Printer Friendly


What data do U.S. companies doing business in Europe need to protect, and why?

The European (EU) Directive on Data Privacy was adopted by the 15 member states of the European Union to harmonize the protection of personal data. It seeks to regulate the processing of personal information under a set of quality principles and standards and prohibit the transfer of such data by companies to countries that don't adequately adhere to these guidelines.

It's been over a year since the directive became law, yet U.S. companies doing business in Europe are still searching for a solution to the issue of compliance, as the U.S. has been categorized as offering "inadequate" protection.

During the early days, it became clear that the U.S., unlike some other non-European countries, wasn't going to imitate the European model of national regulation and authority, but would continue to fine-tune its own data protection regime based on sectoral regulation, self regulation and individual choice. In addition, the U.S. came to accept that Europeans see privacy as a fundamental human right - and data protection as an essential means to protecting that right.

The directive does allow companies alternatives, such as the use of consent forms, codes of practice and contracts. Unfortunately, no one solution can encompass all the data-processing requirements of a company vis-a-vis personal information.

In a model contracts project launched in 1998, privacy experts from 60 leading U.S. companies drafted a model contract for approval by the EU data protection authorities. The model contract is a framework designed to ensure data protection, and it outlines a means of enforcement between affiliates of U.S. companies operating in the EU nation and the corporate unit in the U.S.

Over the last 12 months, the U.S. Department of Commerce has also been trying to persuade European officials to accept a system under which U.S. companies would adopt a code of behavior and be allowed to regulate themselves. The "safe harbor" concept would have a set of privacy principles to which companies would voluntarily adhere. These principles include the notification to individuals about whom information is being gathered, what type of information is being collected, why it's being assembled and who will receive the data. Individuals would be given an "opt out" mechanism that would let them determine the use of personal data.

In December 1999, the working party created to advise the EU commission on the implementation of the EU directive posted its opinion that the most recent safe harbor package released in mid-November was unsatisfactory. In its concluding remarks, the working party encourages the U.S. to clarify the scope of safe harbor; provide clear identification of participants; ensure enforcement by a public entity for all participants; establish procedures to forward unresolved complaints to that entity; and narrow the exemptions and exceptions in this recent draft. It's perfectly clear that, even today, the safe harbor concept is far from being universally accepted. In fact, data privacy experts disagree as to whether these negotiations will ultimately be successful.

Discussions between a delegation of the model contracts project and the German data protection officials last April also reminded U.S. firms that the Germans view the model contract as the preferred course in lieu of waiting for the safe harbor outcome. This will form an excellent implication of future compliance, if and when the safe harbor discussions lead to an agreement.

Irrespective of the outcome of any of these alternatives, doing nothing is not an option for U.S. companies. If one wishes to continue to do business in the global arena, one should at the least do the following:

* Know what information is being collected;

* Understand the specific country regulations under the directive;

* Know what to do when any data are being transferred outside the country;

* Know which employees have access to personal data;

* Ensure customers and employees are aware of their legal rights; and

* Stay aware.

Data Privacy and Financial Systems

Data privacy issues may affect a number of areas of financial record-keeping, but the most common are customers, vendors and employees.


There are two types of customer: corporate and individual. While privacy issues relating to corporate customers exist -- and these are essentially the same as for vendors -- the more difficult problems arise when dealing with individuals. This is because data privacy legislation is primarily directed at protecting the rights of individuals rather than corporations, with the underlying assumption that information is sacrosanct to the individual concerned and shouldn't be used in a way that infringes on his or her personal right to privacy. Unfortunately, the manner of dealing with privacy issues is more complex in the case of individuals.

The most common information maintained in an accounts-receivable system is name, address, telephone number, fax number and mail address. All such data are considered as personal information by the legislation and require adequate protection. In addition, personal financial information -- like credit card particulars -- may also be stored. In short, the control and protection of individual personal data is imperative.

Dealing with data privacy may take different forms, depending on the way business is conducted with the customer. Among the most common are personal contact (in the case of retail operations), telephone/mail contact (in the case of mail-order shopping) and electronic contact (home shopping on the Internet). In all cases in which the maintenance of customer information would infringe on the data privacy laws, the customer should be made aware of the following:

* Personal information is being stored in a manner which may be in contravention of data privacy legislation;

* The corporation has a data privacy policy aimed at protecting the customer from improper use of this personal information;

* The customer has access to the corporation's data privacy policy, and it will be forwarded to the customer should it be required; and

* The customer, by entering into the transaction, has acquiesced to the information being used within the realm of the corporation's data privacy policy.

Communication of this information may vary according to business circumstances. In a retail operation, the company might keep brochures summarizing the data privacy policy at each retail outlet, and display notices referring to the availability of these brochures at payment positions. In a mail-order business, the catalog might refer to the availability of data privacy policy brochures; a telesales operator could reinforce the message at the time of sale. For Internet transactions, it's probably easiest to give users a hypertext link to the corporation's data privacy policy web site. In all three cases, it's advisable to include a clause on the invoice affirming that the conclusion of the sale will be evidence that the customer agrees to the use of personal information as delineated in the corporation's privacy policy.

Remember: These solutions don't represent legal opinions, but rather the personal views of privacy experts and related proponents of privacy policy. Thus, seek legal advice when deciding on the solution most appropriate for your business.


It's unusual, though not impossible, for vendors to be individuals. Most vendors are corporations, and hence the majority of information retained won't be affected by the data privacy regulations. The most common exception will be contact information, i.e., details of individuals with whom the corporation deals on a regular basis. This is also the kind of information that might be maintained in the case of corporate customers.

If the kind of information maintained contravenes the data privacy regulations, it's incumbent on the corporation to handle vendors as it does customers: Make the affected party aware of the situation, direct him or her to the corporation's privacy policy and acquire consent regarding the intended use of the information. A letter to the individual -- inviting him or her to inform the corporation if he or she has any objection to the use of the personal data in the manner the policy describes -- might be the best way to obtain agreement.


Employee information is generally maintained in the corporation's human resources systems, and the necessary data privacy arrangements usually will be managed in this context. However, there may be instances where employee personal information resides in an organization's financial systems. The most commonly referenced sources of information are employee loans and payroll data. In these cases, it's probably advisable to issue a similar letter to that used for vendor/customer contacts, except that a positive rather than negative response may be required. That is, the employee is asked to sign a copy of the letter to verify awareness of and acquiescence to the corporation's policy.

Public policy and technology tools, global or otherwise, which protect and maintain an individual's privacy vis-a-vis his or her personal information -- be it sex, age, medical history, salary level, credit card information, buying patterns, etc. -- is a serious and private matter. In addition, a consumer's consent regarding the use of personal data is an emerging trend of paramount relevance to an organization's ability to distribute and utilize information. In this vein, organizations from across the globe must take responsibility for the use and circulation of personal information, irrespective of the fact that there appears to be a lack of universal policy consent at the moment. It's important that organizations that retain individual and/or corporate information develop privacy policies and take concrete steps to make the details of these policies available at the point of transaction.

To this end, corporations and other entities that have access to and record the private data of individuals have a profound duty to safeguard this information and to use it only in recognized and proper activities. In addition, given that the European Union currently leads the way in developing privacy policies, corporations based in America that do business in Europe must be especially conscientious about privacy procedures.

An organization that commits to a position at the vanguard of the privacy movement will be poised to take superior advantage of global Internet commerce and related technological innovations. It will be able to serve its customers in a safe and effective manner, and be better able to conform to privacy regulations as they evolve.

Anne Clifford is a senior global strategist with The Hunter Group, a Renaissance Worldwide Company. She recently co-authored a while paper on data privacy, "The European Union Directive on Data Privacy and Its Impact on Global Information Systems in U.S. Corporations."

Peter Weinberga is director of the global strategies and solutions practice of The Hunter Group.
COPYRIGHT 2000 Financial Executives International
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2000, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Printer friendly Cite/link Email Feedback
Author:Weinberg, Peter
Publication:Financial Executive
Date:Mar 1, 2000
Previous Article:Hit and Run.
Next Article:Courting the Dragon.

Related Articles
IRAN - May 29 - Attempt On Khatami's Life Thwarted.
League of Shadows.
Syria's Pretexts Gone.
Justice for Mayfield.

Terms of use | Privacy policy | Copyright © 2019 Farlex, Inc. | Feedback | For webmasters