First, the good news: Negotiations are continuing between the European Union and the United States regarding the EU's privacy directive, after both sides missed the self-imposed deadline for a resolution in June. The bad news? Ditto.
The EU Directive on Data Protection, adopted in 1995, took effect last October. Under its guidelines, companies doing business in the EU must obtain an individual's consent each time their personal data is used for commercial purposes. Consumers must also have easy access to all of the data held on them. The directive allows transfers of personal data to non-EU countries only if they can provide an "adequate" level of privacy protection. In effect, the directive blocks the flow of European consumers' information from Europe to the United States, which currently has no federal privacy legislation that meets the EU's standards.
Under a proposed "safe harbor" arrangement, however, individual U.S. companies that provide adequate data protection would be allowed access to personal data from EU member states. The safe harbor principles set guidelines regarding consumer notice, choice, and access; onward transfer of information; security; data integrity and enforcement. Compliance, though, will mean significantly higher costs for American companies, warns Douglas Sacks, senior vice president of Infocore, Inc., a Wethersfield, Connecticut-based international list brokerage and marketing consultancy. "How will you contact each customer? If you call them, you have to pay for that; if you send them a letter, you have to pay postage," he says.
Those close to the privacy issue expected some action to be taken by the time the June summit was held in Bonn between the European Commission and the U.S. Department of Commerce. But although substantial progress was made, the summit ended without a handshake. The missed deadline means more waiting and hoping that an agreement will be reached this fall, as promised in a joint report presented at the meeting.
Sticking points still remain. In particular, EU member states are reluctant to allow the European Commission to review their findings regarding whether a U.S. company is in compliance, noted David L. Aaron, Undersecretary of Commerce for International Trade, in a speech presented at the summit. Implementation is another issue: The EU would like U.S. companies to adopt the safe harbor principles within six months. The U.S. prefers a longer transition, says Aaron - at least two years, in light of Y2K and industry consolidation problems, as well as the fact that fewer than half of EU member states have implemented the directive so far.
What to do while you watch and wait? Many larger, multinational companies, Infocore's Sacks says, have taken the initiative and met with privacy commissioners in individual countries to work out separate trans-border contracts, keeping open the critical flow of data. Others, such as The McGraw-Hill Companies, are waiting it out. "It's our understanding that once the safe harbor agreement is reached, we'll have time to make a choice - whether to apply through the safe harbor or do our own contracts," says Lisa Pavlok, director of Washington affairs for McGraw-Hill.
But most EU member states have had data protection laws in place for several years, points out Bill Whitehurst, director of data security and privacy programs for IBM. The directive simply harmonizes existing laws. IBM has been working with authorities in individual countries to comply with local laws for some time, he says.
The directive's implementation may have other implications: Some countries outside the EU are considering using the privacy legislation as a model for their own, Sacks says.