Going Global
by Jody R. Westby
Issue: Feb 2007

EU Model
Since 1995, the EU has been the global leader on how governments and companies approach privacy. Its DP Directive affords omnibus protections to any PII that is processed by automatic means or is part of a filing system. It has seven principles, adopted primarily from the Organization for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the Council of Europe Convention on Data Protection.

These principles were largely incorporated into the Safe Harbor agreement between the EU and U.S. in 2000. They require:

  • Collection of PII be limited to only what is necessary
  • The data be fairly and lawfully processed
  • It be used only for the stated limited purpose
  • The data be kept up to date
  • It be kept only as long as necessary
  • It be accessible to the person, with an avenue for objection to the processing
  • It not be transferred to non-EU countries without adequate protections.
The consistency of the DP Directive is undercut, however, by uneven enforcement by the member states' supervisory authorities. Spain, for example, has levied millions of dollars of fines against corporations (primarily in the health and telecommunications sectors) for failure to comply with particular provisions of the directive. Meanwhile, the EU launched actions against Germany and Austria for lax implementation of the directive. The EU regulatory powers may get even stronger if a recent EU proposal requiring entities to notify regulators in the event of a security breach of PII is adopted.

Although the DP Directive was intended to facilitate data flows within the EU, it also works to control the transmission of data outside the EU. In a nutshell, data cannot be sent outside the EU unless it meets one of the following requirements:

  • The data is being sent to a country that has received an "adequacy ruling" from the European Commission that its data protection laws afford equivalent protections to those of the DP Directive
  • Clear and informed consent has been obtained from the person whose information will be sent outside the EU
  • The data is subject to EU-approved contractual clauses between the sender of the data and the recipient
  • The data is subject to binding corporate rules (BCR) that have been approved by the data protection authorities of the countries where the data is obtained
  • The data is going to a U.S. entity that is registered in the U.S. Safe Harbor program (an option only for U.S. organizations).
This cross-border data flow restriction has created the largest privacy compliance burden for companies. To date, only five countries have received "adequacy rulings" that their data protection laws afford equivalent protections to those of the DP Directive: Argentina, Canada, Switzerland, Guernsey and Isle of Man.

The U.S. Safe Harbor framework is the U.S. solution to the adequacy requirement. It provides an important mechanism for U.S. companies to meet EU DP compliance requirements and avoid prosecution by EU authorities. The program is administered by the U.S. Department of Commerce and enforced by the Federal Trade Commission; U.S. companies can join it and self-certify annually that they are adhering to the seven Safe Harbor principles. Those principles include taking reasonable steps to protect personal data and notifying individuals about why their information is collected. As of November, 1,050 companies had joined.

Even though Verispan participates in the Safe Harbor program, Ganow says "the additional burden for the prudent company comes with the due diligence it must complete on each member state's individual requirements," which can be more stringent than the directive.
