Compliance, Social Media, and the New EU Data Protection Regulations.

What do terms like "privacy by design," "profiling," and "the right to be forgotten" mean for your business? With a new EU data protection law coming, a lot.

Matthew Klein
June 5, 2015 - 7 min. read

Social media makes it much easier for companies to have a presence in pretty much any market in the world. It’s fairly simple to target a Facebook ad to users in 20 different countries. The laws affecting business on digital and social media across those markets, however, might not be so straightforward.

Regulations and laws in a region with 28 member states aren’t always easy to get a handle on, especially for companies based in the US. But compliance with EU regulation is critical, and it will only become more so with the upcoming changes to European data protection law: the current draft includes fines of up to €100 million or 2-5% of a company’s annual worldwide revenue, whichever is greater, for certain violations.

We’re taking a look at some of the major points that companies need to consider compliance-wise, starting with those upcoming changes to EU law. According to our lawyers, this is not Official Legal Advice, but it will hopefully help companies that operate or plan to operate in the EU to better understand what they’ll need to do to be compliant.

The lay of the law

Probably the biggest single piece of legislation affecting what brands and networks can and can’t do in terms of digital and social marketing is the EU Data Protection Directive (Directive 95/46/EC).

The directive has a variety of different applications for social networks, brands and advertisers: what data can be accessed by whom, what kind of data can be used to target messages, what privacy settings are available, and what the defaults are. It’s also going to be completely replaced by a new law that will have a major impact on brands on and beyond social media.

First, because the law will have such a big impact on how businesses operate online in the EU, we’ll look at some of its key points in a broad sense, then we’ll go into how it could impact businesses specifically on social.

A different data landscape

First, there’s a key distinction between the old data protection law and the new one. Unlike the old directive, the new proposal is for a regulation. A regulation is directly applicable: its text is to be followed as written in all the member states. This contrasts with the current law, a directive, which is not applied uniformly across countries but instead serves as the basis for separate national laws in each member state, with local variations. In that respect, at least, the situation for businesses under the new law will be simpler to navigate.

It’s important to note that the regulation is not finalized. There are several drafts, and more changes are likely to come. But a lot of the key points touched upon here seem likely to remain in the final version.

So, what’s the scope? The regulation will deal with any company that processes, or controls the processing of, “personal data.” Since “personal data” encompasses any information relating to an identified or identifiable person, and “processing” encompasses practically any dealings with that data (collecting, organizing, storing, transmitting or deleting it), it will affect a huge portion of companies that do business online.

And while the current directive applies to data processing companies that are established in the EU (for example, incorporated in a member state), or that use “means of processing” located in the EU (a server, say, or a data processing company), the new regulation applies to any processing company that is established in the EU, plus any company, wherever it is based, that “offers goods or services to EU residents” or “monitors their behaviour.”

And, as mentioned, the regulation will be applied uniformly throughout the EU. A fairly complicated supervisory structure is proposed to ensure this, which you can read more about here, but basically the data protection authority of the country where a company has its “main establishment” will be the one responsible for making sure the company meets those standards.

Complying with the regulation will be critical, considering the penalties for businesses that fail to do so. The draft sets out tiers of fines, each expressed as a fixed amount or a percentage of annual worldwide turnover. Failing to provide adequate mechanisms for data subjects to exercise their rights can draw a fine of up to €250,000 or 0.5% of worldwide turnover. Failing to provide adequate information to data subjects, or to comply with the “right to be forgotten” (a provision of the law), can draw a fine of up to €500,000 or 1% of worldwide turnover. Processing data without a valid processing condition, or failing to comply with the profiling restrictions, can draw a penalty of up to €100 million or 2-5% of annual worldwide revenue. For individuals and small businesses, a first, non-intentional breach results in a written warning rather than a fine.


Major changes for businesses

Under the draft, any company that processes data and has more than 250 employees, or that processes the data of more than 5,000 people, will need to appoint a data protection officer (DPO) whose role is to ensure compliance with the law. The DPO must “operate independently and not take instructions from the business as to the exercise of his or her functions.”

Profiling, which the proposed law defines as “automated processing intended to evaluate, analyse or predict any features of their behaviour, preferences or identity,” is restricted. In my opinion, the law would make it very difficult for, say, a company to target ads for discounted baby strollers to people who had searched “pregnancy symptoms.” There are allowances: profiling can be carried out as part of a contract, with the data subject’s consent, or where otherwise specifically permitted by the laws of a member state. Profiling of pseudonymous data is also generally allowed, but profiling activities that “enable identification of data subjects from pseudonymous data” are not considered pseudonymous, so they fall under the restrictions.

Also, data subjects will be able to demand a copy of any personal data that a company engaged in data processing holds about them.

There’s a lot more to the regulation that we won’t cover here but that will still have a major potential impact on businesses, including more oversight of the processing of sensitive information or the data of children, strong requirements for the reporting of data breaches, and rules on transferring data outside the EU. The full text, a very fun read, is here.

Social specifics

Some of this will affect companies operating on social channels directly; some of it will affect the social networks themselves and, by extension, the companies operating on them.

So what is “the right to be forgotten”? This concept entered many people’s vocabulary last year when the European Court of Justice ruled that Google and other search engines were required under the data protection directive to respond to requests from individuals to remove links to pages containing their personal data from the results returned for a search on their name, provided certain conditions are met.

The new law will extend this concept so that it applies explicitly to social networks. According to a circular about the impending regulation released by the EU, the right to be forgotten will mean social network users can request that any information a social network holds about them be deleted.

And the new regulation introduces two new concepts that will likely have a significant impact on social networks: privacy by default and privacy by design. They will require that any new technology, product or service be developed to ensure compliance with data protection obligations, and that any collecting, storing or processing of data be done only as far as is necessary for the stated purpose. These concepts could mean that new social networks or services skew anonymous, or away from collecting all available data about their users, and that existing ones shift in that direction.

There are other elements of the proposed regulation that will probably make a difference to social networks and to brands’ presence on them, but we can’t know exactly what the effects will be until the law is finalized and interpreted. The restrictions on profiling could conceivably affect ad targeting, for example. Or the stronger requirements for consent to any sort of data processing could mean more people opt out of targeting.

There are, however, rumors that certain “exceptions” to this regulation will be made for social networks, but at this point they are just rumors.

So what can companies do now?

Well, the good news for companies that will have to be compliant is that they have some time to get things in order. Final adoption of the new data protection regulation looks likely to occur, at the earliest, toward the end of this year. It could well be pushed into 2016, and the regulation likely won’t come into force until perhaps 2017.

But with the information available, and the scope of the changes that will be necessary for some companies, it would be wise for them to get started soon. First, make sure your lawyers are aware of what’s happening. This is a great resource for them.

Also, you should begin to look, at a high level, at the ways in which you use data. Are your uses of it specific, controlled, and transparent? Is data shared only with designated people, or does everyone in the company have access, more or less?

And, critically, you need to know what kind of partners you’re working with. Under the law, companies can be held responsible for the compliance of companies that process data on their behalf. To avoid substantial penalties, partners need to understand the regulation inside and out, and the scope of any agreement that includes data processing will need to be very clearly defined from the outset.

Header image credit: Thijs ter Haar 

Book image credit: Pawel Loj
