Protecting personal privacy in the global business environment: in the electronic world, protecting personally identifiable information is a critical challenge for all companies and governments.

Because records of individual customers or potential customers often have high market value, personally identifiable information has been described as the world's new currency. With the global reach of the Internet, which makes sending personal data from one continent to another nearly instantaneous, privacy is an issue of high international concern. Via the Internet, a company located in one country with one set of privacy rules can send personal data about an individual, or a database containing millions of individual records, to another country with a different set of privacy rules.

This situation is particularly worrisome because of the globalization of business operations. When companies export their business operations abroad, they may also send sensitive customer data overseas. Once sent abroad, the company may be at liberty to market or otherwise disseminate the personal data with impunity. In countries where no laws to protect personal data exist, sensitive data relating to individuals can be sold to other parties without their consent, or it may be exposed to the risks of identity theft.

The European Union (EU) has adopted strict rules, with mechanisms for global enforcement, to mitigate these risks. Europe has the world's most stringent set of rules governing how companies and governments must manage personal data such as age, marital status, buying patterns, and similar information. In Europe, privacy is generally viewed as a basic human right, enforceable by stringent legal protections, and the Europeans have become global leaders in setting the standards for privacy and attempting to promote them throughout the world.

In the United States (with the singular exception of California), such protections are considerably less stringent, as business interests have generally opposed any legislation or regulations that restrict their ability to collect and use or even sell or exchange personal information at their discretion, without government interference.

The EU's privacy laws require retailers to obtain permission to collect data, trade it to partners, sell it, or even use it for their own marketing--all common practices in the United States. European companies are required to grant individuals open access to records and data about them and correct any inaccuracies. The EU restricts how much information companies can collect on customers and employees and how long they are permitted to retain it. Video surveillance tapes, for example, must be erased after a short period of retention.

With its high global standard of tight restrictions on personal data, the EU has been quite successful in influencing the adoption of privacy laws throughout the world. EU-inspired privacy laws are now the norm in Canada, Australia, New Zealand, and parts of Asia and Latin America. The EU influence is also being felt in the United States.

The EU's Data Protection Directive

In 1998, the EU issued its Directive on Data Protection (95/46/EC). The directive was devised because some EU member states did not have privacy protection for individual citizens, while other countries had incompatible laws. To address this problem, the EU's parliament issued its directive on data protection, which was intended to harmonize European privacy laws and afford a continent-wide standard of protection for all European citizens.

The directive's most significant feature is that "data subjects"--persons from or about whom data is collected--must unambiguously grant their consent before such data is collected, after having been informed about the purpose(s) for which the data will be used. The directive applies to the collection, transmission, and processing of personal data, which is defined as "any information relating to an identified or identifiable natural person" residing within a member state of the EU. The directive applies to data that directly or indirectly identifies an individual, which includes a person's name, as well as other personal data about the person, such as address, telephone number, or other information of a personal nature. However, the directive expressly forbids the collection of personal information that could be characterized as sensitive, which is defined as a person's racial or ethnic origin, political opinions, religious beliefs, or sexual preferences.

The directive consists of regulations relating to the collecting, processing, and handling of personal data maintained within the EU, as well as personal data transferred from the EU to other countries. The directive requires that personal data be managed such that it is

* Collected for specified and legitimate purposes and not processed further

* Relevant and not excessive for the purpose collected

* Accurate and updated as necessary

* Kept in a form that permits identification of data subjects for no longer than necessary

Privacy in the United States

In sharp contrast to the situation in Europe, the United States does not have a comprehensive privacy law and, generally, has promoted industry self-regulation rather than legislation as the best means of balancing privacy interests against the demands of electronic commerce.

The Privacy Act of 1974 protects personal information about U.S. citizens captured in records maintained by agencies of the federal government, but the law has no applicability outside the federal sector. However, specific laws and regulations do apply to personal records and information--such as credit history and other financial records, telephone records, educational records, and patient medical records--maintained by certain types of businesses. For example:

* Health Information--The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Privacy Rule of 2001 impose privacy restrictions applicable to health information, typically in the form of patient-specific medical records. Regulations promulgated under the Act and Privacy Rule require regulated parties (i.e., health plans, healthcare clearinghouses, and certain healthcare providers) to implement a variety of privacy measures for patients, insured parties, or other individuals subject to protection under the rules. These include rules governing access to patient medical records, requirements for patient consent to permit the sharing or disclosure of such records, patient recourse for privacy violations, and other restrictions.

* Financial Information--The Granma-Leach-Bliley Act of 1999 requires financial services companies to establish privacy policies and governs how customer financial data can be shared within and between institutions. Title V of the Act contains provisions pertaining to the privacy of customer-specific financial records by banks and other financial institutions. As of July 2001, financial institutions are required to provide notice and an opportunity for customers to opt out of disclosures of nonpublic personal information to nonaffiliated third parties.

The U.S. Safe Harbor Agreement

One of the main features of the EU privacy directive is that it is designed to ensure that corporations, including U.S. multinational companies doing business in Europe, do not circumvent the EU's data protection requirements by exporting personal data to countries that are not subject to the EU's privacy rules. The directive prohibits data transfers to non-EU countries, including the United States, unless those countries provide adequate protection for the data.

Through this mechanism, Europe is attempting to make its data protection rules the enforceable global standard for privacy. At the time of this writing, the U.S. has not been deemed to provide adequate protection of personal data. During the past several years, negotiations have been continuous, often contentious, between Europe and the United States to seek an acceptable compromise. To date, this has taken the form of "safe harbor" data protections.

The U.S. Department of Commerce, in consultation with the European Commission, developed the Safe Harbor Agreement by which U.S. companies can avoid sanctions imposed by the EU if they voluntarily embrace a somewhat less stringent version of the EU privacy directive. Under the agreement, before personal data about European citizens may be transferred to the United States, American companies must promise to handle data about EU citizens in accordance with the EU's standards while the data is maintained in the United States. However, detailed provisions, including enforcement, have yet to be worked out between the United States and the EU.

California: Leading the U.S. in Privacy

In the United States, the State of California has positioned itself at the forefront of the privacy movement. On July 1, 2004, the first online privacy law ever enacted in the United States--California's Online Privacy and Disclosure Act of 2003--went into effect. The new law requires all commercial entities operating in the state that collect personal information online to clearly post a privacy policy to inform citizens concerning the collection and use of data about them. In recent years, California has enacted a plethora of new privacy laws. In brief, these laws:

* Require businesses to inform customers when personal data is shared with other parties

* Require businesses to notify customers when their personal data has been exposed to a security breach

* Restrict the use of Social Security numbers as a means of identification

* Prohibit unsolicited advertising by means of fax and e-mail

* Prohibit the sending of text messaging advertising to cell phones and pagers