SECRET AGENTS.What data do U.S. companies doing business in Europe need to protect, and why? The European (EU) Directive on Data Privacy was adopted by the 15 member states of the European Union European Union (EU), name given since the ratification (Nov., 1993) of the Treaty of European Union, or Maastricht Treaty, to the European Community to harmonize the protection of personal data. It seeks to regulate the processing of personal information under a set of quality principles and standards and prohibit the transfer of such data by companies to countries that don't adequately adhere to adhere to verb 1. follow, keep, maintain, respect, observe, be true, fulfil, obey, heed, keep to, abide by, be loyal, mind, be constant, be faithful 2. these guidelines guidelines, n.pl a set of standards, criteria, or specifications to be used or followed in the performance of certain tasks. . It's been over a year since the directive became law, yet U.S. companies doing business in Europe are still searching for a solution to the issue of compliance, as the U.S. has been categorized cat·e·go·rize tr.v. cat·e·go·rized, cat·e·go·riz·ing, cat·e·go·riz·es To put into a category or categories; classify. cat as offering "inadequate" protection. During the early days, it became clear that the U.S., unlike some other non-European countries, wasn't going to imitate im·i·tate tr.v. im·i·tat·ed, im·i·tat·ing, im·i·tates 1. To use or follow as a model. 2. a. the European model of national regulation and authority, but would continue to fine-tune its own data protection regime based on sectoral regulation, self regulation and individual choice. In addition, the U.S. came to accept that Europeans see privacy as a fundamental human right - and data protection as an essential means to protecting that right. The directive does allow companies alternatives, such as the use of consent forms, codes of practice and contracts. Unfortunately, no one solution can encompass all the data-processing requirements of a company vis-a-vis personal information. In a model contracts project launched in 1998, privacy experts from 60 leading U.S. companies drafted a model contract for approval by the EU data protection authorities. The model contract is a framework designed to ensure data protection, and it outlines a means of enforcement between affiliates of U.S. companies operating in the EU nation and the corporate unit in the U.S. Over the last 12 months, the U.S. Department of Commerce has also been trying to persuade European officials to accept a system under which U.S. companies would adopt a code of behavior Noun 1. code of behavior - a set of conventional principles and expectations that are considered binding on any person who is a member of a particular group code of conduct and be allowed to regulate themselves. The "safe harbor Safe Harbor 1. A legal provision to reduce or eliminate liability as long as good faith is demonstrated. 2. A form of shark repellent implemented by a target company acquiring a business that is so poorly regulated that the target itself is less attractive. " concept would have a set of privacy principles to which companies would voluntarily adhere. These principles include the notification to individuals about whom information is being gathered, what type of information is being collected, why it's being assembled and who will receive the data. Individuals would be given an "opt out" mechanism that would let them determine the use of personal data. In December 1999, the working party created to advise the EU commission on the implementation of the EU directive (European Union Directive) A set of privacy requirements that took effect in 1998 and ordered European member nations to enact compliant legislation. It deals with the establishment of Data Protection Authorities, people's rights to personal information and enforcement. posted its opinion that the most recent safe harbor package released in mid-November was unsatisfactory. In its concluding remarks, the working party encourages the U.S. to clarify the scope of safe harbor; provide clear identification of participants; ensure enforcement by a public entity for all participants; establish procedures to forward unresolved complaints to that entity; and narrow the exemptions and exceptions in this recent draft. It's perfectly clear that, even today, the safe harbor concept is far from being universally accepted. In fact, data privacy experts disagree as to whether these negotiations will ultimately be successful. Discussions between a delegation of the model contracts project and the German data protection officials last April also reminded U.S. firms that the Germans view the model contract as the preferred course in lieu of Instead of; in place of; in substitution of. It does not mean in addition to. waiting for the safe harbor outcome. This will form an excellent implication of future compliance, if and when the safe harbor discussions lead to an agreement. Irrespective of irrespective of prep. Without consideration of; regardless of. irrespective of preposition despite the outcome of any of these alternatives, doing nothing is not an option for U.S. companies. If one wishes to continue to do business in the global arena, one should at the least do the following: * Know what information is being collected; * Understand the specific country regulations under the directive; * Know what to do when any data are being transferred outside the country; * Know which employees have access to personal data; * Ensure customers and employees are aware of their legal rights; and * Stay aware. Data Privacy and Financial Systems Data privacy issues may affect a number of areas of financial record-keeping, but the most common are customers, vendors and employees. Customers There are two types of customer: corporate and individual. While privacy issues relating to relating to relate prep → concernant relating to relate prep → bezüglich +gen, mit Bezug auf +acc corporate customers exist -- and these are essentially the same as for vendors -- the more difficult problems arise when dealing with individuals. This is because data privacy legislation is primarily directed at protecting the rights of individuals rather than corporations, with the underlying assumption that information is sacrosanct sac·ro·sanct adj. Regarded as sacred and inviolable. [Latin sacr  s to the individual concerned and shouldn't be used in a way that infringes on his or her personal right to privacy. Unfortunately, the manner of dealing with privacy issues is more complex in the case of individuals. The most common information maintained in an accounts-receivable system is name, address, telephone number, fax number and mail address. All such data are considered as personal information by the legislation and require adequate protection. In addition, personal financial information -- like credit card particulars -- may also be stored. In short, the control and protection of individual personal data is imperative. Dealing with data privacy may take different forms, depending on the way business is conducted with the customer. Among the most common are personal contact (in the case of retail operations), telephone/mail contact (in the case of mail-order shopping) and electronic contact (home shopping Home Shopping commonly refers to the electronic retailing / home shopping channels industry, which includes such billion dollar companies as HSN, QVC, eBay, ShopNBC, Buy.com, and Amazon.com. on the Internet). In all cases in which the maintenance of customer information would infringe in·fringe v. in·fringed, in·fring·ing, in·fring·es v.tr. 1. To transgress or exceed the limits of; violate: infringe a contract; infringe a patent. 