Trading Partners Clash On Data Privacy Policy

August 1999
By Michelle L. Hankins

Administrators strive for free flow of information between nations.

The debate between the European Union and the United States over protecting personal information represents a fundamental cultural difference that could alter the future growth of electronic commerce. Throughout this debate, these differences have threatened to bring data transfers from within the European Union to the United States to a grinding halt.

Whereas the United States has thus far relied on a mix of legislation and self-regulation, the European Union has enacted an omnibus data privacy policy that reaches beyond the current U.S. efforts to restrict the use of personal data. The European group has adopted a measure to protect consumers operating in the electronic world by guaranteeing their right to be informed of the identity of the organization processing the data and the purpose for which the data will be used. The scope of the European effort affects not only the United States, but any global trading partners that transfer information within the region. With so many businesses operating in the international arena, the impact of the European initiative could have widespread effects on businesses in the United States and abroad.

The U.S. Department of Commerce has been engaged in negotiations with the European Union regarding the United States’ level of protection for personal data. Although the union has threatened to block transfers of personal data if no agreement is reached, it has permitted information to continue flowing freely to the United States during the negotiation period.

The European Union’s (EU’s) directive on personal data protection, effective October 1998, established a framework for regulating the use of personal data transferred between the union’s 15 member states. The initiative was aimed at ensuring privacy for EU citizens while encouraging the free flow of data within the union. Because member nations had varying data protection laws, those legal differences were hindering information flows between some nations. The EU policy was also created to boost consumer confidence by offering a guaranteed level of security for personal information.

The directive outlines fundamental rights of individuals regarding their personal information. It states that citizens have the right to know where data originated and where it is available as well as the identity and purpose of the organization processing the data about them. According to the policy, individuals have the right to access their own personal data and to correct that information if it is proven to be inaccurate. Citizens also have the option to refuse to permit use of their data in certain instances, including for direct marketing purposes. Sensitive data, such as ethnic or racial classification or information pertaining to political or religious beliefs, health or sexual interests, typically can only be used with the consent of the individual. Certain exceptions exist within the directive for journalists or for artistic or literary purposes. Other exceptions include use after gaining an individual’s consent, use after establishing contract stipulations, and use where releasing the information would protect an individual’s vital interests such as in a medical emergency.

However, the impact of the directive extends outside the EU with clauses pertaining to data transfers to third countries. Therein lies much of the contention between the United States and the union. EU laws state that data can be transferred outside the union only if adequate protection is provided. Many of the negotiations between the two groups have centered on the definition of adequate protection. EU officials say that level of adequacy will be determined on a case-by-case basis. Foreign organizations may seek to qualify through voluntary arrangements that establish privacy protection. Agreements and contractual clauses between two parties can also ensure adequate levels of protection. Otherwise, data transfer could be blocked if the recipient country’s level of protection is deemed inadequate. Access to data could further be denied through an appeal to the European Commission, the administrative arm of the EU, which could move to extend a temporary denial of access.

Gerard De Graaf, first secretary of the commission’s delegation to the United States, explains the importance of the directive for the free flow of information among EU nations. The success of the single European market depends on unrestricted borders, but within the EU, data privacy is regarded as a fundamental right of each individual. De Graaf continues that European culture differs from that of the United States in the use of personal data. The EU view is that many U.S. direct marketing procedures are an invasion of privacy.

In the United States, direct marketers target potential customers, share mailing lists and even reach into homes by calling customers to solicit business. The union has incorporated policy to prohibit activity of this kind. “There is a different business culture in the United States than there is in Europe,” De Graaf says. “There’s much more data protection in the EU.”

He adds, however, that the EU is not against marketing, but the organization’s position is that people have a right to know how their information is being used and not to be bothered by direct marketing ploys. The notion that the individual, and not the marketer, should have control over the data is the core of these European values, De Graaf states.

He maintains that the third country policy within the directive is to ensure that data is protected once it is outside the EU. Were it not for this protection, De Graaf says, a loophole would exist that would undermine the entire effort to protect individuals’ personal information. He notes that European nations have been addressing data privacy protection for nearly a decade.

The European Union has also been engaged in discussions with several other nations, including Australia, Canada, Japan, Switzerland, Central and Eastern Europe, and Hong Kong.

Throughout the early debates, the EU found the U.S. methods of regulation to be inadequate. It is a “patchwork” method of regulation, De Graaf says, unlike that of many other nations that have already adopted data protection policies. “The United States is different from the rest of the world, not the rest of the world is different from the United States,” he emphasizes. In the U.S. system of self-regulation, he believes, there is little guarantee that organizations will effectively ensure data privacy. The question, he says, is who would actually hold organizations accountable for maintaining adequate protection. In contrast to the United States, the European Union has data protection commissions and allows members to seek rectification through judicial systems.

To ensure an adequate level of protection, De Graaf says, a number of indicators must exist in a third country. Policy must be adopted to protect data, and it must include the basic tenets of the EU’s protection measures, such as notice of how data will be used, the choice to deny that use, and access to one’s own data. Individuals must have the ability to resolve problems, and violators of data privacy regulations must face consequences when they fail to comply.

