Doing business in Europe invariably means collecting data relating to EU citizens. This means your business will need to comply with the European data protection regime, even if you don’t have any kind of formal EU establishment.
- Transfers of data outside of the EU (including to the US) are prohibited unless you have a European compliant international transfer solution in place. For most US companies, this means getting Safe Harbor certified but there are other options to consider.
- The rules across the 28 member states of the EU vary, so a “one-size-fits-all” approach to European data compliance will not generally work. A strategic approach to formal establishment within the EU can help to reduce the compliance burden.
- US privacy policies and practices do not normally go far enough and will not generally work in Europe. You should localise your US centric policies and procedures for compliance with European data protection laws.
- You may need to register with the local data protection authorities. Failure to notify is a criminal offence. Luckily in most EU member states, the notification process is relatively straightforward so this should be one of the easier issues to tackle.
The European data protection regime is technically one of the strictest and most comprehensive in the world. Failure to comply means you risk not only regulatory scrutiny and fines (which are set to increase to up to 2 % of a company’s worldwide turnover for severe breaches), but also a potential PR disaster as European consumers are particularly privacy conscious.
Of course, we recognise that technical and resource constraints mean that putting in place a fully compliant approach may not (at least initially) be possible, particularly if this is your first voyage into the European market!
However, if you’re ultimately looking to win the hearts and minds of European customers, data protection compliance should be right up there on your to-do list. The earlier you can start factoring in privacy to the design of your business processes and terms, the better.
Getting advice from a European data protection professional is a good starting point. If they’re worth their salt, they will be able to help you pragmatically navigate the compliance challenges and reduce some of the compliance burden.
Felicity Fisher specializes in technology transactions and regulatory matters. She works predominantly with the digital business sector, advising on commercial agreements, technology licensing and procurement, cloud services, outsourcing and e-commerce issues, as well as privacy and consumer regulatory matters.