International Data Privacy: How to Navigate the Challenges

by White & Case LLP

Hardly a day goes by when the news doesn't include some privacy-related story or scandal.  To name just a few recent examples, we've seen:

  • Highly publicized losses of customer credit card data by household-name retailers.
  • Companies being hacked, including entertainment businesses and dating websites, and the subsequent revelations in the data publicized proving far more scandalous than the hack itself.
  • Revelations by Edward Snowden about government surveillance of individuals on a massive scale.
  • European Court of Justice cases declaring that the mechanism most widely used by US businesses to transfer EU personal data to the US (Safe Harbor) no longer provides adequate protection, and giving European individuals a "right to be forgotten" from internet search engine results.
  • The continual introduction in the US of Federal and State laws governing the privacy of personal information in a variety of contexts, including when personal information is collected from individuals online/via mobile devices, and about children, and in sectors such as healthcare, finance and education.
  • A controversial new EU data privacy regulation that not only attempts to expand further the reach of EU regulators beyond Europe's borders, to the US and around the world, but also increases the compliance burden on all businesses, and the potential fines, to up to U.S. $20 million or 4% of worldwide turnover.

These issues and many more have kept privacy in one form or another consistently in the public eye and at the top of the agenda for many years now.

These incidents frequently involve an element of tension between approaches to privacy in the US (often perceived as open, innovation-focused and relatively free of privacy regulation) and in the EU (often perceived as having a confusing, impractical and excessive mess of privacy - not to mention other - regulatory regimes, and citizens who are highly sensitive about the processing of their personal data).  Putting aside the (fascinating) historical and philosophical theories behind the different cultural attitudes to privacy (think the importance placed in the US on free speech versus sensitivity in Europe (particularly post-war) to any massive databases collecting and monitoring individuals' behavior and movements), let's consider the practical scenarios that typically arise.

The Fast-Growth Company Paradigm – Different approaches when entering a new jurisdiction

The paradigm is this: a fast-moving Silicon Valley technology business offers an innovative (and often free to consumer) product that is somehow reliant on the mass collection, storage or clever monetization of individuals' personal data.  The business is wildly successful in the US and, naturally, looks to expand internationally, with Europe being an obvious target.  Having already (in true Silicon Valley style) taken a "risk-based approach" and prioritized product, user acquisition and sales over compliance (particularly in the US), the business then expands aggressively into Europe, proving popular with users/customers and gaining great traction and recognition in a new and valuable market.

Then, one way or another, attention turns to the business's data privacy practices.  This might be because of:

  • the scale on which it is collecting data;
  • the sensitivity of the particular data collected;
  • the uses to which the data is being put; or
  • perhaps worst of all, the data not being held securely, and somehow ending up in the public domain.

Cue public outcry, investigations by data protection agencies, potential loss of users/customers and a general decrying in Europe that Silicon Valley companies don't take EU privacy laws seriously.  The business may argue that it is not subject to EU privacy law, or the privacy laws of the particular European countries involved (and there are sometimes persuasive arguments that this is the case), but the damage has already been done.

So, is this all part of the lifecycle of a Silicon Valley business (hopefully not) and how can a "big startup" expanding rapidly (as Silicon Valley companies so often are) embrace these challenges?

Overcoming the Challenges

1. Perfect compliance?
Recognize (even if your business is not ready to aspire to it) that perfect compliance (assuming it exists):
a. requires investment;
b. is time-consuming;
c. involves taking a non-uniform approach across jurisdictions (or hitting baseline compliance in the strictest jurisdictions and over-complying everywhere else);
d. requires some interpretation of often opaque and outdated statutory/regulatory language and guidance (with variations between jurisdictions); and
e. may involve some small (or perhaps big) sacrifices in product functionality, user experience and maybe even revenue streams.

2. Practical approaches
a.  "Hot issues"
A risk-based approach can work in a privacy context (providing your business genuinely accepts the "risk" aspect).  Work with a privacy expert to identify "hot issues" in privacy enforcement/on the regulatory agenda, and those which have been largely forgotten (contrast the frequent and relatively large fines/settlements for data security breaches with the information requirements of the EU's electronic commerce regulatory regime, which — while not particularly onerous to comply with — are rarely enforced by regulators).
b. Key markets
Identify key markets that have (or that you are aspiring to have) the largest share of your international revenues and invest more heavily in compliance efforts there.
c. User perception
Think about the reaction of your users/customers if they "found out" what you are actually doing with their data. —Even if you have complied with applicable notice and consent requirements, is there anything you're doing that they would likely be unhappy about?
d. Good faith efforts to comply
Think about a practical approach to following the law that demonstrates a genuine good faith effort to achieve full compliance (rather than simply ignoring the issue), even if this means sacrificing some user experience.
e. Legal and industry trends
Pay close attention to legal and industry trends — think about the (albeit still slightly uneasy) position we've reached on EU cookie notice and consent mechanisms, after the initial uproar/concern that all websites would have to serve a blank page with an opt-in notice on all European users before those users even landed at any part of the website, destroying the user experience in the process.
f. Product/user teams and privacy by design
Work with your product and user teams to understand how much modification they can "stand", without making real sacrifices in user experience.  In fact, the ideal scenario product-wise is to engage early enough with the teams (and certainly long before any growth beyond the US into stricter regimes like Europe) to factor in privacy by design from the outset, but this does require some patience/understanding on the part of teams who are, no doubt, in a tearing hurry to release new products/iterations.

3. Regulatory engagement
If you nevertheless start receiving regulatory enquiries, avoid a combative, quasi-litigious style (or worse, putting the correspondence in a drawer and hoping it goes away).  Instead, engage actively with the regulator right away, acknowledge that the privacy of its country's citizens is a big priority for you, and show a genuine appreciation for their concerns, and a willingness to take steps to resolve them.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© White & Case LLP | Attorney Advertising

Written by:

White & Case LLP

White & Case LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.