(Editor's note: this is a guest post from Mike Weston, CEO of data science consultancy Profusion, discussing how tech companies can navigate the shifting sands of privacy regulations.)
Tech companies generally hate legislation. The European Union loves to regulate. In legislative terms, the irresistible force of tech innovation meets the unmovable object of European bureaucracy.
The latest manifestation of this epic battle – Facebook’s Moments app. At the time of writing, the EU has claimed victory, forcing Moments to withdraw from European shores until its facial-recognition technology comes equipped with an opt-in.
If only privacy, data ethics and the march of tech innovation was that simple (and dramatic). The real situation is much more nuanced.
A case in point was the announcement last week of draft EU data protection regulation. Although the legislation is couched in incredibly dull language, it has the laudable goal of seeking to homogenise data protection rules across Europe.
In theory, this should make it cheaper for companies, particularly those operating in marketing and tech, to do businesses. It should also reinforce privacy protections for EU citizens. Sadly, the draft that was announced was hilariously ambiguous.
For example, there’s a rule that allows companies to change how and what they do with data if they can show ‘legitimate interest’. Just what a ‘legitimate interest’ will entail is anyone’s guess. In total, there are 35 flexible provisions. To avoid boring you to death and to protect my sanity, I’ll avoid going into any more detail. But when the directive is finally implemented, it won’t be consistent across Europe and is highly unlikely to be easy to understand. Tech and data lawyers will be salivating at this prospect.
So what does all of this mean for global tech companies? Well, Europe, like many other places in the world, is embroiled in a cultural battle over privacy. On the one hand, it should be simple: the ‘right to respect for private and family life’ is enshrined in Article 8 of the European Convention of Human Rights, drafted and signed into being a mere 65 years ago.
However, the expectation of privacy varies massively between countries and is hardly consistent. For example, Germany went apoplectic at the Edward Snowden spying revelations, whereas the situation in the UK and France was much calmer. However, in relation to Google’s ‘right to be forgotten’, France is pushing hard for it to be extended across the world. Meanwhile, in the UK, the new Conservative government is drawing up new rules to extend the state’s digital reach into tech companies and people’s lives – the so-called ‘Snooper’s Charter’.
European governments, in general, are struggling to balance privacy concerns, security and breathing room for tech companies to innovate. Each technological innovation brings with it new challenges that legislation is struggling to keep up with. Facial recognition is just the latest battleground, yesterday it was chat apps like WhatsApp and BBM, tomorrow it could be wearable technology. For context, the UK is governed by data protection rules drawn up in 1997 and implemented in 1998, a full ten years before iPhone was launched.
Mark Zuckerberg is unlikely to lose any sleep over the delay to Moments. Creating an opt-in is not going to dent the tech behemoth’s bottom line. However, for smaller tech companies, the danger of entering a European market with shifting privacy rules and a prickly consumer base is clear and present.
My advice is to tread carefully. If you plan to enter Europe and your app or software deals with cutting-edge technology or is data heavy, and you can afford to get legal advice, get it quickly. This is not a situation where it is better to beg for forgiveness than ask for permission.
For companies where even Saul Goodman would be a lavish expense, the UK offers pound-for-pound the biggest market with the most relaxed attitude to privacy and data protection. So the UK makes a good test market. Being mindful of incorporating explicit requests for data use and opt-ins is also crucial. Finally, use of language and sensitive marketing goes a long way to avoiding the ire of regulators.
Transparency is key. Make it clear how you use your customers’ data and what they will get in return. Not only will this help to retain consumer trust, it will also give you an important bargaining chip if the regulatory or media environment changes.
Although European privacy legislation and cultural attitudes can seem anathema to US tech entrepreneurs, especially if they are of the libertarian persuasion, it shouldn’t be a major hurdle if you operate your business on an ethical basis. Respecting customers by being transparent and not taking advantage of their personal information should be the cornerstone of any tech company. There will always be some curve-balls thrown by regulators as Moments has showcased.
However, as legislation will forever play catch up with the tech industry, the best way to protect your start up is to deal with transparency and data in precisely the same way you would wish other companies to deal with your own personal data. Essentially, do with others’ data as you would have others do with your own private data.
Featured image credit: AHMAD FAIZAL YAHYA / Shutterstock.com