Sail in a Safe Harbor: The Legal Transfer of Data
How to navigate the legal transfer of data from Europe to the United States
The capture and use of personal data for marketing purposes is a common practice in the United States. In other parts of the world, however, policies and laws regarding the use of personal data for such purposes are far more restrictive.
The most notable piece of global privacy legislation that affects U.S. companies is the European Data Protection Directive, which requires specific measures be met before data are transferred outside the European Union (EU).
When implementation of this directive threatened the flow of data from the EU to the United States, the U.S. Department of Commerce and the European Commission negotiated the Safe Harbor, which now allows its participants to receive data from Europe.
The European Data Protection Directive: A Brief History
In October 1998, the EU implemented its data privacy directive, which required each of its 15 member countries to draft and implement new legislation that mirrored its guidelines relating to the procurement, housing and use of data.
The first part of the directive applies to all information collected within Europe by any and all media (e.g., telephone, Internet, mail). When collecting data within the EU, the marketer must give the consumer the right to opt-out. It also must inform the consumer of any use of the data that is not apparent. For example, collecting data to solicit a sale is apparent.
However, if you as the marketer wish to disclose that information to a third party for direct marketing purposes, you may have to go back to the consumer for permission. Consumers also have the right to correct their data.
Another critical part of the directive applies to the transfer of data. Any non-EU country receiving data from the EU must provide adequate protection.
Enter: The Safe Harbor
The United States is not recognized as having adequate legal protection, as no national legislation exists. There are ways, however, in which you can legally transfer data from Europe to the United States.
The Safe Harbor is the most often promoted solution for the transfer of data between EU members and the United States. Negotiated by the U.S. Department of Commerce and the European Commission, the Safe Harbor agreement enables a U.S. company to receive data from Europe by voluntarily submitting to regulation by a U.S. government office.
Admission into the Safe Harbor indicates that a company values data-privacy protection and will make every effort to respect Europeans' requests regarding use of their personal information by adhering to a set of seven principles, as explained by The Direct Marketing Association (The DMA):
1. Notice: Inform customers in a clear and timely manner as to what information is collected, why it is collected, to whom you're forwarding it, how its use can be limited and how the customer can contact you for additional information.
2. Choice: Customers must be given a choice to opt-out of certain information uses and exchanges and opt-in if sensitive information is being used.
3. Onward Transfer: Marketers must ensure that if information is disclosed to agents or subcontractors, they agree to abide by the Safe Harbor principles.
4. Access: Give customers access to personal information maintained by the company and the ability to correct it.
5. Security: Reasonable care must be given to protect information from loss, misuse, unauthorized access, disclosure, alteration and destruction.
6. Data Integrity: Ensure that the customer's personal information is reliable, accurate, complete, current and used for intended purposes.
7. Enforcement: Marketers must promise to address consumer privacy concerns by: (1) referring consumers to your customer service department or other in-house dispute resolution program; (2) subscribing to a third-party dispute resolution mechanism to address any unresolved in-house consumer data privacy complaints; and (3) having appropriate monitoring, verification and remedy procedures in place.
If your company has already committed to The DMA's privacy promise, you're more than 80 percent of the way toward complying with the Safe Harbor agreement, reports Charles Prescott, vice president, international business development and government affairs, The DMA.
After reviewing the Safe Harbor principles, company executives should investigate their own data-protection procedures, including what information they collect and how it's used, advises Prescott. Then, they should develop corporate policies that conform to Safe Harbor principles, including compliance with enforcement.
Protection in Practice
Let's look at three situations in which Martin Abrams, executive vice president, Center for Information Policy Leadership, Hunton & Williams, says a U.S. company may need to comply with the EU's data-protection directive:
1. You're a U.S. direct marketer, and European consumers order from your Web site.
If consumers come to your Web site and give you their data for the purpose of fulfillment, it's considered a voluntary export of data and is handled per U.S. law, which has no legal requirement for marketers to give notice and choice, explains Prescott. However, if the U.S. company is a DMA member, it's required by The DMA to provide notice and a choice to opt-out of receiving marketing materials.
It's in a marketer's best interest, adds Abrams, to clearly post its privacy notice on its Web site, inform customers that their data may be used for marketing purposes, and give them the choice to opt-out.
2. You're renting a list of European individuals.
Regardless of whether it rents its list, a European list owner is required by the EU to register with its country's data controller. If a U.S. mailer seeks to rent names from the list owner, several things have to occur before the data can be released.
First, the list owner must assure adequate protection of the data. This may be done by either drawing up a contract between the two parties that specifies the requirements of adequate protection, or by the mailer certifying to the Safe Harbor. As part of the provisions of the Safe Harbor, if the mailer uses a service bureau to process the data, it too must meet an adequate level of protection by either certification to the Safe Harbor or by contract with the mailer.
3. You're a multinational company that collects data in Europe, transfers it to the United States for processing, and then uses it to market to European consumers.
In this example, says Abrams, it makes good sense to enter into the Safe Harbor rather than use individual contracts, because you must comply with the law of each country in which you collect data.
The Safe Harbor Reality
While data continues to flow back and forth across the Atlantic, it has hit a few waves along the way.
Prescott reports he's had complaints from U.S. publishers and data processing companies that have "run into an abysmal level of ignorance on the part of the European business community about Safe Harbor." This has resulted in the reluctance of some European list owners to release data.
The confusion arises regarding who needs to be registered, with whom and where. For instance, if a U.S. company wants to rent the subscriber file of a U.K.-based publisher, it's the responsibility of the U.K. publisher to register with the U.K. data protection registrar, provide its subscribers with notice of its intent to rent their data and offer a choice to opt-out from receiving third-party marketing efforts. The U.S. company must provide adequate protection under the provisions of the Safe Harbor or by individual contract.
Many European list owners erroneously assume the U.S. company is obligated to register with the U.K. data controller. Not so. Such registration is not required, provided the U.S. company doesn't have a U.K.-based subsidiary.
In these instances, Prescott has sent an explanatory memo, which so far has resulted in data being released.
The reservations some U.S. marketers have had about the difficulty of certifying with the Safe Harbor also appear to have abated.
"The development of the Safe Harbor was considered by those in the privacy arena as a revolutionary event," says Prescott. "Since then, many have come to realize that compliance doesn't require the dramatic changes we'd anticipated."