Privacy's Safe Harbor
If you do business in Europe, you need to know about the EU's privacy laws. They're significantly more stringent than what we have in this country and you should comply. The easiest way for an American company to comply is through the "Safe Harbor" provisions negotiated by the United States Department of Commerce.
Our privacy laws are more liberal than the EU's, which require permission from the customer before a company can share or sell the customer's personal information. Here, we rely on a combination of legislation, government regulation and, mostly, self-regulation.
In contrast, the EU uses a system of comprehensive legislation that requires the creation of government data protection agencies, registration of databases with those agencies, and, in some instances, prior approval before personal data processing may begin. Further, the EU prohibits the transfer of personal information to countries outside of the EU that don't ensure the same level of privacy protection - like the United States. It's as if they have created a bubble within the EU, where data may flow freely among the member states, but data can't leave the bubble unless it's transferred to another bubble.
The Europeans are a bit lofty in their rhetoric concerning privacy. The EU's "Directive" identifies privacy as a fundamental human right. It says that "data-processing systems are designed to serve man; whereas they must respect their fundamental rights and freedoms, notably the right to privacy." As an American, I always thought that data processing systems were designed to serve spammers, giving them an ever-refreshed list of email addresses - but that's another column.
The part of the Directive that causes American companies heartburn is the part that covers transfers of personal data to third countries. It impacts transactions like banking, travel reservations, ecommerce activities, credit checks, credit card purchases, and even routine communications between branches of the same company.
EU law defines personal data as "any information relating to an identified or identifiable natural person." This personal data can only be collected for specified purposes and processed only if the "data subject" (that would be you when you are wearing your consumer hat) gives unambiguous consent. There are a number of exemptions relating to things like national security, safety and contract rights, but these exceptions won't impact most businesses.
With this as the backdrop, American companies were not pleased with the prospect of having to comply with strict European privacy laws. Trying to avoid even the hint of a trade war, both sides worked to find a compromise. The result was "Safe Harbor," which applies to both offline and online data.
The EU requires compliance with seven fundamental principles.
The first is "notice." You have to tell people things like your purpose in collecting information, how to contact your company, to whom you disclose information, and the choices and means your company offers to limit use and disclosure of information.
Then there must be a "choice" to opt-out of your company disclosing a person's information. The rules are even more stringent if you intend to transfer sensitive information or want to use it in a way different from the way you originally disclosed.
The third principle is control of "onward transfers" meaning that you make sure that those you give the information to also comply with Safe Harbor.
Next is "access" to the information so that a person can correct and amend it.
The fifth principle is "security." This means that your company must take reasonable precautions to protect personal information. The key phrase is "reasonable precautions" meaning that you aren't required to have perfect security. If you have commercially reasonable security in place, you should be okay on this one.
The sixth principle is "data integrity" which has to do with the information being relevant for the purposes for which you are using it. Under this principle, the personal information must be significant to the purpose of its use and cannot be used in a way that's inconsistent with the reason you collected it.
The last principle is "enforcement." In the U.S., the Department of Commerce provides the stick if you say you are complying with Safe Harbor, but in fact, are not.
If your business touches the EU, I strongly recommend that you immediately begin the process of Safe Harbor compliance. A good start is reviewing the material on the Department of Commerce's website at http://www.export.gov/safeharbor/. After you digest the fundamentals, find a lawyer familiar with Safe Harbor to guide you through the process. As much as you may not like it, you're going to have to deal with EU law one way or another if you intend to do business there.