The striking down of the existing Safe Harbor transatlantic data-transfer agreement has been all the talk of late. And while an agreement was finally reached – a new framework to be known as the EU-U.S. Privacy Shield – there are likely still hurdles to overcome before everything is finalized.
Even with this agreement reached, there may be confusion about how it relates to other recent shifts across the pond in customer data privacy and security.
The rules and regulations relating to how merchants and retailers capture, store, share and process customer (and staff) data are about to change in Europe. At the start of this year, the European Commission unveiled a draft of its European Data Protection Regulation, which is planned to take the place of its previous Data Protection Directive. The regulation will apply to all European Union (EU) member states without a need for local legislation. The purpose of the change is to align and update data protection across the EU. One continent, one law. It impacts not only businesses within the EU, but also businesses that target goods or services at EU consumers.
The regulation is expected to be implemented and enforceable by 2018. When this happens, all businesses will have to be ready for key changes to how personal data is collected, stored and processed. In addition, there are changes to how data breaches are reported. The consequences of noncompliance will increase greatly, too. The current draft outlines that fines could be as significant as 4 percent of global annual turnover. This in itself is enough of an incentive for merchants, retailers and their financial services partners to sit up and pay attention.
Now, while you may be thinking this doesn’t apply to retailers and service providers in the U.S., particularly with the new framework, I’d be careful with that assumption. As stated, businesses that target goods or services at EU consumers will be expected to comply.
One thing is certain: the rules and regulations around all of this are currently muddled to say the least. Regardless of how this all shakes out, there's distrust among European consumers when it comes to U.S. entities protecting their data.
I surmise that whatever the end result of these new and forthcoming data security requirements, all of this actually presents a great opportunity for U.S. merchants. By complying with European standards, you're demonstrating to European prospects and customers that you're a trustworthy business and that you'll protect their data. It may all seem daunting, but if you work with service providers with data centers in your target European markets, they will have the local knowledge and resources needed to help your company be compliant. The investment is relatively small, at least from a customer payments point of view, and in fact is likely less expensive than transferring customer data back to the U.S. given you will have “feet on the street” overseas.
If there's a data breach in Europe, your brand name can be easily ruined in the marketplace. It's very hard to regain trust – especially where there's already a strong lack of trust among European consumers who are sensitive to the protection of their personal data given the revelations from Edward Snowden and big providers who let the U.S. government tap into their data. It can take a long time to earn a positive reputation – and just minutes to lose it.
Many Europeans feel that even with the new EU-U.S. framework, promises are bound to be broken. If a breach should happen, the public outcry in Europe will be substantial, and merchants that comply with EU law will have a significant advantage.
Rather than taking a “wait-and-see approach,” if you're seeking to extend your global reach and/or retain your position in Europe, I recommend taking the new rules seriously and moving towards adoption now. The regulations present a good opportunity for U.S. retailers to demonstrate their commitment to European consumers, while showing that you respect their privacy. If you don’t, your competitors may beat you to the punch, and you could risk losing market share moving forward as a result.
Andre Malinowski is head of international business at Computop, an international payment service provider.