March 16, 2001, 2:32 PM — Companies with European subsidiaries can shield themselves from privacy-related lawsuits under a "safe harbor" agreement negotiated between the United States and the European Union (EU) last summer. The pact lets U.S. businesses send personnel and customer data stateside, an exception to EU rules that prohibit transfer of personal information to any country that doesn't follow Europe's stringent privacy laws.
Businesses that join the pact (which is voluntary) agree to follow the EU's Directive on Data Privacy, which says they can share info they collect with other companies only if the subject of the data consents. In return, Europeans unhappy with how U.S. companies use their data have to sue in U.S. courts under privacy laws that are less stringent than Europe's. Businesses that decide not to join risk having European governments prohibit them from sending data back home. Jeff Rohlmeier, an international trade specialist with the U.S. Department of Commerce (DOC), says the agreement was needed to prevent disrupting $350 billion in trade with Europe, which is now mostly conducted electronically.
So far only 13 companies have signed the pact. The reason isn't clear. Companies appear to be procrastinating because the agreement isn't currently being enforced. That's likely to change later this year, when the EU will decide whether to seek even stricter rules.
Whether or not a company signs on, it still has to build systems that comply with the EU's privacy standards in each European country where it handles personal data, says lawyer Catriona Hatton, whose practice in the Brussels office of Hogan & Hartson focuses on EU antitrust law and regulatory affairs.
At press time, the Bush administration hadn't taken a position on the pact. Meanwhile, CIOs can keep tabs on future negotiations through the DOC (www.doc.gov).
-- Joe Kendall
The drumbeat from consumers about protecting privacy online is amplifying the political rhetoric in Congress. How long before talk turns into action?
Sen. Ron Wyden (D-Ore.), an e-commerce advocate, predicts Congress will pass a privacy bill this year. According to his chief of staff, Josh Karden, Wyden thinks the feds need to act before state legislatures, under pressure from their constituents, enact rules about what customer info companies can share. The result would be 50 different data privacy laws that might require companies to treat customer data differently depending on where those customers live.