
Protecting personal identifying information on the Web. (Legal).


Whether an association is slowly migrating to the online world or is already heavily engaged in e-commerce activities, it is essential that those who use the Web site are comfortable that personal identifying information collected on the site is being adequately protected. Personal identifying information is any information that can be used to identify or locate an individual, including name; Social Security number; e-mail or postal address; or telephone, fax, or credit card number. Privacy remains a hallmark of successful Internet communication and e-commerce. Throughout the world, countries impose different standards on how individuals' privacy must be protected. In this column, Colleen Kotyk Vossler describes the legal landscape for Web site privacy in the United States and the European Union.

The U.S. Congress has passed a range of specific legislation regarding consumer privacy, but Congress has not passed legislation regulating the treatment of personal identifying information in general. In the absence of legislation, the Federal Trade Commission (FTC) issued guidelines in May 2002 suggesting policies on the collection and usage of such information.

U.S. guidelines

Throughout the late 1990s, the FTC encouraged self-regulatory industry efforts to protect consumers' privacy. But in May 2000, the FTC's position changed; it recommended federal legislation to ensure a minimum level of privacy protection for online consumers, stating that consumer-oriented commercial Web sites collecting personal identifying information online should be required to comply with the four widely accepted, government-imposed "fair information practice principles":

* notice (providing clear and conspicuous notice of information practices);

* choice (allowing options about how an individual's personal identifying information is used beyond the use for which the information was provided);

* access (providing the individual an opportunity to review, revise, and delete information collected about him or her); and

* security (stating the reasonable steps companies take to protect the security of the identifying information collected).

The bottom line is, however, that although voluntary compliance with the fair information practice principles is advisable, there is currently no enforced requirement in the United States as to how an association must collect, use, and protect general personal identifying information, other than in the aforementioned categories.

Even if an association elects to voluntarily comply with the U.S. fair information practice principles as a means of demonstrating its commitment to protecting personal data, it must still evaluate whether compliance is an issue in other jurisdictions. A U.S. entity runs the risk of negative publicity and enforcement actions if it operates in a foreign jurisdiction and fails to comply with that jurisdiction's privacy requirements.

Stricter requirements abroad

One jurisdiction with stricter compliance requirements than the United States is the European Union, a regional, treaty-based organization that manages economic and political cooperation among the 15 EU member countries. In October 1998, the EU approved the "European Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data." The directive (a) controls "personal data" (any information relating to an identified or identifiable natural person) transferred both among and outside the member states; (b) creates a threshold for the treatment of personal data among member states by implementing common rules regarding the processing of personal data by businesses or administrations (such as collection, recording, organization, storage, adaptation or alteration, retrieval, and other operations performed on data); and (c) prohibits the transfer of personal data from member states to nonmember states that do not offer "adequate" privacy protection.

In general, the directive applies to the processing of personal data--including sensitive data or data that reveals one's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health condition, or sexual activities--by either automatic or manual means. Personal data may not be processed without the data subject's unambiguous consent, except in certain circumstances, such as an instance in which (a) the data subject has given his consent to the processing of the data or (b) processing is carried out in the course of legitimate activities (1) with appropriate guarantees by a foundation, association, or any other non-profit-seeking body with a political, philosophical, religious, or trade union aim, (2) on condition that the processing relates solely to the members of the body or to people who have regular contact with it in connection with its purposes, and (3) that the data are not disclosed to a third party without the consent of the data subjects. For example, an association that collects personal data from its international membership but fails to permit the members to select whether the association can use the personal data for purposes other than those specified in a privacy policy runs afoul of the directive.

Transborder implications

The directive reaches outside the EU because it applies to transborder data flows--information that flows between the EU and any other jurisdiction.

Because the United States did not have general Web site privacy legislation, data transfers from EU member states to the United States were impeded. Hence, the U.S. Department of Commerce (DOC) negotiated with the European Commission to develop the "safe harbor" principles. Effective November 1, 2000, U.S. entities that meet the safe harbor requirements are presumed to provide adequate privacy protection and may legitimately receive personal data from individuals in EU member states. A U.S. entity qualifies ("self-certifies") for the safe harbor protection if it abides by standards incorporating the EU directive's most important privacy principles: notice, choice, onward transfer, security, data integrity, access, and enforcement. An entity's self-certification of the safe harbor can apply to all personal data transferred from the EU, whether collected online or offline.

One glitch in the DOC's position on safe harbor applicability is that it does not apply to 501(c)(3) organizations. That is because the only organizations that may participate in the safe harbor are those subject to the jurisdiction of the FTC and U.S. air carriers and ticket agents subject to the jurisdiction of the Department of Transportation. Neither body has authority over 501(c)(3)s, and enforcement authority is necessary for safe harbor compliance. As a result, a 501(c)(3) organization that collects personal data from those in the EU must either comply fully with the EU's directive or use certain approved contractual clauses indicating that they provide adequate safeguards.

For U.S. entities attempting to take advantage of the safe harbor in collecting personal data from those in the EU, various steps are involved. The most essential step is the posting of a privacy policy which (a) explicitly states what type of personal data the organization collects and how the organization will use the personal data and (b) offers the individual an opportunity to select via an opt-in or opt-out mechanism if the individual will permit such use.

Most organizations today have a high likelihood of collecting, using, and storing personal data from individuals in multiple countries. Organizations must review procedures and goals to ensure that transborder data flows occur within the confines of multiple jurisdictions' laws.

Colleen Kotyk Vossler is an associate with the Technology Practice and Jerald A. Jacobs is a partner in the Non Profit Organizations Practice at the law firm of Shaw Pittman, Washington, D.C. Jacobs edits this column and is general counsel to ASAE.
COPYRIGHT 2003 American Society of Association Executives
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2003, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.


Article Details
Title Annotation: in the US and European Union
Author: Jacobs, Jerald A.
Publication: Association Management
Geographic Code: 1USA
Date: Feb 1, 2003
Words: 1206