When small and mid-size companies start expanding their apps or web presence into Europe, they need to start thinking about EU data protection laws. It’s tempting to take a look at what one or two of the “big guys” do about EU data protection compliance and think that whatever the big guys do in Europe must be good enough. But the ongoing saga between Google and the EU’s data protection authorities shows that this approach shouldn’t be adopted uncritically.
- Providing “clear, unambiguous and comprehensive information” regarding its data processing,” including an “exhaustive list of the types of data . . . and purposes.”
- Providing more information about its use of anonymous identifiers (a next-generation tracking/behavioral profiling technology that’s being developed and may eventually replace cookies).
- Educating its employees better concerning notice and consent requirements.
- Making sure that users are equally protected regardless of what device they are using (mobile phones, tablets, desktops, and any new devices that are invented).
Google has committed to putting these changes into effect by June 30, 2015. In the meantime, Google’s undertaking provides a useful spotlight on the areas of EU data protection compliance that the ICO (and other data protection offices) think require significant attention.