Europe's Eye On Privacy

Europe's tighter privacy laws present challenges and risks for U.S. companies

InformationWeek Staff, Contributor

June 21, 2001

10 Min Read

Household International Inc. is a U.S. insurance company that does most of its business on its home turf. But the 5% that it does overseas has forced the company to operate two entirely separate data centers. That's because there are fundamental differences between the United States and Europe when it comes to online privacy. "In Europe, they're much stricter and they'll go after companies that don't comply with privacy practices," says Gary Clayton, CEO of the Privacy Council Inc. in Richardson, Texas.

Personal privacy is viewed as a fundamental right in European countries. Personal data collected from an online transaction conducted in Europe is treated as if it were subject to a nondisclosure agreement. To protect consumers, the 15 member states of the European Union have regulated how companies handle personal data under a directive adopted in 1995.

The United States operates under much looser guidelines, generally leaving companies to self-regulate how they handle data collected online from consumers. U.S. companies that collect data online are only required to act as "good stewards" of the data, which leaves a lot open to interpretation, Clayton says.

Another major difference between the United States and Europe, according to Clayton, is that U.S. regulations only require that companies offer an "opt out" policy for online data collection and sharing. That means consumers have to specifically request that their data be treated confidentially. In contrast, European regulators require an "opt in" scenario, in which data collection and sharing is prohibited unless a consumer specifically gives permission.

Once U.S. companies figure out what the differences are, complying with European regulations can be costly. "It takes work and costs money for companies to examine internally what the implications are," says Pam Fredericks, a senior solutions specialist in the e-security and privacy practice at systems integrator Unisys Corp.

For Household International, that means separate data centers, CIO Kenneth Harvey says. The overseas site in London is required because the European privacy directive prohibits transferring personal data collected in the 15 EC nations to countries whose privacy protections the EC doesn't consider "adequate," and the United States isn't one of them. That's despite the fact that Household International has never disclosed any of the data it collects to third parties and, according to Harvey, has always taken extra precautions to protect it.

"We have always chosen not to share data, and it's only used for [the consumer's] business within Household," Harvey says. In addition, "nobody has ever breached any level of our security."

Household International's network carries only IP traffic, all of it encrypted, Harvey says, adding that the company's sites are fully self-hosted and protected by firewalls. With such a setup, Household has always believed that its privacy policies and security precautions are stricter than those required by any regulations. But encryption and firewalls address the confidentiality of data, not the jurisdiction it lands in; the directive restricts where personal data may be sent, however well it's protected in transit. So the European regulations have forced the company to maintain a separate set of mainframes and firewalls, and a separate network in Europe, "so that we're not [transmitting] data under the ocean, so to speak. That's a consequence of [European Commission] regulation," Harvey says.

Harvey declines to disclose the exact cost of maintaining the "mirrored" Web site in London. But, he says, "from a cost-structure perspective, it's not optimal."

The United States has three separate federal laws that, in addition to protecting consumer data collected in conventional ways, apply to online privacy. The Fair Credit Reporting Act covers customers' financial and credit information; the Health Insurance Portability and Accountability Act covers medical data; and the Children's Online Privacy Protection Act protects children under 13 from online collection of personal data.

In addition, the Federal Trade Commission has authority to prosecute companies that post misleading or deceptive information on their Web sites about how they collect and use consumers' data.

In the absence of a single comprehensive framework for how companies handle online data in the United States, a few non-governmental organizations offer privacy guidelines. Companies can implement those guidelines and even receive certifications from the organizations to attest that they are in compliance.

Those private, voluntary programs, administered by groups such as the Better Business Bureau Online, may help reassure U.S. consumers that their online personal data is secure. However, some experts question whether the programs effectively protect consumers' privacy rights.

"Companies like to think [those programs] prove that consumers' data is handled in a certain way," says Fredericks. In reality, privacy policies posted by U.S. companies online are vague and say as little as possible about how data is collected and used, she says.

In contrast, the European Union has a comprehensive privacy directive that applies to companies based in a member state or doing business there. In addition, each member state implements the directive in its own national law, may adopt stricter rules of its own, and appoints a data protection commissioner to oversee privacy matters.

The European rules on the privacy of consumers' online data have been on the books for several years, but only now, with the adoption of a bilateral online privacy agreement between the European Commission and the U.S. government, is Europe starting to enforce the rules against U.S. companies doing business there.

In October 1995, the 15 member states of the European Union adopted Directive 95/46/EC, the Directive on Data Protection. It covers personal data generally, not just data collected online, and it prohibits the transfer of consumers' personal data to countries outside the EC unless those countries provide what the EC deems "adequate" protection.

