Global commerce and the privacy clash: there are critical gaps in the privacy rights laws of Europe and the United States that pose a major challenge to companies embracing global commerce. (Global Outlook)
A U.S. software company sets up operations in 25 countries worldwide: some in Europe, others in Asia, one in Australia. In the United States, there are no provisions the company must abide by regarding the use of customer personal data gathered by its Internet service provider as its customers shop. However, Australian law, specifically the Privacy Amendment Act of 2000, provides that personal information cannot be collected without the consent of the person giving it. It further provides that the information must be kept confidential and "cannot be transferred to another country that does not have privacy protection." This provision means that the U.S. company's Australian subsidiary cannot transfer the information it collects from consumers in Australia to the U.S. parent -- since there is no privacy protection in the United States. This same clash is likely between the United States and countries that form the European Union (E.U.), which includes Austria, Belgium, Denmark, Finland, Germany, Greece, Ireland, Italy, France, United Kingdom, Luxembourg, Portugal, Spain, Sweden, and The Netherlands.
Privacy rules are strikingly different in the European Union, and the differences threaten to hamper the ability of U.S. companies to engage in transactions with E.U. countries without risk of incurring penalties. Like Australia, European rules forbid the transfer of personal data to a country that does not provide a level of protection similar to its own. Therefore, the prospect looms that U.S. companies can be denied access to information from their own European subsidiaries or other companies located in Europe.
E.U. Directive 95/46/EC, which was adopted in 1998 and became applicable to the United States in 2001, was devised in Europe after it was recognized that some E.U. member states did not have privacy protection, while others had incompatible laws. To address this problem, the European Parliament issued the directive so that member states could harmonize their laws, assuring that all states have the same provisions regarding protection of personal data. The directive's significant feature is that the data subject (i.e., the person from whom data is collected) must unambiguously give consent for personal data to be collected after being informed about the purposes for which the data will be used.
Otherwise, the European Union will allow personal data to be collected and processed only if:
* the data is necessary for the performance of a contract
* its processing is required by a legal contract
* the data is critical to the person's life -- for example, taking blood from an unconscious person after an accident
* the data is necessary for a public interest, such as collection of taxes
* the controller or third party has a legitimate interest in doing so -- striking a balance between the business interests of the controller and the privacy of the person
However, the European Union expressly prohibits asking for "sensitive information," which is defined as the person's racial or ethnic origin, political opinions, religious beliefs, trade union membership, and sexual preference. Such data cannot be processed unless specific consent has been given. The E.U. directive also applies to invisible collection of personal data, such as "cookies" that collect information on a person's Web surfing habits.
The directive makes special provision for situations when personal data will be used for direct mailings. E.U. member states must give data subjects the right to object to personal data use for direct mailing purposes. More significantly, data subjects must be informed that data will be used for direct mailing. The E.U. rules apply even if the person providing data is located outside of the European Union if the data will be processed in an E.U. member state.
Collection of personal data becomes an international issue because of the Internet, the primary instrument that makes it possible to send personal data from one continent to another in a millisecond. Via the Internet, a company located in one country with one set of privacy rules can send personal data about an individual -- or a database of millions of individuals -- to other firms in more than 150 countries worldwide. Each recipient's country may have different privacy laws or no laws at all.
In order to bridge these different privacy approaches, the U.S. Department of Commerce, in consultation with the European Commission, developed the Safe Harbor provision by which U.S. companies can avoid sanctions. The Safe Harbor plan lets Europe certify that U.S. companies meet E.U. guidelines for privacy protection. Without that negotiated agreement, the $350 billion U.S./E.U. trade could be threatened. Instead of being a legislative enactment by Congress, Safe Harbor was established as a voluntary program administered by the Department of Commerce. Certifying compliance with the Safe Harbor is supposed to ensure that E.U. businesses know which U.S. companies provide adequate privacy protection as defined by the directive.