2. on the data privacy laws, the customer should be made aware of the following: * Personal information is being stored in a manner which may be in contravention A term of French law meaning an act violative of a law, a treaty, or an agreement made between parties; a breach of law punishable by a fine of fifteen francs or less and by an imprisonment of three days or less. In the U.S. of data privacy legislation; * The corporation has a data privacy policy aimed at protecting the customer from improper use of this personal information; * The customer has access to the corporation's data privacy policy, and it will be forwarded to the customer should it be required; and * The customer, by entering into the transaction, has acquiesced to the information being used within the realm of the corporation's data privacy policy. Communication of this information may vary according to according to prep. 1. As stated or indicated by; on the authority of: according to historians. 2. In keeping with: according to instructions. 3. business circumstances. In a retail operation, the company might keep brochures summarizing the data privacy policy at each retail outlet retail outlet n → punto de venta retail outlet n → point m de vente retail outlet retail n → , and display notices referring to the availability of these brochures at payment positions. In a mail-order business, the catalog catalog, descriptive list, on cards or in a book, of the contents of a library. Assurbanipal's library at Nineveh was cataloged on shelves of slate. The first known subject catalog was compiled by Callimachus at the Alexandrian Library in the 3d cent. B.C. might refer to the availability of data privacy policy brochures; a telesales telesales Noun the selling of a commodity or service by telephone telesales npl → televentas fpl telesales npl → operator could reinforce the message at the time of sale. For Internet transactions, it's probably easiest to give users a hypertext hypertext, technique for organizing computer databases or documents to facilitate the nonsequential retrieval of information. Related pieces of information are connected by preestablished or user-created links that allow a user to follow associative trails across the link to the corporation's data privacy policy web site. In all three cases, it's advisable to include a clause on the invoice affirming that the conclusion of the sale will be evidence that the customer agrees to the use of personal information as delineated de·lin·e·ate tr.v. de·lin·e·at·ed, de·lin·e·at·ing, de·lin·e·ates 1. To draw or trace the outline of; sketch out. 2. To represent pictorially; depict. 3. in the corporation's privacy policy. Remember: These solutions don't represent legal opinions, but rather the personal views of privacy experts and related proponents of privacy policy. Thus, seek legal advice when deciding on the solution most appropriate for your business. Vendors It's unusual, though not impossible, for vendors to be individuals. Most vendors are corporations, and hence the majority of information retained won't be affected by the data privacy regulations. The most common exception will be contact information, i.e., details of individuals with whom the corporation deals on a regular basis. This is also the kind of information that might be maintained in the case of corporate customers. If the kind of information maintained contravenes the data privacy regulations, it's incumbent on the corporation to handle vendors as it does customers: Make the affected party aware of the situation, direct him or her to the corporation's privacy policy and acquire consent regarding the intended use of the information. A letter to the individual -- inviting him or her to inform the corporation if he or she has any objection to the use of the personal data in the manner the policy describes -- might be the best way to obtain agreement. Employees Employee information is generally maintained in the corporation's human resources The fancy word for "people." The human resources department within an organization, years ago known as the "personnel department," manages the administrative aspects of the employees. systems, and the necessary data privacy arrangements usually will be managed in this context. However, there may be instances where employee personal information resides in an organization's financial systems. The most commonly referenced sources of information are employee loans and payroll data. In these cases, it's probably advisable to issue a similar letter to that used for vendor/customer contacts, except that a positive rather than negative response may be required. That is, the employee is asked to sign a copy of the letter to verify awareness of and acquiescence Conduct recognizing the existence of a transaction and intended to permit the transaction to be carried into effect; a tacit agreement; consent inferred from silence. to the corporation's policy. Public policy and technology tools, global or otherwise, which protect and maintain an individual's privacy vis-a-vis his or her personal information -- be it sex, age, medical history, salary level, credit card information, buying patterns, etc. -- is a serious and private matter. In addition, a consumer's consent regarding the use of personal data is an emerging trend of paramount relevance to an organization's ability to distribute and utilize information. In this vein, organizations from across the globe must take responsibility for the use and circulation of personal information, irrespective of the fact that there appears to be a lack of universal policy consent at the moment. It's important that organizations that retain individual and/or corporate information develop privacy policies and take concrete steps to make the details of these policies available at the point of transaction. To this end, corporations and other entities that have access to and record the private data of individuals have a profound duty to safeguard this information and to use it only in recognized and proper activities. In addition, given that the European Union currently leads the way in developing privacy policies, corporations based in America that do business in Europe must be especially conscientious about privacy procedures. An organization that commits to a position at the vanguard of the privacy movement will be poised to take superior advantage of global Internet commerce and related technological innovations. It will be able to serve its customers in a safe and effective manner, and be better able to conform to Verb 1. conform to - satisfy a condition or restriction; "Does this paper meet the requirements for the degree?" fit, meet coordinate - be co-ordinated; "These activities coordinate well" privacy regulations as they evolve. Anne Clifford is a senior global strategist strat·e·gist n. One who is skilled in strategy. Noun 1. strategist - an expert in strategy (especially in warfare) strategian market strategist - someone skilled in planning marketing campaigns with The Hunter Group, a Renaissance Worldwide Company. She recently co-authored a while paper on data privacy, "The European Union Directive on Data Privacy and Its Impact on Global Information Systems in U.S. Corporations." Peter Weinberga is director of the global strategies and solutions practice of The Hunter Group. |
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion