For some U.S. companies, the European Union’s General Data Protection Regulation is a source of fear. They’ve heard about the massive penalties for non-compliance. They’ve heard about the complexity of the requirements and they don’t know what to do. In extreme cases these companies are simply blocking all internet traffic from Europe.
In other cases it’s about the annoyance of having to deal with multiple standards. They have to write one set of privacy policies for Europe and another set for everywhere else. Worse, they have to comply with multiple sets of legal requirements.
But it doesn’t have to be this way. While the GDPR privacy requirements are strict and the penalties potentially huge, companies that are making a good-faith effort to be compliant aren’t going to be severely punished.
Your company can eliminate the pain of having multiple privacy policies by simply having one that meets global requirements, in other words, by having GDPR compliant practices throughout your company, not just in the parts that deal with the EU. Some big enterprises are doing just that, including no less a global technology giant than Microsoft, which has announced that it’s providing GDPR rights to everyone.
“We believe privacy is a fundamental human right,” Microsoft’s deputy general counsel Julie Brill said in her blog on the topic. Brill said that privacy has grown in importance as people spend more time online, and expose more of their personal activities online.
“Privacy is also the foundation for trust,” Brill continued. “We know that people will only use technology that they trust.”
“That’s why today we are announcing that we will extend the rights that are at the heart of GDPR to all of our consumer customers worldwide,” Brill explained. “Known as Data Subject Rights, they include the right to know what data we collect about you, to correct that data, to delete it and even to take it somewhere else.”
Meanwhile, Facebook and Google have also said that the companies are GDPR compliant, although not as explicitly as Microsoft.
What’s important about Microsoft’s approach is that the company has settled on one standard for how it protects privacy everywhere in the world. That means that its U.S. customers will get European level privacy, despite the fact that it’s not required under U.S. law. The same is true in all other parts of the world.
For Microsoft and for other companies that have any exposure to EU privacy rules, this makes a lot of sense. It costs money to develop multiple standards, it costs more money to coordinate which standards apply where and under what circumstances and more yet to find ways to automate how those multiple standards apply.
By adopting the EU’s GDPR, Microsoft only has to support one standard. The cost of developing legal privacy standards for many different places has gone away. Now there’s just one. And because the GDPR is both more specific and broader, it apparently meets the requirements everywhere else as well.
This is not to suggest that changing your privacy policies so that they comply with the GDPR is going to be easy or cheap. But the reality is that if your company has a significant presence in Europe, you’re going to have to create GDPR-compliant practices anyway. Establishing the EU standard for everyone then eliminates the complexity of supporting other standards.
Unfortunately, as Google and Facebook have found out, just saying that your company is supporting the GDPR isn’t enough. Both companies were sued for GDPR violations on May 25, the day the regulation went into effect.
The lawsuits, which would force the courts to impose fines of €3.7 billion and €3.9 billion respectively, say that the companies are not actually meeting GDPR requirements. At issue, according to Austrian activist Max Schrems, the EU citizen who filed them, is the single check box the companies use to accept their privacy policies. The GDPR requires that you have a choice of which policies to accept and that it’s not an all-or-nothing choice.
On the other hand, Microsoft, which has transparently adopted the GDPR requirements globally, has not been sued.
What this demonstrates is that it’s possible to have a global privacy standard. However, for your global privacy standard to work, you have to make sure you actually meet the GDPR requirements.
Microsoft is helping in this area as well. The company has created a resource that provides sample privacy policies, model clauses and help with complying with the U.S. Privacy Shield. Microsoft has also revised its cloud service so that it complies with the GDPR and it’s provided a compliant version of Office 365.
While some might view this effort on Microsoft’s part as a cynical attempt to profit from the angst over the new rules, I don’t see it that way. Microsoft has demonstrated a long commitment to privacy for years and has done battle with an aggressive U.S. Justice Department to protect its customers’ privacy. These aren’t the actions of a company trying to leverage its way into a fast buck.
Of course, you don’t have to pay attention to GDPR compliance. If you’re a company that doesn’t seek business in the EU and which rejects contact with that potential community of customers, you’re probably fine. Just be careful that you don’t violate the GDPR in the process.