covers two separate rules: the General Data Protection Regulation, which addresses how companies use the data of EU citizens; and the Data Privacy Directive, which covers how law enforcement uses that data. Both will affect compliance officers, albeit in different ways.

At its core, the Data Protection Regulation revolves around the concept of consent: companies can only use a customer’s data for whatever narrow, specific use they tell the customer about. Where in the United States we check some box on an electronic form that’s 58 pages long and we never read, and blissfully agree to let companies use all our personal data any way they like—that idea will be severely restricted in Europe. Companies will not be able to scoop up vast piles of data on customers and then line up those data points in new ways, to glean fresh insights into our behavior. If you want to use a customer’s data in multiple ways, you will need to ask for that consent multiple times. The data scientists in your marketing division will hate it.

Game out that new climate, and suddenly data classification becomes even more important than it already is. Not only will you need to classify every bit of customer data correctly, and apply the necessary access controls to sensitive data like health information; you’ll also need to track consent for each separate use of all that data. Or you can start stripping away personal details to study customer data in aggregate, but prepare for howling voices and gnashing teeth in the marketing department. They will hate this too.
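To make the previous paragraph concrete, here is an added Python example (not code from the article or from any vendor) of the three controls it names: a classification of record fields, a consent ledger that binds each grant to a stated purpose and refuses any other use, and an aggregation routine that drops direct identifiers and suppresses small groups. The field classification, the purpose names, the `explicit` flag for sensitive data, the sample records and the minimum group size of 3 are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Constructed classification of the fields in a customer record; which fields
# count as direct identifiers or sensitive data is an assumption of this example.
DIRECT_IDENTIFIERS: Set[str] = {"customer_id", "email"}
SENSITIVE_FIELDS: Set[str] = {"health_condition"}


class ConsentDenied(PermissionError):
    """Raised when a requested data use has no matching consent."""


@dataclass
class ConsentLedger:
    """Tracks, per customer, which purposes were consented to.

    Consent is bound to the purpose it was given for: a grant for
    'order_fulfilment' says nothing about 'marketing_profiling'.
    """
    _consents: Dict[str, Dict[str, bool]] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def grant(self, customer_id: str, purpose: str, explicit: bool = False) -> None:
        # `explicit` records that the customer was asked about this purpose
        # separately; sensitive fields are released only under such a grant.
        self._consents.setdefault(customer_id, {})[purpose] = explicit

    def withdraw(self, customer_id: str, purpose: str) -> None:
        self._consents.get(customer_id, {}).pop(purpose, None)

    def has_consent(self, customer_id: str, purpose: str) -> bool:
        return purpose in self._consents.get(customer_id, {})

    def use(self, record: Dict[str, object], purpose: str,
            fields: Iterable[str]) -> Dict[str, object]:
        """Return only the requested fields of `record`, for `purpose`.

        Refuses (and logs) when consent for that purpose is missing, or when a
        sensitive field is requested under a grant that was not explicit.
        """
        cid = str(record["customer_id"])
        wanted = list(fields)
        explicit = self._consents.get(cid, {}).get(purpose)
        if explicit is None:
            self.audit_log.append(f"DENY customer={cid} purpose={purpose} reason=no-consent")
            raise ConsentDenied(f"{cid}: no consent for purpose {purpose!r}")
        needs_explicit = [f for f in wanted if f in SENSITIVE_FIELDS]
        if needs_explicit and not explicit:
            self.audit_log.append(f"DENY customer={cid} purpose={purpose} reason=sensitive-needs-explicit")
            raise ConsentDenied(f"{cid}: {needs_explicit} require explicit consent for {purpose!r}")
        self.audit_log.append(f"ALLOW customer={cid} purpose={purpose} fields={','.join(wanted)}")
        return {f: record[f] for f in wanted}


def aggregate(records: Iterable[Dict[str, object]], group_by: str,
              min_group_size: int = 3) -> Dict[object, int]:
    """Count customers per value of `group_by` without touching identities.

    Direct identifiers and sensitive fields are never allowed as the grouping
    key, and any group smaller than `min_group_size` is suppressed so that a
    count cannot single out one person.
    """
    if group_by in DIRECT_IDENTIFIERS or group_by in SENSITIVE_FIELDS:
        raise ValueError(f"cannot aggregate on {group_by!r}")
    counts = Counter(r[group_by] for r in records)
    return {k: n for k, n in counts.items() if n >= min_group_size}


# Constructed sample records (not real customers).
CUSTOMERS: List[Dict[str, object]] = [
    {"customer_id": "c1", "email": "a@example.com", "country": "DE",
     "age_band": "30-39", "health_condition": "asthma", "purchases": 3},
    {"customer_id": "c2", "email": "b@example.com", "country": "DE",
     "age_band": "40-49", "health_condition": None, "purchases": 1},
    {"customer_id": "c3", "email": "c@example.com", "country": "DE",
     "age_band": "30-39", "health_condition": None, "purchases": 7},
    {"customer_id": "c4", "email": "d@example.com", "country": "FR",
     "age_band": "30-39", "health_condition": "diabetes", "purchases": 2},
]


def demo() -> Dict[str, object]:
    """Walk through the grants and uses; returns the outcomes for inspection."""
    ledger = ConsentLedger()
    ledger.grant("c1", "order_fulfilment")
    ledger.grant("c1", "wellness_programme", explicit=True)
    ledger.grant("c2", "order_fulfilment")
    out: Dict[str, object] = {}
    out["fulfilment"] = ledger.use(CUSTOMERS[0], "order_fulfilment", ["email", "purchases"])
    try:  # a second use of the same data needs its own consent
        ledger.use(CUSTOMERS[0], "marketing_profiling", ["purchases", "age_band"])
        out["profiling"] = "allowed"
    except ConsentDenied:
        out["profiling"] = "denied"
    try:  # health data under an ordinary grant is refused
        ledger.use(CUSTOMERS[0], "order_fulfilment", ["health_condition"])
        out["health_under_fulfilment"] = "allowed"
    except ConsentDenied:
        out["health_under_fulfilment"] = "denied"
    out["health_under_wellness"] = ledger.use(CUSTOMERS[0], "wellness_programme", ["health_condition"])
    out["by_country"] = aggregate(CUSTOMERS, "country")  # FR group of 1 is suppressed
    out["denials"] = sum(1 for line in ledger.audit_log if line.startswith("DENY"))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The audit log is the detection side of the same control: a spike in `DENY` entries for one purpose usually means a new analytics job is reaching for data nobody consented to, which is exactly the marketing scenario the paragraph describes.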

Matt Kelly has been editor of Compliance Week for 10 years. He will step down from that role at the end of this year. You can find him on LinkedIn at www.LinkedIn.com/in/mkelly1971 or on GoogleTalk at MattCompliance@gmail.com