Data privacy: is your approach American or European?

The United States Congress has authorized Internet service providers (ISPs) to sell their clients’ personal data without requiring their consent. This political and business decision incurs a major risk of companies invading consumer privacy. In fact, an individual’s web browsing history constitutes a direct window onto their private life, with personal information on their interests and leisure activities, as well as their health, sexual orientation, religion, and so on. From a European perspective, this is extremely sensitive data.

This decision shows the U.S. favoring corporate interests over its citizens’ privacy, a position that is diametrically opposed to the regulatory changes taking place in France and Europe more widely, where privacy is a critical concern. 2016 saw major developments in data privacy rules, especially the vote in favor of new European regulation and French digital law. These important changes are aimed at enabling consumers to regain control over their personal data and decide how it is used. Individuals must be able to manage their data and decide who may access it. This is the essence of article 1 of the French Informatique & Libertés law, which has been updated to integrate the notion that “every person has the right to decide on and control the use made of their personal data.”

This strengthening of consumer rights sends a clear message to companies: people are free to decide how their personal data is used. They must be able to give their consent and withdraw it at any time. Their consent must be freely given, specific and informed, since the consumer must have sufficient information to make a decision in full knowledge of the facts.

Are you concerned? Most likely, as a consumer and an employee. Whether you are sending marketing materials, handling sensitive data or transferring your clients’ contact details to a partner, you need to be aware that any data processing is subject to consumer consent and it is important for your company to comply. CNIL, the French data protection authority, is particularly vigilant on this point, imposing sanctions if necessary. For example, in December 2016, two online dating sites were publicly ordered to pay penalties of €10,000 and €20,000 respectively for processing sensitive data (sex life, religious beliefs and ethnicity) without users’ consent. Another example is CNIL publishing a note in October 2016 following numerous complaints over pharmaceutical records being created without patients’ consent.

Particular attention needs to be paid to the issues of requesting user consent and complying with it, as well as providing the right information to consumers. Our data culture is changing: consumers are increasingly protective of their private lives, better informed of their rights and keen to assert them.

Your company must adapt to these changes and respect clients’ wishes as a key to driving trust and building long-term relationships.