Second in a two-part series
With less than two weeks before the European Union's data protection directive becomes law in all 15 member states, international direct marketers are eyeing it like a Y2K problem.
That is, no one knows what will happen on Oct. 24, but everyone's pretty sure it is important and its effects, if any, won't be pleasant.
In other privacy news, the Online Privacy Alliance, a coalition of more than 60 companies and trade associations, last week called on companies attending the Fall Internet World conference in New York to post privacy policies on their Web sites.
Eight Internet companies also announced an online privacy awareness campaign to demonstrate that the industry can regulate itself. The companies — which include America Online, Microsoft and Netscape — have agreed to donate space beginning this month for the campaign on their Web sites for public service banner ads to promote privacy awareness.
“This education effort by the portal companies should help consumers better understand how to protect their privacy and should encourage businesses to take steps to foster an online environment that respects privacy,” said Christine Varney, a former Federal Trade Commissioner and adviser to the Online Privacy Alliance.
Under the EU directive, personal information about individuals in Europe can't be sent to countries that don't provide “adequate” privacy protection.
“Thus far, European officials in charge have described what they deem as 'adequate' to look very much like only countries that have data protection-directive-type legislation with a central authoritative body and law that creates privacy rights,” said Charles Prescott, vice president of international business development and government affairs at the DMA. “It is politically impossible for us to have that in the United States.”
Direct marketers who export data from Europe, however, can take comfort in the likelihood that the EU directive won't cut the flow of data off like a spigot. Half of the EU countries probably won't meet the directive until sometime in 1999, according to the Federation of European Direct Marketing. Four have adopted legislation that follows the EU directive — Sweden, Greece, Italy and the United Kingdom. Portugal, Denmark and Spain may meet the date. There has been no clear proposal from France, and the recent change in Germany's government could send its efforts back to square one.
Also, there is an exception in the directive for companies that have current customer relationships, Prescott said.
“If you need the name and the address and bank account details and whatever else in order to fulfill contractual commitment to that customer, you can continue to do that,” he said. “The guillotine doesn't come down on that.”
But threats loom.
“What I suspect will happen is that data commissioners who are more active than the others will pick out some nice little cases where they can make a big fuss,” said Allistair Tempest, director general of public affairs and self regulation at FEDMA. “These will almost certainly be multi-nationals.”
Case in point: The Italian data protection commissioner has said that he had identified one “bad-actor” American company and that he will issue a blocking order preventing it from sending data out of Italy, Prescott said. Also, British privacy advocate Simon Davies has issued press statements saying he will file complaints on Oct. 25 against American Express and EDS to force the UK's data protection commissioner to block the firms' use of Europeans' personal data.
To illustrate how sweeping the directive is, Tempest noted that if a U.S. firm sends an employee to work in an EU member state, personnel records maintained in that country fall under the directive.
Also, FEDMA is working on a European code of conduct to interpret the directive in an understandable way for marketers. Prescott said he thinks U.S. firms can formulate contracts that will provide the kind of protection Europe is looking for. American companies shouldn't be afraid to approach European data commissioners in the countries from which they're importing data, he said.
“When you go to them with a question, their first thought is not, 'How can I sniff out the crime here,' their first thought is, 'How can I help this person understand good privacy practices' and 'Is there a way that I can help them comply with the law,' ” Prescott said.