The directive rests on a set of general principles: personal data must be processed fairly and lawfully; collected for specified, explicit and legitimate purposes; adequate, relevant and not excessive in relation to those purposes; and kept in identifiable form no longer than necessary.

The directive then limits the legal grounds on which data may be processed at all: the data subject has given consent; the processing is necessary to perform a contract with the subject; it's required by a legal obligation; it's needed to protect the subject's vital interests; or it's necessary for a task carried out in the public interest.

A final ground permits processing that serves the company's legitimate business interests, but only where those interests aren't overridden by the consumer's privacy interests; in practice it's a balancing test between the two.

Though adopted in 1995, the directive didn't take effect until October 1998. Further, it hasn't had much bite for U.S. companies, and won't until next month, when the so-called "Safe Harbor" agreement between the U.S. Commerce Department and the European Commission takes full effect.

The Safe Harbor guidelines are intended to bridge the gap between the stricter European privacy rules and the more lenient regulations in the United States. The guidelines also offer U.S. companies a single set of rules under which they can operate with confidence in all 15 EC countries.

Joining is voluntary, but companies that stay out remain subject to enforcement by European regulators if an individual or group in any of the 15 countries files a complaint against them. Enforcement hasn't been tested yet. The Safe Harbor framework relies on the FTC's existing authority over deceptive practices, under which the agency can fine a company up to $12,000 a day for each violation.

Companies that join the Safe Harbor program publicly commit to its principles, and the FTC can prosecute them if it finds that a company is misusing personal data collected about European consumers, in breach of that commitment and of the EC regulations.

For now, because the Safe Harbor rules are so new, most U.S. companies are holding off on signing up until it's clear what the risks of not joining are, says Unisys' Fredericks. In most cases, companies are waiting because of the effort and expense of conforming to the guidelines. As of mid-June, only about 100 U.S. companies had signed up to participate in the Safe Harbor program, according to the FTC.

Companies are aware of the issue and they take it very seriously, Fredericks says, but it's not likely that most companies will sign up for the Safe Harbor program until they see something bad happen to another company.

Privacy Rules

By voluntarily certifying compliance with the Safe Harbor principles, U.S. companies can receive personal data from all 15 European Union countries without violating the directive's restriction on transfers to countries that lack adequate protection

--Companies must tell consumers how and why personal data is collected and who it's shared with

--Consumers must be able to opt out of having their data shared with third parties or used for a purpose other than the one it was collected for

--Companies must provide notice and choice before data is given to third parties

--Consumers must have access to data about them and have the ability to correct mistakes

--Companies must take reasonable measures to protect data

--Personal data must be relevant to its intended purpose

--Procedures must be in place to settle complaints and resolve disputes


That uncertainty is bound to be around for a while, because many of the issues surrounding online privacy are still evolving, says T.J. Kilgore, director of E-business in North America for Logica plc, a London systems integrator that advises companies in Europe and the United States.

In the meantime, companies must balance their own business requirements in collecting customer data online with the effort and cost of protecting that data or, perhaps, against the risk of bad publicity and legal liability that could ensue from improper disclosure of the data, Kilgore says. To be fully safe, "our default is to adopt the most stringent privacy policy required and build toward that," Kilgore says.

For now, without examining the complexities of U.S. and European law, many companies simply trust that their own privacy policies are sufficient. "We don't have or anticipate any problems, [because] for us it's very simple. We don't share any data with third parties," says James Hong, CEO of Eight Days Inc., the Mountain View, Calif., operator of the popular "Am I Hot or Not" Web site. The site, which does a small percentage of its business in Europe, lets users post photos of themselves and lets visitors rank them for attractiveness.

About 1.7 million photos from people around the world have been posted on the site; about 8,000 pictures are up at any one time, Hong says. In addition to the free portions of the site that involve the posting and rating of photos, the site now has an area for paid, personal online ads.

Eight Days discloses its privacy practices in its terms of service and doesn't have a link displayed on the site specifically for consumers to look up the policy. To minimize privacy concerns, the company collects only the data relevant to its service, Hong says.

Eight Days also purposefully outsourced the payment process for its online personal ads to PayPal Inc. to avoid the responsibility of having to encrypt and otherwise protect the confidentiality of payment data, Hong says. That narrows what the company must secure itself to the profile data, photos and ad content it still stores.

"We're fairly confident that we're so conservative with how we treat data that it keeps us from violating those types of [government] privacy policies. We take normal precautions with our site, and the database as well," Hong says. Besides, he adds, "researching privacy policies in every country is a very expensive task."

Expensive or not, American companies that do business beyond U.S. borders must be sure that they're in compliance with the numerous regulations overseas. If not, the price could be prosecution.
