The ProQuest breakfast on Saturday morning featured the information-content company’s director of security and privacy information, Dan Ayala, who briefed attendees on two European Union (EU) privacy laws that will take effect on May 25: the General Data Protection Regulation (GDPR) and the ePrivacy Directive. Any American firm doing business in Europe will be affected by this legislation, Ayala said, and the laws are already “forcing US companies to look at data privacy in completely different ways.”
Some corporations, Ayala said, are laboriously setting up two different privacy systems, one for Europe and another for the US. However, the major players are unifying their rules to comply with the GDPR, “which is an indicator that European trends are starting to become global trends. Facebook and Google just rolled out new privacy centers that are in effect throughout the world, not just Europe.”
The GDPR requires companies conducting business in the EU, including the many businesses providing services to US libraries, to ensure the following protections:
- Increased territorial scope. Companies must comply if data is collected in the EU, even if it is processed elsewhere.
- Explicit consent. Users must explicitly agree to privacy terms and conditions (including accepting cookies) before they can access a service or product.
- Breach notification. Companies must let users know there has been a data breach within 72 hours of its discovery. (Compare the Equifax breach, which took the consumer-credit agency 70 days to notify the public about the massive amount of personal data that was compromised.)
- Right to access. Users have the right to request any personal information that has been collected from them.
- Right to be forgotten. Users may request that their data be erased.
- Data portability. Users have the right to request personal information from other companies that have received it second- or third-hand.
- Privacy by design. Companies should build their business processes with data privacy in mind from the beginning, not as an afterthought.
- Data protection officers. Companies must have a readily identified person, detached from operations, who is responsible for data and privacy protection.
The ePrivacy Directive includes these provisions:
- Users must be provided with clear and precise information on what data the cookies are collecting and must give their consent.
- Personal data on users collected as part of normal business interactions (phone numbers, billing, IP addresses) should be stored for only a limited time.
- Use of any data for marketing purposes must be agreed to by the user after accurate and full information is given by the provider.
- The types of cookies used for site or product analytics (number of hits, delivered anonymously) do not require as close scrutiny as those used for marketing purposes.
Ayala said that as more information-related companies come into compliance with the new European regulations, libraries and their users will reap some benefits. “GDPR will change the data economy,” he said. “The old models will no longer be viable.” Companies will introduce more granular controls over how personal data is used, and librarians can train their users to be aware of the differences in transparency between various products and services. “Of course, US companies whose sole business is advertising,” Ayala said, “will not be giving up their control.”
Librarians should also feel free to contact the data security officer of any company that provides them with a service and express any concerns they have over data privacy. “More data transparency and openness will build a greater amount of trust among a company’s clients,” Ayala said. The data security officer is there to show that “user privacy is handled effectively and appropriately.”
Ayala admits that enacting any privacy laws in the US similar to those in the EU is extremely unlikely, given the political landscape and the problem of state versus federal jurisdiction. Thus data privacy will rely on voluntary compliance by American companies.
“Data will always be collected,” Ayala said, “but data collection does not necessarily mean there is a privacy violation. Companies must learn to serve the user and clearly state their principles on data use and sharing. If you collect it, use it wisely.”