Europe’s next export: privacy

It’s not like banks and other U.S. businesses are in the dark ages about privacy. A slew of laws and rules enforced by multiple government agencies make it a priority. High price tags and scathing publicity for violations are another incentive.

Plus it’s just good business.

“When you care and people trust you with their information you can build a closer relationship,” says Russ Schrader, general counsel and chief privacy officer for the startup company Commerce Signals. “That database is an asset and you can make money off of it.”

Indeed, that describes the business model for Commerce Signals. Quoting from a Dec. 2016 Forbes article the company has a “databridge product that positions itself as a neutral middleman, acting on the data under the explicit permissions of whoever owns it, which creates transparency and trust.” One such group of data owners the company works with is banks with their “big data lakes” of credit card transactions.

Schrader spoke at a session on the changing landscape of privacy and security at the recent Money 20/20 Conference in Las Vegas. He answered questions posed by moderator Veronica McGregor, a partner at the Goodwin law firm. Schrader stays up on what’s happening in data privacy, and much of his remarks related to the changes going on in Europe and elsewhere.

Two E.U. regulations will impact U.S.

“Privacy in the old days used to mean the right to be left alone,” said Schrader. “Obviously with cameras in your car, on your phone, and in every convenience store there is no more privacy, in one sense.”

But there is, he added, if you look at privacy as a system of data rights. That is: “Who has a right to use that data, and who has supervening rights to prevent the use of that data?”

McGregor described how in Europe the General Data Protection Regulation (GDPR) is set to take effect on May 25, 2018. The regulation, according to web sources, will strengthen data protection for individuals, and give them more control over their personal data, including export of that data outside the European Union (E.U.).

McGregor then asked, “What do U.S. companies need to know about it?”

“It’s really tough for us in the U.S. to get our heads around it,” Schrader answered, “because it comes from a whole different place.”

In the U.S., Schrader continued, “we have privacy to protect kids, protect health, protect financial data—it’s very much a harm-based approach. In the E.U., it’s a human right. They do not see people as what they buy. They see people as who they are.”

As a result, the right to privacy is much more strongly protected in Europe, said Schrader. He noted also that what isn’t covered in the GDPR will be covered in a companion rule known as the ePrivacy Directive, which takes effect the same day as the GDPR.

Data outflows complex and tricky

Schrader outlined why European Union rules matter here. One relates to companies doing business in Europe.

If a company is engaging with European citizens, the E.U. expects it to give them European citizens’ rights, said Schrader. Such companies have a choice, he said: They could run two basic silos, one for the U.S. and one for the GDPR privacy rules— or they could have one system that is set up to pass muster in the EU. The latter may sound simpler, but Schrader said it would be neither cheap nor easy to do. He referenced the recently implemented U.S./European Privacy Shield Program governing the transfer of personal data between countries in commerce. The program is administered here by the International Trade Commission within the U.S. Department of Commerce. Schrader noted in regard to the program that “it’s complicated and tricky,” and is an “ongoing area that people will need to look at.”

Will the U.S. follow suit?

Asked if he thought the U.S. would emulate GDPR, Schrader quipped, “We have a President who believes strongly in certain forms of financial privacy.”

But he also noted that most recent privacy initiatives here come from the CFPB—“Elizabeth Warren’s child.” He didn’t see many organic privacy rules imminent given the polarized positions between the agency and the administration. He added, however, that the recent Equifax breach, which will inevitably result in more people having their identities stolen, may produce a groundswell of proposals in the next couple of years.

In addition, Schrader said that GDPR enforcement actions may change things here “when the Europeans start looking to get huge fines—like 4% of annual turnover [revenue] for violations—from American companies. They’ve already sued Microsoft, Facebook, and Google.” he noted.

Overall Schrader believes there “is a lot playing out overseas that will have a direct economic and probably regulatory and best practices impact here.”

A privacy twist in China

Just a couple of weeks before the conference, Chinese leaders began to talk about how the country thinks about privacy, according to Schrader. Based on a speech he read, their idea of privacy is not about consumer rights, not about human rights, but about the good of the state, the community, the family.

“Privacy is granted in a way that will suppress facts that are harmful to the family, community or state,” said Schrader. “Very different from what we talk about.”