In response to the EU’s directive on personal data protection, the United States issued the international safe harbor privacy principles. This policy was designed specifically to address the question of adequacy that arose with the EU directive. The principles were developed with industry and public input in an attempt to solve the data privacy issue and to continue to promote international commerce between the United States and the EU.

According to a draft of the policy, organizations can qualify for the safe harbor in several ways. An organization can qualify if it voluntarily adopts private sector policies that replicate the safe harbor principles, or if its practices are already regulated by governmental personal data privacy policy. The EU and the United States also discussed the use of contracts between two parties that stipulate privacy guidelines, which could qualify as adequate protection.

The safe harbor principles define seven areas in which organizations must comply with EU standards for adequate data protection. The first principle involves notifying individuals of the purpose for which personal information has been collected. This includes informing individuals of any third parties to which the information will be given. Individuals are also guaranteed appropriate means to contact the third parties with any questions or complaints, or to limit the use of the data.

The second principle allows individuals to withhold permission if their information is to be given to a third party for purposes other than those originally intended. Further, an organization may forward information to third parties only if those third parties show adequate privacy protection consistent with the principles of notice and choice.

Organizations must ensure the security of personal data by implementing measures to prevent loss, misuse or unauthorized access or disclosure. They must take the necessary steps to ensure that the data is accurate and current and that it is being used for the originally intended purpose. An individual must be allowed to access personal information and to amend the information if it is inaccurate.

The last principle addresses enforcement for organizations that violate safe harbor principles. It provides recourse for individuals if their personal data is not protected according to these guidelines. This enforcement phase includes investigations into disputes over data and damages where appropriate. It also says organizations must be held to the security standards that they claim to offer and that the validity of these claims should be verified. In addition, organizations must be held responsible for problems that arise due to data conflicts.

In an effort to make these guidelines explicit and to clarify any gray areas for businesses that might face regulation under the directive, a series of questions on which the two trans-Atlantic trading partners must agree accompanies the safe harbor principles.

Department of Commerce officials have responded to the EU policy on personal data protection for over a year in intense negotiations. David L. Aaron, undersecretary of commerce for international trade, has emphasized that both sides need to reach an agreement to allow the free exchange of information and to maintain and expand conventional trade and investment. He further argues that an agreement is needed to allow electronic commerce to reach its economic potential.

Defending U.S. data protection measures, Aaron stated in a speech before a global forum in the Netherlands that the United States does have standards to protect data privacy. “We think that our system is more than adequate to protect personal privacy. In fact, some of our laws surpass European standards. But in Europe, our system is unfamiliar, and thus suspect. In particular, we have had difficulty in explaining our reliance on industry self-regulation,” Aaron explains.

Aaron asserts that people will not put their personal information on the Internet unless they receive confidentiality guarantees. To allow electronic commerce to grow, organizations will be forced to provide the protection their consumers demand. Privacy, he says, is essential for electronic commerce to flourish.

If data flows are interrupted, many businesses operating both in the United States and around the world would face an uncertain future. There would undoubtedly be a zone of discomfort for businesses if agreement about adequate data protection remained undefined, De Graaf says. “A disruption of data flows would be a disaster of historic proportions. It would threaten our ability to carry on trans-Atlantic trade even at current levels, let alone expand it,” he says. Aaron adds that blocking data flows could cost billions or even trillions of dollars or euros in international trade and investment.

One U.S. company that could be adversely affected by the EU directive is Bell Atlantic, New York. The company has offices outside the United States, and its operations include the transfer of data between EU nations and the United States to process directory information. Bell Atlantic Executive Director Shelley E. Harms explains that the possibility of preventing the free flow of information could hurt businesses and consumers alike. “It has the potential to hamper the availability of services to citizens,” she states.

Bell Atlantic has supported the United States’ safe harbor principles and believes that the soft regulatory approach that the nation has adopted provides more than adequate protection for data privacy. As a rule, Harms notes, the company has instituted, in its own business practices, privacy measures that benefit the customer.

Indeed, direct marketers stand to be affected dramatically by the EU directive. Charles Prescott, vice president of international business development and government affairs for the Direct Marketing Association in the United States, is familiar with the debate about data protection. “It is clear that the directive poses some serious challenges for direct marketers in the United States who want to conduct state-of-the-art database management and marketing exercises into Europe from their facilities in the United States.”

Prescott has studied how personal information collected by organizations can be protected, and he outlines several guidelines for how direct marketers should conduct business in Europe. He suggests that businesses should be aware of how individuals’ data flows within an organization and should conduct an internal privacy checklist. He advises that businesses should understand where data comes from and where it goes, giving notice to individuals about its use.

In addition, Prescott says, organizations must be sure that data acquired can be used for direct marketing. Businesses should register with the proper data protection authorities in Europe if they have offices overseas. When renting lists from Europe, U.S. businesses should ensure that the proper approval has been granted for use of the lists.

While the United States and the EU grapple with cultural differences regarding data privacy protection, U.S. businesses are speaking out on the issues that will affect their operations. Many have already instituted their own privacy policies, and many support the safe harbor principles to ensure adequate protection of data being transported from the EU to the United States.