American companies and GDPR – Can one take “GDPR compliance” at face value?
This is an interesting article, for anyone concerned about Privacy, from Reuters. Basically, Facebook members outside the United States and Canada currently fall under terms of service agreed with the company’s international headquarters in Ireland – inside the EU, so GDPR applies. Next month, that will only apply to European users, so less onerous US privacy laws will apply to everyone else.
I am not a lawyer, but I’m not sure that will always work. What about EU citizens living and working in India, say, who sign up with Indian Facebook?
In any case, it underlines the fact that many US companies see GDPR simply as a restriction of trade, to be avoided at all costs. Could they sometimes be adhering to the letter of GDPR law whilst evading its spirit whenever possible?
I think that there is simply a cultural difference – Europeans think that people override corporations in issues of personal data privacy, Americans don’t – but it’s obviously not as black-and-white as that. Simply stated, I think that any emerging Mutable Business with a global reach needs to do some due diligence, not only on its own data processing but also on its non-European partners – it can’t simply rely on assurances that “we are entirely GDPR compliant”.
Check out Salesforce’s GDPR site, which – on the face of it – seems a lot more thorough than most, and decide for yourself on the small print. There is great play made of Binding Corporate Rules and Standard Contractual Clauses, but my Bloor colleague Peter Howes reminds me that these may include references to other documentation that is subject to change. As an example, Salesforce’s lists of these Rules and Clauses and sub-processors, etc., are full of links to the Salesforce website “for the latest version”. Note also that Safe Harbour and Privacy Shield are quoted, and that the EC authorities are not wildly enthusiastic about either of these – Safe Harbour has been overthrown and Privacy Shield is being challenged (one challenge has been dismissed but there are others).
The bottom line, I think, is that (regardless of GDPR and its jurisdiction) a mutable company can’t afford to have a breakdown of trust with its customers and other stakeholders – as Facebook is discovering. GDPR may simply be a catalyst for bringing data-related trust issues to the surface.