U.S. Firms Get Privacy Lessons from Europe

EU data privacy rules are shaping a change of attitude in American companies when dealing with information collected from their customers, but the US is still far from considering data protection as a basic human right.

Anyone who has bought a book online or opened an email account with Google (GOOG) has already experienced it: tailor-made advertising landing in their inbox, based on a personal profile created by the company.

The term "behavioural advertising" is a commonplace in marketing strategies, particularly in US-based companies such as Yahoo (YHOO), Amazon (AMZN) or Facebook. It is seen as a reliable revenue-making tool on the Internet.

But privacy issues arise especially when personal information is "aggregated" and passed on to other companies or when the government taps into the "data warehouses" held by private companies in order to track down criminals or terrorism suspects.

A fundamental difference between the EU and US approaches to data privacy is the question of ownership, law and privacy experts told a group of European journalists in New York last week.

In Europe, data protection is granted even after the consumer has passed on the data, while in the US, the company's understanding is that once it has the information, it can do whatever it wants with it.

"When we explain to a US company for the first time how data privacy laws work in Europe, they say 'you must be kidding?' It takes a few years to acclimate to that," said privacy lawyer Lisa J Sotto from Hunton & Williams, a New York based law firm.

Ms Sotto argued that the cultural difference between the two continents stems from history. "Here [in the U.S.], privacy is not a fundamental human right, instead it's a consumer protection interest. In Europe...people could have been put to death because of their data; here they were marketed to to death," she said.

A self-certifying scheme dubbed "Safe Harbour," encompassing some 2,200 US companies, helps businesses comply with EU data protection law when doing business with European customers. Under the agreement, the Federal Trade Commission can put companies under increased scrutiny for up to 20 years and even impose fines if they violate the terms they subscribed to.

"There is a move in having companies Safe Harbour-certified in a way that is fundamentally different from five years ago. Companies are much more tuned to the fact that they need to comply with the set of [data privacy] principles in a very significant way. It's not a rubber stamp at all," Ms Sotto said.

Big companies have started to put in place "chief privacy officers" both in the US and in their European branches, and in the coming years there will be even more of a push for "very formal data protection structures" within these businesses.

But critics point to the low enforcement levels of the data protection rules and the fact that in its 10 years of existence, Safe Harbour has seen only seven cases brought to court in the US – all were companies wrongly stating they were part of the scheme, not actual non-compliance cases. None were notified to EU data protection authorities.

"No US company is in compliance with the EU data protection directive. If this directive was applied thoroughly, US companies couldn't do business in the EU," Adam Levitin from Georgetown Law School said. He explained that the system of "self-certification" meant that American businesses were only paying lip service to requirements such as access to and correction of data, security and integrity of the information and no automatic use for other purposes than the one stated in the notice to consumers.

While big online names such as Yahoo, Google or Facebook are part of the Safe Harbour scheme, most US air carriers are not.

"Nobody from the air sector is in Safe Harbour: Delta (DAL), American Airlines (AMR), none of them are. When you give them the information in Europe, I am sure beyond any doubt that the information goes to Atlanta (US)," Edward Janger from Brooklyn Law School said.

He pointed to the fact that these companies are subject to EU law if their branches operate on European soil, but that there is little scrutiny of their responsibilities. "I don't know of any EU audit on whether these companies have adequate data protection," he said.

Swift agreement

One company which is part of the Safe Harbour agreement is Swift, the Belgian-based financial communications company handling some 80 percent of the world's international bank transactions.

Ms Sotto's legal firm has helped Swift comply with EU data protection laws, despite its image being seriously dented by the scandal which broke out in 2006, when it emerged that the US government was secretly tapping into the company's data as part of an anti-terrorism program.

"We helped Swift solely with the Safe Harbour certification, not the law enforcement side. From my perspective, it was a whole bunch of nonsense. The data was being transferred in a secure way. They just put a legal framework around it, which is fine, but it cost a lot of money in legal fees," she said, in reference to the years of legal wrangling with the EU.

The Swift saga seems to be nearing its end, however, as the EU and the US on Monday (28 June) formally put their signatures on a legal agreement likely to be approved by the European Parliament next week after gaining some extra layers of auditing and control over the program.

Back in February, the legislature rejected an interim deal, citing privacy concerns and an inter-institutional quarrel. The veto interrupted the data flow from Swift's European server to the US authorities, triggering concerns in Washington at the "security gap" created thereby.

If the deal wins the approval of Parliament next week, Swift will resume sending data on 1 August, including for the months lapsed since February.