Protecting personal identifying information on the Web. (Legal).
The U.S. Congress has passed a range of specific legislation regarding consumer privacy (for example, for children's data, financial data, and health data), but Congress has not passed legislation regulating the treatment of personal identifying information in general. In the absence of such legislation, the Federal Trade Commission (FTC) issued guidelines in May 2000 suggesting policies on the collection and use of such information.
Throughout the late 1990s, the FTC encouraged self-regulatory industry efforts to protect consumers' privacy. But in May 2000, the FTC's position changed; it recommended federal legislation to ensure a minimum level of privacy protection for online consumers, stating that consumer-oriented commercial Web sites collecting personal identifying information online should be required to comply with the four widely accepted, government-imposed "fair information practice principles":
* notice (providing clear and conspicuous notice of the entity's information practices);
* choice (allowing options about how an individual's personal identifying information is used beyond the use for which the information was provided);
* access (providing the individual an opportunity to review, revise, and delete information collected about him or her); and
* security (taking reasonable steps to protect the security and integrity of the identifying information collected).
The bottom line, however, is that although voluntary compliance with the fair information practice principles is advisable, there is currently no enforced requirement in the United States as to how an association must collect, use, and protect general personal identifying information, other than in the specific categories covered by the legislation mentioned above.
Even if an association elects to voluntarily comply with the U.S. fair information practice principles as a means of demonstrating its commitment to protecting personal data, it must still evaluate whether compliance is an issue in other jurisdictions. A U.S. entity runs the risk of negative publicity and enforcement actions if it operates in a foreign jurisdiction and fails to comply with that jurisdiction's privacy requirements.
Stricter requirements abroad
One jurisdiction with stricter compliance requirements than the United States is the European Union, a regional, treaty-based organization that manages economic and political cooperation among the 15 EU member countries. In 1995 the EU adopted "European Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data," and member states were required to implement it by October 1998. The directive (a) controls "personal data" (any information relating to an identified or identifiable natural person) transferred both among and outside the member states; (b) creates a threshold for the treatment of personal data among member states by implementing common rules regarding the processing of personal data by businesses or administrations (such as collection, recording, organization, storage, adaptation or alteration, retrieval, and other operations performed on data); and (c) prohibits the transfer of personal data from member states to nonmember states that do not offer "adequate" privacy protection.
The directive reaches outside the EU because it applies to transborder data flows--information that flows between the EU and any other jurisdiction.
Because the United States did not have general Web site privacy legislation, it was not considered to offer "adequate" protection, and data transfers from EU member states to the United States were impeded. Hence, the U.S. Department of Commerce (DOC) negotiated with the European Commission to develop the "safe harbor" principles. Effective November 1, 2000, U.S. entities that meet the safe harbor requirements are presumed to provide adequate privacy protection and may legitimately receive personal data from individuals in EU member states. A U.S. entity qualifies ("self-certifies") for safe harbor protection if it abides by standards incorporating the EU directive's most important privacy principles: notice, choice, onward transfer, security, data integrity, access, and enforcement. An entity's safe harbor self-certification can apply to all personal data transferred from the EU, whether collected online or offline.
One glitch in the DOC's position on safe harbor applicability is that it does not apply to 501(c)(3) organizations. That is because the only organizations that may participate in the safe harbor are those subject to the jurisdiction of the FTC and U.S. air carriers and ticket agents subject to the jurisdiction of the Department of Transportation. Neither body has authority over 501(c)(3)s, and a government enforcement authority is a prerequisite for safe harbor participation. As a result, a 501(c)(3) organization that collects personal data from individuals in the EU must either comply fully with the EU directive or use the European Commission's approved standard contractual clauses, under which it commits to providing adequate safeguards for the transferred data.
Most organizations today are highly likely to collect, use, and store personal data from individuals in multiple countries. Organizations must review their procedures and goals to ensure that transborder data flows occur within the confines of each affected jurisdiction's laws.
Colleen Kotyk Vossler is an associate with the Technology Practice and Jerald A. Jacobs is a partner in the Non Profit Organizations Practice at the law firm of Shaw Pittman, Washington, D.C. Jacobs edits this column and is general counsel to ASAE.
Title annotation: in the US and European Union
Author: Jacobs, Jerald A.
Date: Feb 1, 2003