Self-Policing on Privacy? Forget It

Businesses love to say they can. But when given a chance, they don't, as a recent episode involving U.S. and European laws shows

By Jane Black

One of the biggest battles in online privacy centers on the extent to which businesses can police themselves. No problem, most companies say. They claim they're glad to reveal their policies to consumers on how they use and share data collected from Web surfers and online buyers. After all, an educated consumer is the best customer. Conversely, consumer advocates argue that companies can't be trusted to self-regulate, and governments should lay out laws dictating privacy standards.

Well, consumer advocates are looking pretty prescient these days, and many U.S. companies appear to be shirkers. Just look at two recent rule changes by the European Union and the U.S. governments on privacy, and you'll get the idea.

On July 1, a law banning companies doing business in Europe from sharing customer and employee data officially took hold. But to avoid an outcry from U.S. businesses, Washington and Brussels last year agreed to a "safe harbor" provision in which American companies can avoid sanctions in Europe if they voluntarily embrace a watered-down version of EU privacy standards.


  To date, only 68 U.S. companies have done so. Now, contrast that to the mad scramble by companies moving to comply with a new U.S. law, effective July 1, that stipulates rules for data sharing by financial-service companies. The difference is stark. In Europe, companies seem to thumbing their noses at easy voluntary compliance, banking that the EU can't get its act together to enforce its new law. But there's no lollygagging in complying with the new U.S. law.

That the legal stick is getting action while the voluntary program isn't does not speak highly of business' claim that it can police itself. "Experience seems to suggest that self-regulation does not work for privacy," says Joel Reidenberg, a professor at Fordham Law School and an expert in international data-privacy regulation.

The safe-harbor agreement springs from a data-privacy law passed by the EU in October, 1998. In a nutshell, the law protects EU citizens from the free-for-all collection and sharing of personal information -- apart from financial -- that is widely practiced in the U.S. American companies claimed compliance with the EU law would be too difficult and costly.


  Enter the compromise. It stipulates that U.S. companies should comply with seven basic principles. Notably, they must inform customers and employees about why they collect and use information. Companies also must offer consumers the option to choose not to have their personal information disclosed (often referred to as an opt-out policy). Finally, companies must allow consumers or employees to access information collected about them so that they can correct, amend, or delete it.

Doesn't seem too onerous, right? Safe-harbor advocates say the principles are a test of corporate mettle. "The safe harbor is the ultimate self-regulatory program. It challenges you to do the right thing in terms of privacy protection," says Barbara Lawler, Hewlett-Packard's customer-privacy manager.

Lawler can afford to crow. Among major U.S. corporations, HP is one of the few that have filed through the U.S. Commerce Dept. for European safe harbor. The lack of enthusiasm elsewhere among other global American businesses hasn't gone unnoticed by consumer-privacy advocates. "It does demonstrate to an extent that many companies are loath to provide privacy protection," says Andrew Shen, senior policy analyst at the Electronic Privacy Information Center.


  Even companies that have signed up for safe harbor in some cases haven't followed through quickly or effectively. Take Genetic Technologies, a Missouri-based DNA-analysis and forensic-consulting firm that works with companies in the Netherlands and Belgium. According to a January, 2001, filing with Commerce, its privacy policy is publicly available online at That would meet the safe-harbor standards for policy notification. But I searched the company's Web site and couldn't find a privacy statement anywhere.

When contacted by BusinessWeek Online, Genetic Technologies President Ken Harman said the site was new as of about two weeks ago. "Being a signatory to the safe-harbor act is also an implicit statement of the confidential way we test. They don't require it to be an explicit statement anywhere," he said.

Hold on. EU requirements for notification specifically require that companies must notify individuals of the purposes for which they collect and use data. Harman said an outside firm had built the site, and he hadn't been through it "...tip to toe. There are things in there that I need to investigate more closely," he said.


  Companies might have good reason to steer clear of the safe-harbor agreement. When they sign on, they open themselves up to scrutiny by the U.S. Federal Trade Commission should Europeans decide to make a formal complaint. How and when the EU would enforce the agreement also remains unclear. Three EU countries -- France, Ireland, and Luxembourg -- have not yet passed national privacy legislation.

If member countries' laws are not up to snuff, experts say it will be politically difficult for the EU to impose penalties on U.S. companies -- ergo, no legal stick and no reason to sign up for safe harbor. Some legal observers say the agreement may not meet legal muster because the FTC doesn't appear to have authority to protect foreign consumers rights in the U.S.

Moreover, FTC regulation could cause a political problem, according to Fordham Professor Reidenberg. "What if the FTC spent its limited budget protecting Europeans against American companies? Congress would be apoplectic," he says.


  Problems with the safe-harbor agreement aside, U.S. companies ignore privacy concerns at their own peril. Posting a privacy policy on every Web site that collects data is more than just the right thing to do. "There is a considerable amount of work involved. But these are good information practices -- and good business practices," says Patrick Sullivan, chief privacy officer at privacy and security firm Guardent Technologies.

Sad to say, the decision by most U.S. companies to ignore the safe-harbor program suggests to me that despite lip service paid to self-policing, they're unlikely to do anything until a government steps in and forces them to meet certain standards.

Black covers technology for BusinessWeek Online in New York

Edited by Alex Salkever

Before it's here, it's on the Bloomberg Terminal.