European Union countries this week rejected the U.S. Commerce Department’s proposal for complying with the EU's new data privacy law, saying it had too many loopholes to offer adequate protection, but no firm decisions on the transfer of data is expected until the New Year.
The decision comes on the heels of the Direct Marketing Association’s urge to commerce officials to soften the codes slightly so that they cover firms complying with industry-based self-regulatory codes. The DMA gave cautious endorsement to the proposal saying that the rules do not reflect the network of privacy protections that currently exist in the U.S. marketplace.
The proposed International Safe Harbor Privacy Principles, issued on Nov. 4, was intended to help U.S. companies meet the European Union's Directive on Data Protection, which called for all 15 member nations to adopt common data privacy protection laws as of October 24.
The Commerce Department came up with its pan-industry code of conduct so that companies — who may not have what the European Union believes is adequate privacy protection guidelines — can have a simplified process to gain approval for the collection of European data. The mandate urged companies to abide by seven privacy protection principles, including telling consumers what information a company collected and how it would be used and providing access to independent entities to resolve disputes, with companies facing unspecified consequences for violating the guidelines.
According to Charles Prescott, vice president of international business development and government affairs at the DMA, a number of EU members specifically questioned enforcement and consumer information access guidelines. These issues have always been critical issues to Europeans, he said, and are “two of the hardest ones for American companies to come to grips with.”
Prescott said that he does not think that the Europeans have rejected, in principle, a set of safe harbor guidelines as a solution to sending data to the U.S., and are not threatening to cut off exports of data. He said the Department of Commerce will continue its efforts to reach consensus with American businesses and will then return to the European Commission with its next proposal.
The EU is planning to discuss the issue with U.S. Undersecretary of Commerce David Aaron in Washington on December 1, and a committee of EU national government representatives will meet on December 9. The EU said it will stand still until the end of this year, and will not cut off the data flow.
The DMA is also working on drafting a contract form with the International Chamber of Commerce that will let companies exporting data out of Europe show that they can protect the data through forms of contracts that cover the movement of the data from abroad, Prescott said.
“If these contracts are deemed acceptable by the European Commission, data can continue to flow,” he said. “Within three or four weeks we hope to submit a final draft of a contract that can be used in these circumstances. This actually continues the European protection of the data no matter where it goes, and I believe it is very well-suited to the direct marketing community.”
The DMA said that privacy protection must be judged in an historical and cultural context, since U.S. laws and protections are different from those in Europe–but no less effective in protecting individual citizens.
“Our systems allows information to be put to beneficial use, without comprising personal privacy,” said H. Robert Weitzen, president and CEO of the DMA. “Europeans generally favor a more centralized control of information and have a different perspective historically.”
Most direct marketers have not yet experienced any impact from the law, and it is still unclear when they will experience any repercussions at this point. To prepare DMers, the Center of Social and Legal Research, Hackensack, NY, Dec. 2 will launch its Web site PrivacyExchange to give global companies information and resources about privacy issues and data protection laws around the world.
The site contains over 250 voluntary privacy codes of companies and industry associations, a technology and Internet tutorial department to keep policymakers abreast on the latest privacy tools, a global dialogue section, and extensive materials on the European Union Directive On Data Privacy.
