strategy+business is published by PwC Strategy& LLC.
strategy and business / Spring 2004 / Issue 34 (originally published by Booz & Company)


Privacy in the Age of Transparency

Globalization is another noteworthy factor behind the increased attention being paid to privacy. To do business around the world, companies have had to adapt to local cultures and regulations. Privacy rules vary wildly throughout the globe, and navigating this thicket of laws is critical to international commerce. This is particularly important for American companies, because the U.S. has weak data-protection rules. As a result, a U.S. firm with toothless, but legal, privacy policies could be forbidden from, for instance, sending payroll files or customer purchasing records to an affiliate in a country where shipping data from one place to another is strictly regulated.

Privacy Handbook: Guidelines, Exposures, Policy Implementation, and International Issues, by IT experts Albert J. Marcella Jr. and Carol Stucki, provides an overview of global data protection regulations and laws, and a large number of resources for staying on the right side of them. The book’s country-by-country breakdown of privacy regulations is particularly well researched, covering small nations as well as large ones. Bulgaria’s constitution explicitly states that “the privacy of citizens shall be inviolable,” and in 1997 Bulgaria enacted a tough Personal Data Protection Act. This law requires that organizations collecting personal information must inform people why their data is being gathered and what it will be used for; allow people access to information about themselves and give them the right to correct it; ensure that the information is securely held and cannot be improperly used; and limit the use of personal information for purposes other than the original reason unless they have the consent of the person affected.

The effort that Bulgaria and other nations with similarly tough policies have put into enacting strong privacy policies places in stark relief how little the U.S. has done: The term privacy doesn’t appear in the Constitution, and no specific set of laws in the U.S. governs the level of data protection companies must provide. In fact, the lack of mandated privacy safeguards has gotten U.S. companies into hot water with the European Union.

In 2000, after months of negotiation with U.S. Department of Commerce officials, the United States devised a series of privacy policies that reward American firms that voluntarily agree to adhere to them. In exchange for following these rules, U.S. companies have the right to collect data from E.U. citizens, which can include anything from consumer credit information to personnel records of employees at subsidiary operations.

These so-called safe harbor rules, which are essentially a slightly watered-down version of the E.U.’s landmark 1995 Directive on Data Protection and are similar to the four principles in the Bulgaria example, are detailed in Privacy Handbook, Privacy Payoff, and at, a Department of Commerce site. Safe harbor companies are automatically granted permission to transfer data anywhere in Europe, streamlining communications between their U.S. headquarters and overseas affiliates and avoiding the cumbersome process of having to negotiate a potentially stricter privacy contract with each E.U. firm to which they want to send data. To date, nearly 500 U.S. companies have been certified by the Commerce Department as having adopted privacy policies consistent with E.U. requirements.

Few U.S. companies will be able to avoid Europe’s strict view of how data must be protected, say information strategy consultants Michael Erbschloe and John Vacca in Net Privacy: A Guide to Developing and Implementing an Ironclad E-Business Privacy Plan. Japan also recently passed its first omnibus privacy law, which Professor Westin at P&AB accurately describes as “a ‘middle way’ between the industry-sector-based privacy laws of the U.S. and the comprehensive data protection laws of the European Union.” P&AB offers the Guide to Consumer Privacy in Japan and the New Japanese Personal Information Protection Law to explain the data-protection climate in Japan and help companies navigate the legislation.

Privacy Resources:
Works mentioned in this review.

  1. Ann Cavoukian and Tyler J. Hamilton, The Privacy Payoff: How Successful Businesses Build Consumer Trust (McGraw-Hill, 2002), 288 pages, $24.95.
  2. Michael Erbschloe and John Vacca, Net Privacy: A Guide to Developing and Implementing an Ironclad E-Business Privacy Plan (McGraw-Hill, 2001), 318 pages, $24.95.
  3. Simson Garfinkel, Database Nation: The Death of Privacy in the 21st Century (O’Reilly & Associates, 2001), 336 pages, $16.95.
  4. Albert J. Marcella Jr. and Carol Stucki, Privacy Handbook: Guidelines, Exposures, Policy Implementation, and International Issues (John Wiley & Sons, 2003), 384 pages, $80.
  5. Don Tapscott and David Ticoll, The Naked Corporation: How the Age of Transparency Will Revolutionize Business (Free Press, 2003), 368 pages, $28.
  6. Guide to Consumer Privacy in Japan and the New Japanese Personal Information Protection Law, by Alan F. Westin and Vivian van Gelder (Privacy & American Business, 2003). For a free copy, e-mail Irene Oujo at [email protected]
  7. Privacy & American Business newsletter.
  8. Privacy Diagnostic Tool Workbook.
  9. U.S. Department of Commerce Safe Harbor site.