The question is whether this voluntary program will remain acceptable to the E.U., since fewer than 75 U.S. companies had signed up for it as of mid-2001. This may be because it opens them up to scrutiny by the U.S. Federal Trade Commission (FTC) if a complaint is lodged against them. Because of this, privacy groups in the United States will probably push for a legislative mandate in the near future.
How and when the European Union would enforce the agreement remains unclear. One unexpected complication is that not all E.U. countries have complied with the directive; France, Ireland, and Luxembourg had not enacted any privacy laws as of mid-2001. Sweden, on the other hand, believes that the Safe Harbor provision is inadequate, deficient, and not in compliance with the E.U. directive. Practically speaking, if E.U. member countries' laws are not up to standard, it will be politically difficult for the European Union to impose penalties on U.S. companies, and countries like Sweden may object to data transfers even if a U.S. company has signed on to Safe Harbor. In the United States, some say that the Safe Harbor agreement may not meet legal muster because the FTC does not appear to have authority to protect foreign consumers' rights in the United States.
In the meantime, U.S. companies operating in Europe should be very careful. Customers must be informed of the identity of the entity collecting the data, the purposes for the processing, and the recipients of the data collected, as well as any rights they may have. Customers have the right to receive a copy of this information even if the data was acquired directly or indirectly from a third party. If it is not accurate or was unlawfully processed, the data subject has the right to have it corrected, blocked, or erased. The subject can even require that third parties that may have seen the incorrect data be notified. The onus throughout will be on the data user or the member states to justify their application.
Also, E.U. authorities retain powers to intervene in certain cases. For example, if a private sector dispute resolution body found that a company had seriously violated the principles, but the company contested the finding and the case was referred to the FTC, the E.U. authorities could suspend data transfers to that company until the matter was resolved.
Also, if evidence of non-compliance accumulates, and the European Union feels that the relevant U.S. enforcement body is not doing its job properly and that letting transfers continue risks causing grave harm to data subjects, E.U. authorities can again suspend transfers. The commission could subsequently change the Safe Harbor decision to exclude an ineffective U.S. enforcement body.
One of the self-regulating privacy watchdogs is TRUSTe, which has set up a special TRUSTe stamp, similar to its current seal, indicating that a Web site has received E.U. Safe Harbor certification. TRUSTe has published its opinion that Safe Harbor will lead to an improvement of privacy as companies come under the threat of not being able to sell or use their data wares at the global level. Companies that want to compete globally will be strongly motivated to comply with the law, and global brands will want to manage their reputations, which can be threatened by evidence of wanton disregard for the law. Safe Harbor gives them the opportunity to balance business interests with government demands.
That may, in fact, be happening. Microsoft, Intel, Hewlett-Packard, and Procter & Gamble have signed on to Safe Harbor and recently pledged to provide European-grade privacy protection to their customers in the United States and around the world, even though no law requires them to do so.
Although Safe Harbor only pertains to what companies do with the personal data of citizens within the European Union, the E.U. laws are having a spillover effect to the benefit of U.S., Asian, and Latin American consumers doing business with these trend-setting, global U.S. companies. The impact of Microsoft and Intel signing up will make it harder for other U.S. companies to avoid signing on if they want to maintain their customer base as consumers become more aware of privacy issues, identity theft, and related issues. This race to increase standards is a process called "trading up," and the spread of European data protection standards into the United States and elsewhere is a classic example of the theory in motion.
But in Europe, not all are happy with the E.U. directive or even Safe Harbor. A British civil liberties watchdog called Statewatch grabbed headlines recently with dire predictions that the European Union is about to grant Euro-police sweeping new surveillance powers. The report portrays Europe on the brink of an Orwellian catastrophe, in which all phone, fax, wireless, and Internet traffic records would be archived and accessible to law enforcement for seven years. It cites a British report that recommends increased data retention. Some feel that this is an outgrowth of the Council of Europe's proposed Cyber-crime Convention.
