When Europe’s highest court declared the Safe Harbor agreement invalid in October 2015, you could almost hear the collective gasp from U.S. companies conducting business in the European Union. U.S. businesses have enjoyed nearly unfettered access to international consumers’ data for almost two decades, and the October ruling most certainly threw a wrench in that access. Now, the E.U.-U.S. Privacy Shield aims to replace Safe Harbor, and is currently awaiting final approval from the Article 29 Working Party. Thus far, the Privacy Shield has elicited great criticism, as reviewers still feel it’s not strict enough. Compared with Safe Harbor, the final version is expected to be much tougher on enterprises.
Despite its tepid review, the E.U.-U.S. Privacy Shield is still an indicator that the global consumer-data privacy regulations are constantly evolving, and that maintaining compliance is a challenge for many companies. Indeed, there has been a deluge of commentary bemoaning the collateral damage that new regulations introduce to global enterprises. For example, many brands whose core customer data management infrastructure is in the United States may be penalized for non-compliance with overseas regulations, as building data centers in various E.U. countries is extremely cost-prohibitive. Even migrating the data back to the European Union holds its own complexities.
While these are certainly valid concerns, there is some potential good that can come from the ruling. One is a renewed focus on customer privacy and security. In an ideal world, privacy would already have been systematically incorporated into every aspect of a business from day one. But digital transformation has changed everything, and many existing business systems cannot support today’s requirements for cross-region and cross-channel privacy.
In essence, the Privacy Shield forces businesses to take the steps necessary to safeguard and respect their customers’ privacy by ensuring that data is managed compliantly, is only used for initiatives that have been green-lit by consumers, and is captured with a clear value exchange in mind. The Privacy Shield also puts the burden on enterprises to ensure E.U. citizens’ data won’t make it into the hands of third parties outside the United States — a challenge, given enterprises typically work with multiple vendors across the globe. The good to come out of this, of course, is greater trust, confidence and loyalty in the long run among existing and potential customers.
New regulations also present an opportunity for businesses to cut capital expenditure. Under the original Safe Harbor framework, U.S. companies conducting business in the European Union followed a single, uniform set of privacy standards, and could transfer personal data about their E.U.-based customers back to U.S. servers they built and maintained themselves. Now, enterprises have the opportunity to offload the costs associated with building and maintaining data center infrastructure to cloud-based vendors — and those who already have infrastructure in place in various overseas regions. This means consumer data is stored and handled according to the rules and regulations of the country in which it resides. Using cloud-based data management infrastructure that comprises several international data centers allows for data localization while still providing enterprises with a single, holistic view of their respective customer bases. It also makes ongoing compliance much easier should regulations continue to evolve, as the burden falls to vendors rather than brands.
With the E.U.-U.S. Privacy Shield on the table — and change imminent — U.S. businesses are consumed with figuring out their next steps. The smartest companies will adopt a nimble compliance strategy that is agile enough to store and protect customer data according to regional specifications, while still securely sharing the data with the global enterprise. Those that can’t evolve with the new regulations will find it difficult to continue doing business overseas.
It’s true that the Safe Harbor invalidation — and its much stricter successor, the Privacy Shield — presents a huge bump in the road for U.S. companies. But it’s also forced some changes that are a long time coming, and that yield significant benefits. Making consumer privacy a top concern for today’s international businesses will pay off in spades with customer trust and loyalty; and embracing new infrastructures and technologies that will support evolving requirements will drive down capital expenditure. With these as guaranteed benefits, maybe regulations should have changed long ago.