(Editor’s note: this is a guest post from Mike Weston, CEO of data science consultancy Profusion, discussing how tech companies can navigate the shifting sands of privacy regulations.)

Tech companies generally hate legislation. The European Union loves to regulate. In legislative terms, the irresistible force of tech innovation meets the unmovable object of European bureaucracy.

The latest manifestation of this epic battle is Facebook’s Moments app. At the time of writing, the EU has claimed victory, forcing Moments to withdraw from European shores until its facial-recognition technology comes equipped with an opt-in.

If only privacy, data ethics and the march of tech innovation were that simple (and dramatic). The real situation is much more nuanced.

A case in point was the announcement last week of draft EU data protection regulation. Although the legislation is couched in incredibly dull language, it has the laudable goal of seeking to homogenise data protection rules across Europe.

In theory, this should make it cheaper for companies, particularly those operating in marketing and tech, to do business. It should also reinforce privacy protections for EU citizens. Sadly, the draft that was announced was hilariously ambiguous.

For example, there’s a rule that allows companies to change how and what they do with data if they can show ‘legitimate interest’. Just what a ‘legitimate interest’ will entail is anyone’s guess. In total, there are 35 flexible provisions. To avoid boring you to death and to protect my sanity, I’ll avoid going into any more detail. But when the directive is finally implemented, it won’t be consistent across Europe and is highly unlikely to be easy to understand. Tech and data lawyers will be salivating at this prospect.

So what does all of this mean for global tech companies? Well, Europe, like many other places in the world, is embroiled in a cultural battle over privacy. On the one hand, it should be simple: the ‘right to respect for private and family life’ is enshrined in Article 8 of the European Convention on Human Rights, drafted and signed into being a mere 65 years ago.

However, the expectation of privacy varies massively between countries and is hardly consistent. For example, Germany went apoplectic at the Edward Snowden spying revelations, whereas the situation in the UK and France was much calmer. However, in relation to Google’s ‘right to be forgotten’, France is pushing hard for it to be extended across the world. Meanwhile, in the UK, the new Conservative government is drawing up new rules to extend the state’s digital reach into tech companies and people’s lives – the so-called ‘Snooper’s Charter’.

European governments, in general, are struggling to balance privacy concerns, security and breathing room for tech companies to innovate. Each technological innovation brings with it new challenges that legislation is struggling to keep up with. Facial recognition is just the latest battleground; yesterday it was chat apps like WhatsApp and BBM, tomorrow it could be wearable technology. For context, the UK is governed by data protection rules drawn up in 1997 and implemented in 1998, a full ten years before the iPhone was launched.

Mark Zuckerberg is unlikely to lose any sleep over the delay to Moments. Creating an opt-in is not going to dent the tech behemoth’s bottom line. However, for smaller tech companies, the danger of entering a European market with shifting privacy rules and a prickly consumer base is clear and present.

My advice is to tread carefully. If you plan to enter Europe and your app or software deals with cutting-edge technology or is data heavy, and you can afford to get legal advice, get it quickly. This is not a situation where it is better to beg for forgiveness than ask for permission.

For companies where even Saul Goodman would be a lavish expense, the UK offers pound-for-pound the biggest market with the most relaxed attitude to privacy and data protection. So the UK makes a good test market. Being mindful of incorporating explicit requests for data use and opt-ins is also crucial. Finally, use of language and sensitive marketing goes a long way to avoiding the ire of regulators.

Transparency is key. Make it clear how you use your customers’ data and what they will get in return. Not only will this help to retain consumer trust, it will also give you an important bargaining chip if the regulatory or media environment changes.

Although European privacy legislation and cultural attitudes can seem anathema to US tech entrepreneurs, especially if they are of the libertarian persuasion, it shouldn’t be a major hurdle if you operate your business on an ethical basis. Respecting customers by being transparent and not taking advantage of their personal information should be the cornerstone of any tech company. There will always be some curveballs thrown by regulators, as Moments has showcased.

However, as legislation will forever play catch-up with the tech industry, the best way to protect your start-up is to deal with transparency and data in precisely the same way you would wish other companies to deal with your own personal data. Essentially, do with others’ data as you would have others do with your own private data.

Featured image credit: AHMAD FAIZAL YAHYA / Shutterstock.com

  • In addition, member states will still have the power to add their own rules, restrictions and certifications.

    For example, in the EU we don’t (and we won’t) have a single law for health service providers (like HIPAA in the US).

    For example, if a startup is providing a great digital health solution in Germany (mHealth, eHealth, wearables, telemedicine etc.), it can’t provide the same in France because it would need to be approved by the French Data Protection Authority (CNIL). And probably it will skip the French market because it needs to be fast.

    Once the GDPR is approved, there will still be a lot of work to be done in order to really simplify legal compliance and support innovation.

  • I totally agree with the last line, “do with others’ data as you would have others do with your own private data.”, and would add to that family and friends, as on both sides of the pond there will be an increased focus on “youth” and how data might harm our next generations.

    I would, however, like to offer a word of caution regarding using the UK as a test market: UK legislation is based on common law, which is not the same system as other European countries. The very long discussion about how the ePrivacy Directive has been transposed in the UK is a good reminder of that. Today, what might be OK for the Information Commissioner’s Office, the ICO, might not fly with the French CNIL or the Spanish AEPD. The European Data Protection Regulation is coming (end of 2015 or beginning of 2016), and let’s see how homogeneous it is across countries.

    Having said that, and as a convinced European (yes, I know, naïve!), I find US legislation just as confusing, with sectoral and, on top of that, federal vs. state-based legislation. The very definition of PII, for starters, varies per state.

    While the legislators figure it out, let’s just focus, as you also mention, on our customers and their expectations of privacy. More should clearly be done in terms of understanding and education, while we all hedge against current and future data risks.
    My baseline is usually the Fair Information Practice Principles (FIPPs), on top of which now also come the 7 Privacy by Design principles. And then drill down per country to determine risk and act accordingly.