
Even companies with wholly owned subsidiaries in Europe are at risk of breaking the law if they exchange customer data from one division to another by seemingly innocuous transatlantic e-mails. Caught red-handed, the company could be hauled into European courts, subject to serious fines and, for executives, possible jail time. "We just don't know yet how aggressive the Europeans will be in enforcement," says Jennifer Barrett, chief privacy officer at Acxiom Corp., a Little Rock, Arkansas-based information processing company. "But why take any chances?"

One Country's Privacy is Another's Meat
The United States, by virtue of its constitution, permits wider exchange of consumer data than almost any other nation. The Europeans, however, are governed by a different mindset. Countries such as Germany and the United Kingdom take a much harder stance on privacy issues, especially in relation to the Internet. Laws have been passed to impede the exchange of sensitive consumer data, chief among them the European Union's comprehensive privacy legislation, the Directive on Data Protection.
The directive became effective in October 1998 (it was adopted three years prior). It stipulates, in part, that customer data cannot leave Europe for another country unless that country provides what it calls an "adequate" level of privacy protection. The United States, unfortunately, failed the adequacy test. "The Europeans just plain don't believe we provide enough consumer privacy protection," says Charles Prescott, vice president of international business development at the Direct Marketing Association, Inc., a New York-based group representing more than 5,000 direct and interactive marketers.
Part of the problem is cultural: there are very real differences between the constitutional underpinnings of many European countries and those of the United States. In short, our sense of privacy is different from theirs. "Things like a person's political party affiliation are considered sensitive public data in Europe while here it is a matter of public record," Barrett notes.
"Our constitution, the US Freedom of Information Act, the move toward self-regulating industries and our right to sue, step over European legal principles," says Barrett. "In Europe, if you breach the bounds of what's considered private, you've broken the law. Here, if that happens, you just sue."

Navigating Safely
To bridge the divide created by the privacy directive, the US Dept. of Commerce (at the urging of American business interests) undertook a series of negotiations over the past two years with the European Commission. The DOC's chief goal was to create a model for protecting customer data that would satisfy European privacy concerns. These negotiations led to the development of the DOC's so-called safe harbor principles (to read the actual report detailing the provisions, log on to the department's website at www.ita.doc.gov/td/ecom/menu.html). Basically, the safe harbors enable the EU to be assured that participating US companies meet its requirements for adequate privacy protection.
US companies that want to abide by European law must register with the Commerce Department and agree to the safe harbor conditions prescribed. Those that don't (participation is voluntary) risk actions taken by the Federal Trade Commission if they transfer European consumer data to the US. And that's in addition to whatever actions would be taken by individual European countries.
Given that data transfers are the lifeblood of many global companies (not to mention the foundation of all e-commerce), they cannot survive without complying with the safe harbor principles. The alternative to the safe harbors is swimming without a life preserver. Indeed, corporations will find it difficult to run their multinational operations without registering. "Basic information about foreign employees would not be transferable to the US unless the company has registered," explains Ben Isaacson, executive director of the Association for Interactive Media, a New York-based trade group representing more than 500 Internet companies.
"As for customers, say you're Amazon.com and you have a profile on an American customer (name, credit card number, address, and so on), but this person now lives in Europe and buys through Amazon's UK division. The transfer of that information would not be allowed unless Amazon has complied with the safe harbors."
There are very simple ways to achieve compliance with the safe harbor principles. For example, companies that join a self-regulatory privacy program adhering to the principles can qualify. The Direct Marketing Association is in the thick of forming such a program for its members. "We're hoping to have something up and running in the next few months," says Prescott.
The key is to review the scope of the principles (there are seven guidelines in all) and put in motion plans for compliance. The DOC has several related websites offering help, including one answering frequently asked questions (FAQs). Other helpful websites with up-to-the-minute information on this subject are www.privacyinternational.org and www.privacyexchange.org.
Rampant Confusion
While on their face the safe harbor principles and the EU privacy directive seem obvious and clear, there is still a lot of gray clouding the subject. "While the privacy directive passed in October 1998, it is still up to each of the 15 member countries of the EU to pass it," Barrett notes. "Although only five or so countries remain to sign it into law, keep in mind that each country can implement the law to its own specifications. The directive is a baseline only. Sometimes the differences are slight; sometimes they're dramatic."
For example, the EU doesn't specify whether consumers must "opt in" or "opt out," leaving that up to the individual countries. Some countries, such as the UK, favor opt out for third-party use of data (meaning the company cannot share the customer's information with a third party if the consumer says it can't be shared), while Italy favors opt in (meaning the company cannot share the data with a third party unless the consumer gives explicit permission).
Such permission also varies country by country, "with some requiring written permission and others allowing an electronic version," Barrett notes. "The result of all this is that you cannot look to the EU from a business standpoint and think if I'm following EU law I'm safe," Barrett says.
Even simple e-mail exchanges between a company's US and European divisions may violate the safe harbor agreement. "Since some European countries will require an 'opt in' of the consumer to pass his or her data, including the person's name, a company may not be able to send this information from Europe to the US in an e-mail without first obtaining that person's specific go-ahead," says Isaacson.
"Even if this is a US citizen, from a country that requires consumers to 'opt out,' European law would stand," Isaacson continues. "The upshot: Multinational companies cannot operate seamlessly between two divisions without explicit consumer consent."
Some aspects of the directive will require new ways of conducting business in the US. "The EU directive requires 'right to access,' meaning the consumer has the express right to contact a company and discern whatever data it has about him or her," says Barrett. "The company must respond to this query, and the consumer can challenge any inaccuracies. That's probably the toughest part of the law for US companies to comply with, simply because we have no comparable regulations in the United States."
Yet another concern is the constant pace of technology. "I don't think anyone really understands the ramifications of the advanced technologies being developed today and the extent of data sharing that will be going on between both continents in the future," Isaacson says.
Not every aspect of the directive is a challenge. For example, the directive makes it easier for US companies to satisfy each European country's privacy law. "The whole point of the EU, of course, is to provide some uniformity," Prescott says.
"A small company with about $20 million in annual revenues, without operations all over Europe, is now able to market its products to multiple countries and know it has complied with each country's privacy rules. By adhering to the safe harbors and committing to the same kinds of protections that European companies must adhere to, the bureaucracy is bypassed."
As for the likelihood of similar privacy laws here, Barrett is doubtful. "I can't see it happening, given our constitutional freedoms," she says. "We tend to believe in autonomy and self-regulation, with the courts as the final arbiter of injustices."
