
Protecting personal identifying information on the Web. (Legal).

Whether an association is slowly migrating to the online world or is already heavily engaged in e-commerce activities, it is essential that those who use the Web site are comfortable that personal identifying information collected on the site is being adequately protected. Personal identifying information is any information that can be used to identify or locate an individual, including name; Social Security number; e-mail or postal address; or telephone, fax, or credit card number. Privacy remains a hallmark of successful Internet communication and e-commerce. Throughout the world, countries impose different standards on how individuals' privacy must be protected. In this column, Colleen Kotyk Vossler describes the legal landscape for Web site privacy in the United States and the European Union.

The U.S. Congress has passed a range of specific legislation regarding consumer privacy (covering, for example, particular sectors and categories of data), but Congress has not passed legislation regulating the treatment of personal identifying information in general. In the absence of such legislation, the Federal Trade Commission (FTC) issued recommendations in May 2000 on the collection and use of such information.

U.S. guidelines

Throughout the late 1990s, the FTC encouraged self-regulatory industry efforts to protect consumers' privacy. But in May 2000, the FTC's position changed; it recommended federal legislation to ensure a minimum level of privacy protection for online consumers, stating that consumer-oriented commercial Web sites collecting personal identifying information online should be required to comply with the four widely accepted "fair information practice principles":

* notice (providing clear and conspicuous notice of the site's information practices);

* choice (allowing options about how an individual's personal identifying information is used beyond the use for which the information was provided);

* access (providing the individual an opportunity to review, revise, and delete information collected about him or her); and

* security (taking reasonable steps to protect the security of the identifying information collected, and stating what those steps are).

The bottom line, however, is that although voluntary compliance with the fair information practice principles is advisable, there is currently no enforced requirement in the United States as to how an association must collect, use, and protect general personal identifying information, other than in the specific categories covered by the legislation mentioned above.

Even if an association elects to voluntarily comply with the U.S. fair information practice principles as a means of demonstrating its commitment to protecting personal data, it must still evaluate whether compliance is an issue in other jurisdictions. A U.S. entity runs the risk of negative publicity and enforcement actions if it operates in a foreign jurisdiction and fails to comply with that jurisdiction's privacy requirements.

Stricter requirements abroad

One jurisdiction with stricter compliance requirements than the United States is the European Union, a regional, treaty-based organization that manages economic and political cooperation among the 15 EU member countries. In October 1995, the EU adopted "Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data," which member states were required to implement by October 1998. The directive (a) controls "personal data" (any information relating to an identified or identifiable natural person) transferred both among and outside the member states; (b) creates a threshold for the treatment of personal data among member states by implementing common rules regarding the processing of personal data by businesses or administrations (such as collection, recording, organization, storage, adaptation or alteration, retrieval, and other operations performed on data); and (c) prohibits the transfer of personal data from member states to nonmember states that do not offer "adequate" privacy protection.

In general, the directive applies to the processing of personal data by either automatic or manual means, and it singles out a category of sensitive data: data that reveals one's racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and data concerning health or sex life. Ordinary personal data may be processed only on a lawful basis, the most common being the data subject's unambiguous consent. Sensitive data is subject to a stricter rule: its processing is prohibited except in certain circumstances, such as where (a) the data subject has given explicit consent to the processing or (b) the processing is carried out in the course of legitimate activities (1) with appropriate guarantees by a foundation, association, or any other non-profit-seeking body with a political, philosophical, religious, or trade union aim, (2) on condition that the processing relates solely to the members of the body or to people who have regular contact with it in connection with its purposes, and (3) that the data are not disclosed to a third party without the consent of the data subjects. For example, an association that collects personal data from its international membership but fails to permit the members to choose whether the association can use the personal data for purposes other than those specified in a privacy policy runs afoul of the directive.

Transborder implications

The directive reaches outside the EU because it applies to transborder data flows--information that flows between the EU and any other jurisdiction.

Because the United States did not have general Web site privacy legislation, data transfers from EU member states to the United States were impeded. Hence, the U.S. Department of Commerce (DOC) negotiated with the European Commission to develop the "safe harbor" principles. Effective November 1, 2000, U.S. entities that meet the safe harbor requirements are presumed to provide adequate privacy protection and may legitimately receive personal data from individuals in EU member states. A U.S. entity qualifies for safe harbor protection by self-certifying to the DOC that it abides by standards incorporating the EU directive's most important privacy principles: notice, choice, onward transfer, security, data integrity, access, and enforcement. An entity's safe harbor self-certification can apply to all personal data transferred from the EU, whether collected online or offline.

One glitch in the DOC's position on safe harbor applicability is that it does not apply to 501(c)(3) organizations. That is because the only organizations that may participate in the safe harbor are those subject to the jurisdiction of the FTC, along with U.S. air carriers and ticket agents subject to the jurisdiction of the Department of Transportation. Neither body has authority over 501(c)(3)s, and an enforcement authority is a prerequisite for safe harbor participation. As a result, a 501(c)(3) organization that collects personal data from those in the EU must either comply fully with the EU's directive or use certain approved contractual clauses under which it undertakes to provide adequate safeguards.

For U.S. entities attempting to take advantage of the safe harbor in collecting personal data from those in the EU, various steps are involved. The most essential step is the posting of a privacy policy that (a) explicitly states what types of personal data the organization collects and how the organization will use them and (b) offers the individual an opportunity to choose, via an opt-in or opt-out mechanism, whether to permit such use.

Most organizations today have a high likelihood of collecting, using, and storing personal data from individuals in multiple countries. Organizations must review procedures and goals to ensure that transborder data flows occur within the confines of multiple jurisdictions' laws.

Colleen Kotyk Vossler is an associate with the Technology Practice and Jerald A. Jacobs is a partner in the Non Profit Organizations Practice at the law firm of Shaw Pittman, Washington, D.C. Jacobs edits this column and is general counsel to ASAE.
COPYRIGHT 2003 American Society of Association Executives

Article Details
Title Annotation: in the US and European Union
Author: Jacobs, Jerald A.
Publication: Association Management
Date: Feb 1, 2003