Europe is way ahead of the United States when it comes to protecting personal data and the electronic sharing of that information. And while some IT and business leaders may shrug it off, major U.S. companies should be focused on catching up with their European counterparts, as ignoring privacy issues could not only stall future international business deals but also prompt liability headaches.

The European Union directive
A good starting point for understanding the privacy issue is getting familiar with the European Union (EU) Data Protection Directive. The directive, adopted by EU member states in 1995 and implemented within the EU in 1998, outlines how foreign countries can collect personal data and poses limits on the use of that data.

The focus of the directive is to standardize data privacy protection for all EU citizens. In 2000, the EU and the U.S. Department of Commerce worked out an agreement called Safe Harbor, which dictates how U.S. companies can collect personal information from citizens in EU states. U.S. companies wishing to do business with EU companies need to join Safe Harbor to avoid possible problems arising over the privacy of the personal data collected.

Safe Harbor participation is beneficial: U.S. companies are viewed as safe to do business with, and the program simplifies business operations. Nonparticipating corporations require prior approval from EU member states before an EU firm can transfer information to a non-Safe Harbor company. The data could be as simple as an individual’s Web preferences or much more valuable—a customer’s name, address, credit-card numbers, and spending patterns.

For those participating in Safe Harbor, prior approval will, in most cases, be waived.

“It eliminates many obstacles to doing business with European firms,” explained Beth Hutchison, VP of IS for a Massachusetts-based scientific equipment manufacturer. “It can speed up the entire business process.”

Another big benefit for participating U.S. firms is enhanced legal protection. Any claims brought against a U.S. company by an EU participant will be settled in the U.S. courts.

The seven Safe Harbor principles
A company must comply with seven principles within the context of Safe Harbor: notice, choice, onward transfer, access, security, data integrity, and enforcement. The following points provide a quick synopsis of the first three principles:

  • The notice principle requires that companies inform entities as to why personal data is being collected and how it will be used. It also requires that users be told how to contact the company with questions and how to report complaints concerning data use.
  • The choice principle requires that a company allow users to choose whether the primary company collecting the data can share the information with third parties. When it comes to sensitive information, the user must explicitly agree to let the information be shared.
  • Onward transfer has to do with how third parties handle the privacy of personal data. A Safe Harbor participant must ensure that any third parties receiving information abide by the notice and choice principles, even if that third party does not officially participate in Safe Harbor.

While straightforward in scope, some principles are burdensome for U.S. companies.

“We’ve decided we can’t be our own policemen and completely check out what all our partners are doing,” said one manager for an East Coast equipment distributor. “So, once we meet Safe Harbor requirements, we’ll be limiting ourselves to only sharing data with other Safe Harbor-approved companies. Unfortunately, this will significantly reduce the number of companies we share the [personal] data of our clients with.”

A mixed bag of requirements
While some of the principles are viewed as burdensome, companies seem to see no problem with adhering to others. For instance, the access principle requires that users have access to information collected and, in the event there is inaccurate data, that a company must provide individuals an opportunity to correct it—functions most companies already provide on their Web sites.

Most U.S. enterprises already abide by strict security requirements out of sheer competitiveness, as consumer wariness can negatively impact online business.

Under the security principle, companies must safeguard data from loss, misuse, unauthorized access, and destruction—a wise move for companies that want to keep their customers close and feeling safe about doing business.

Similarly, to meet the data integrity requirement, a company must keep personal data accurate and up to date. Many companies do this anyway, simply because it makes good business sense to have accurate information about their customers.

But few companies are adhering to last principle—enforcement. This principle requires that a company set up a way to enforce the Safe Harbor standards, which means that companies must provide a mechanism for complaints to be resolved. Most enterprises have not done this because the cost of building customer service teams and the legal staff necessary to pursue illegal actions is prohibitive.

Haste makes trouble
The challenges in meeting all the Safe Harbor requirements have pushed most U.S. firms away from compliance.

That doesn’t mean, however, that these same companies are not concerned about data privacy. In fact, the primary concern of U.S. companies is meeting current federal data privacy guidelines (which are not as stringent as Safe Harbor). For instance, any U.S. company doing e-business must post a privacy policy on its Web site.

And now, technical organizations, as well as software makers, are beginning to offer up privacy control tools for the online consumer. And while the intentions are good, some of these privacy control developments could lead to liability headaches for an enterprise.

One example is the World Wide Web Consortium’s (W3C) Platform for Privacy Preferences Project (P3P).

The P3P provides users with an automated system for increased control over the use of personal information. P3P code provides a succinct summary of the privacy practices of a Web site and lets visitors set site-specific privacy preferences, such as declining certain cookies. The system alerts users automatically if a site is trying to use a prohibited cookie.

Microsoft has jumped into the fray by enabling Internet Explorer (IE) 6, within XP, to automatically check a site’s privacy policy. When a user tries to access a Web site, IE 6 will look for P3P. If the site does not have P3P posted, IE 6 will take certain actions—from declining cookies to completely blocking access—to help protect the user’s privacy.

In response, some online enterprises have devised a workaround to Microsoft’s approach—they plug in any P3P code just to satisfy the IE 6 site check. And that’s where the legal problems can come in.

“The P3P language just doesn’t have the words or content built into it to protect a company from liability,” explained Benjamin Wright, a Dallas-based attorney and founding author of the book The Law of Electronic Commerce. “If you are going to have a privacy policy, state it in English and be very careful how you state it.”

He noted, for example, that in 1999, US Bancorp was forced to pay $7.5 million for misstatement in a privacy policy posted on its Web site. (For more information on P3P legal issues, check out Wright’s P3P site.)

Wright maintains that P3P language is inadequate for writing legal privacy policies and that companies depending on it for protection are foolish.

He’s even got his own workaround to the dilemma—a legal disclaimer he calls “disavow P3P.” This disclaimer is written as a free new code in the P3P syntax called DSA, for “disavow P3P and any liability it carries.” Wright’s Web site states, ” The idea behind DSA is that organizations can, with the age-old technique of a legal disclaimer, implement dummy P3P codes while nullifying their legal affect.” Wright says that the free DSA code is a good way to keep P3P privacy liability issues at a minimum while still allowing IE 6 users site access.

The DSA code would satisfy a browser query if P3P is posted on the site that the user wishes to access, but it does not put a company in jeopardy for misstatement in its privacy policy. The true corporate privacy policy, written with words and not the cryptic digital strings of P3P, would still be made available on the site.

As US Bancorp discovered the hard way, privacy concerns are a serious issue in light of growing e-commerce and an increasing online population. While Safe Harbor programs and vendor tools are certainly helping to address the privacy issue, there’s no one-size-fits-all solution to protect online consumers—or enterprises, for that matter. But staying aware and up to date on potential tools and services is clearly a mandate for today’s CIOs.

What is your enterprise doing to protect privacy?

Are you a Safe Harbor participant? If so, write and tell us how you’ve dealt with the principle requirements. If you have insight or tips to share, start a discussion below.