The Council of the European Union wants to give European police broader access to information about the e-mail and Internet patterns of the continent's citizens. Under present law, Internet service providers are required to maintain the network data only as long as necessary for billing. Under the new proposal, police would be able to access the data simply by asking for it -- no court order would be necessary. It would give the police a map of a person's business and personal life without restrictions. It remains to be seen if the European Parliament will approve this proposal, but after the September 11 terrorist attacks in the United States and the discovery that the terrorists used the Internet to plot the attacks, its chances of passage could be vastly improved.
The area of privacy, both online and offline, is becoming an urgent issue of the 21st century. Indications are that the United States will eventually follow the privacy standards initiated in the European Union, initially through the voluntary Safe Harbor provision but very possibly through some additional form of mandatory rules. Some clear exceptions will apply in the area of police protection due to terrorism, but eventually the E.U. directive on the collection and use of personal data may become standardized in the United States and Europe. That will then leave open the question of privacy in Asia as it becomes the fastest growing sector of Internet users in the 21st century.
At the Core
This article:
* Examines privacy differences between the United States and the European Union that affect e-commerce
* Shows the impact of privacy legislation, such as Safe Harbor
* Analyzes other privacy trends and their impact on global commerce
What U.S. and European Companies Need to Know
* How will data controllers in Europe know which companies in the U.S. can receive data?
The U.S. Department of Commerce will hold (or designate some entity to hold) a list of organizations that have joined the Safe Harbor. The list will also make clear if any harborites lose their Safe Harbor status because they have not complied with the rules. The list will be publicly available, including online.
* How will U.S. companies get on the list?
By means of a self-certification process that can be done online. The process asks questions, such as an organization's name, the corporate officer in charge of compliance, URL address to its privacy policy, the kind of data collected, and whether the firm is willing to "cooperate with the E.U. Data Protection Authority." Note that under U.S. self-certification, companies are not obliged to show that they actually conform to the Safe Harbor principles before they sign up, though some other privacy programs do involve independent verification of conformity before companies can sign up. When they self-certify, companies will have to identify their enforcement bodies so that anybody who has a problem knows where to go to make a complaint by consulting the list.
* How does a European company or European subsidiary of a U.S. company ensure that data transferred to U.S. companies within the Safe Harbor will not be passed on to others outside the Safe Harbor where data is not protected?
One of the Safe Harbor rules is that data transfers to third parties can only be made if the individual has first been given the opportunity to prevent it. The only exception to this rule is when the disclosure is made to a third party acting as an agent under instructions from the harborite. In this case, the disclosure can be made either to other harborites or to companies that have undertaken contractual obligations to observe similar standards.
* Since this is a voluntary system, who will make sure that the rules are, in fact, observed?
Many U.S. companies in the Safe Harbor will have their compliance checked annually by an independent body, but this is not obligatory so as not to discourage small and medium-sized enterprises from signing up. For them, there are rules about how to conduct effective self-verification. Beyond that, enforcement will largely be through alternative dispute resolution mechanisms. Independent private sector bodies will investigate and try to resolve complaints. If harborites fail to comply with the rulings of these bodies, cases will be referred to the FTC or the Department of Transportation, which have legal powers to oblige them to comply. Serious cases of non-compliance will result in companies being struck off the Department of Commerce's list. This means that they will no longer receive data transfers from the E.U. under the Safe Harbor arrangement.
Read More About It
"Clarity on Communications Data Retention Law," 2000. Available at www.statewatch.org/news/dec00/02ncis.htm (a British report that recommends increased data retention)
Council of Europe at press.coe.int/cp/2001/456a%282001%29.htm (Council of Europe press release about final draft of a convention on cyber-crime)
TRUSTe at www.truste.org (provides information about the privacy watchdog group, TRUSTe)
U.S. Department of Commerce at web.ita.doc.gov/safeharbor/shreg.nsf/safeharbor?openform (provides information about certifying as an organization that adheres to Safe Harbor)
Michael Fjetland, J.D., is an International Attorney for the International Legal Group and has negotiated in more than 60 countries. He can be reached at Fjet2020@aol.com.