Consumers have a “right to be forgotten” – at least in the EU. Last month, the European Court of Justice (ECJ) classified Google as a data controller and ruled that they must comply with individuals’ requests to remove certain links to personal data. Google has asserted that this will adversely affect innovation, but those claims are premature. The EU’s human rights-centered views have been influencing global standards and privacy practices in the Middle East for decades, and businesses have adapted to more restrictive markets, like China and North Korea, and thrived. The ruling presents opportunities to establish profitable relationships with European clients who desire privacy-based services. Corporations need to see privacy as another market ripe for innovation, one that can yield global profits, because adapting to EU concerns means extending your market reach across the world.
And Europe’s concerns are global concerns. The ECJ ruling has implications for all multinational businesses that handle European data, and it dilutes the “proportionality test,” where businesses claim that the economic effort of deleting personally identifiable data is damaging to their business models. Now, companies need to pay attention to where their clients live (and the jurisdictions that govern them) because they can be held accountable.
Even before the ECJ decision, Europeans felt that they had to balance access to US markets with the risk of EU fines. A lawyer for an EU corporation told me, “When we work with U.S. companies who process our data, we have to put something in our contracts that give us some protection because we know that they won’t be held accountable. We want to participate in U.S. markets, but we know we are exposing ourselves at home.” Officials are even reviewing the Safe Harbor agreement, which enables the transfer of personal data from the EU to companies in the U.S., and pressing for more robust enforcement on U.S. soil. And a new Data Protection Regulation aims to create one centralized law and expand the arm of EU enforcement. If it goes into effect by 2015, the stakes will be even higher. These efforts will pressure European companies to look for U.S.-based providers who can address these concerns. This may keep EU companies from using U.S.-based services, but it also opens a market for companies with healthy privacy systems, since others won’t be able to shield their EU clients from litigation.
The Google case should motivate telecoms and global corporations to integrate privacy into their operational models, instead of treating them solely as issues of compliance. Google has already extended its practices to states outside the EU with similar laws, which (despite the company’s condemnation of the ruling) is an innovation that places Google at the forefront of privacy services. Bing is also following its lead by striving to develop a “right to be forgotten” feature. If other companies establish mechanisms to protect their clients’ private data, they can cater to the more regulated EU markets and rebuild consumer trust at home (it has deteriorated as a result of Snowden’s revelations and growing concerns about U.S.-based cloud computing).
U.S. laws about government surveillance and corporate data ownership likely won’t harmonize with Europe any time soon, but this is an opportunity for companies to maintain competitive advantage and keep up with newer market players. To respond to these changes and make privacy work for profit, consider:
A new market for privacy services. Google already handles a host of removal or review requests from the broadcasting and music industries for IP violations. Now the company is fielding an average of 10,000 individual requests a day through its new online form, and a team must be trained to review them. The economic impact on Google and others has yet to be determined, but it opens a job market for privacy experts. Reputation management companies, which work to bury search engine results, could also offer request services to individuals.
Integrating privacy officers. Privacy is not just about fulfilling legal obligations; it involves understanding telecom systems, regulations, and the operational characteristics of a particular industry. Businesses should take a cue from the intelligence community and make privacy officers more than compliance watchdogs. Train risk assessors to identify sensitive or important data and assess the connections among your security teams and your business models.
Privacy as part of your client relationship. These rulings mirror growing mistrust of how consumer data is managed. Surveys indicate growing American and European unease over how companies gather and use consumer data, their role in sharing personal data with governments, and the transfer or sale of data to third parties without consent or knowledge. Consumers increasingly believe that companies see them merely as data fodder. Treat their private data with respect, and you will attract loyal new customers. Firms that process data already provide tailored services for their clients, so it makes sense to include European privacy protection as another customized service. Hire data security experts and have them work with privacy officers to construct systems that secure data, use it responsibly, and test these mechanisms regularly. Embed data protection into your company’s culture, and involve your clients in the process. Communicate how you protect them in clear and concise language, and invite feedback.
Failure to take privacy seriously can put you at risk of fines or litigation, but the worse case scenario involves negative publicity equating your company with a lack of concern over personal information (e.g. Target and Neiman Marcus). The Google ECJ case is an opportunity to strengthen relationships between clients and consumers by reconsidering how their data is managed. The winners of the digital age will be those who see privacy as an investment that secures profits and opens up privacy markets across the globe.