Companies with European subsidiaries can shield themselves from privacy-related lawsuits under a "safe harbor" agreement negotiated between the United States and the European Union (EU) last summer. The pact lets U.S. businesses send personnel and customer data stateside, an exception to EU rules that prohibit transfer of personal information to any country that doesn't follow Europe's stringent privacy laws.
Businesses that join the pact (which is voluntary) agree to follow the EU's Directive on Data Privacy, which says they can share info they collect with other companies only if the subject of the data consents. In return, Europeans unhappy with how U.S. companies use their data have to sue in U.S. courts under privacy laws that are less stringent than Europe's. Businesses that decide not to join risk having European governments prohibit them from sending data back home. Jeff Rohlmeier, an international trade specialist with the U.S. Department of Commerce (DOC), says the agreement was needed to prevent disrupting $350 billion in trade with Europe, which is now mostly conducted electronically.
So far only 13 companies have signed the pact. The reason isn't clear. Companies appear to be procrastinating because the agreement isn't currently being enforced. That's likely to change later this year, when the EU will decide whether to seek even stricter rules.
Whether or not a company signs on, it still has to build systems that comply with the EU's privacy standards in each European country where it handles personal data, says lawyer Catriona Hatton, whose practice in the Brussels office of Hogan & Hartson focuses on EU antitrust law and regulatory affairs.
At press time, the Bush administration hadn't taken a position on the pact. Meanwhile, CIOs can keep tabs on future negotiations through the DOC (www.doc.gov).
-- Joe Kendall
The drumbeat from consumers about protecting privacy online is amplifying the political rhetoric in Congress. How long before talk turns into action?
Sen. Ron Wyden (D-Ore.), an e-commerce advocate, predicts Congress will pass a privacy bill this year. According to his chief of staff, Josh Karden, Wyden thinks the feds need to act before state legislatures, under pressure from their constituents, enact rules about what customer info companies can share. The result: 50 different data privacy laws that might require companies to treat customer data differently depending on where those customers live.
Eyeing this possible patchwork of state laws, some companies are rethinking their opposition to federal rules. In January, the American Electronics Assoc., which represents over 3,500 companies and had been against a national privacy law, reversed itself, joining consumer-oriented groups like the Consumers Union and the Consumer Federation of America. But that doesn't mean a bill can get passed. At least one influential business group, the U.S. Chamber of Commerce, still wants the feds to keep their hands off. Rick Lane, the group's director of e-commerce and Internet technology, says there's no privacy problem: "When you say show us the harm, there are no victims." And plenty of politicians, including the new chairman of the House Commerce Committee, Rep. Billy Tauzin (R-La.), are in the laissez-faire camp for now. Tauzin's spokesman, Ken Johnson, says Tauzin won't meddle as long as he thinks companies are trying to do the right thing.
So, without a crisis, Congress will keep studying the issue. "During the next couple of years there will be an intense set of hearings and discussions," says Andrew Shen, policy analyst with the pro-consumer Electronic Privacy Information Center. That gives CIOs, who are becoming the guardians of data privacy, plenty of opportunities to let their representatives know what they think ought to be done.
-- Joe Kendall
This story, "Any safe harbor?" was originally published by CIO.