Sail in a Safe Harbor - The Legal Transfer of Data (1,348 words)
If your company already has committed to The DMA's privacy promise, you're more than 80 percent of the way toward complying with the Safe Harbor agreement, reports Charles Prescott, vice president, international business development and government affairs, The DMA.
After reviewing the Safe Harbor principles, company executives should investigate their own data-protection procedures, including what information they collect and how it's used, advises Prescott. Then, they should develop corporate policies that conform to Safe Harbor principles, including compliance with enforcement.
Protection in Practice
Let's look at three situations in which Martin Abrams, executive vice president, Center for Information Policy Leadership, Hunton & Williams, says a U.S. company may need to comply with the EU's data-protection directive:
1. You're a U.S. direct marketer, and European consumers order from your Web site.
If consumers come to your Web site and give you their data for the purpose of fulfillment, it's considered a voluntary export of data and is handled per U.S. law, which has no legal requirement for marketers to give notice and choice, explains Prescott. However, if the U.S. company is a DMA member, it's required by The DMA to provide notice and a choice to opt out of receiving marketing materials.
It's in a marketer's best interest, adds Abrams, to clearly post its privacy notice on its Web site, inform customers that their data may be used for marketing purposes, and give them the choice to opt out.
2. You're renting a list of European individuals.
Regardless of whether it rents its list, a European list owner is required by the EU to register with its country's data controller. If a U.S. mailer seeks to rent names from the list owner, several things have to occur before the data can be released.
First, the list owner must assure adequate protection of the data. This may be done either by drawing up a contract between the two parties that specifies the requirements of adequate protection, or by the mailer certifying to the Safe Harbor. As part of the provisions of the Safe Harbor, if the mailer uses a service bureau to process the data, it too must meet an adequate level of protection, either by certification to the Safe Harbor or by contract with the mailer.