Globalization is another noteworthy factor behind the increased attention being paid to privacy. To do business around the world, companies have had to adapt to local cultures and regulations. Privacy rules vary wildly throughout the globe, and navigating this thicket of laws is critical to international commerce. This is particularly important for American companies, because the U.S. has weak data-protection rules. As a result, a U.S. firm with toothless, but legal, privacy policies could be forbidden from, for instance, sending payroll files or customer purchasing records to an affiliate in a country where shipping data from one place to another is strictly regulated.
Privacy Handbook: Guidelines, Exposures, Policy Implementation, and International Issues, by IT experts Albert J. Marcella Jr. and Carol Stucki, provides an overview of global data protection regulations and laws, and a large number of resources for staying on the right side of them. The book’s country-by-country breakdown of privacy regulations is particularly well researched, covering small nations as well as large ones. Bulgaria’s constitution explicitly states that “the privacy of citizens shall be inviolable,” and in 1997 Bulgaria enacted a tough Personal Data Protection Act. This law requires that organizations collecting personal information must inform people why their data is being gathered and what it will be used for; allow people access to information about themselves and give them the right to correct it; ensure that the information is securely held and cannot be improperly used; and limit the use of personal information for purposes other than the original reason unless they have the consent of the person affected.
The effort that Bulgaria and other nations with similarly tough policies have put into enacting strong privacy policies places in stark relief how little the U.S. has done: The term privacy doesn’t appear in the Constitution, and no specific set of laws in the U.S. governs the level of data protection companies must provide. In fact, the lack of mandated privacy safeguards has gotten U.S. companies into hot water with the European Union.
In 2000, after months of negotiation with U.S. Department of Commerce officials, the United States devised a series of privacy policies that reward American firms that voluntarily agree to adhere to them. In exchange for following these rules, U.S. companies have the right to collect data from E.U. citizens, which can include anything from consumer credit information to personnel records of employees at subsidiary operations.
These so-called safe harbor rules, which are essentially a slightly watered-down version of the E.U.’s landmark 1995 Directive on Data Protection and are similar to the four principles in the Bulgaria example, are detailed in Privacy Handbook, Privacy Payoff, and at www.export.gov/safeharbor, a Department of Commerce site. Safe harbor companies are automatically granted permission to transfer data anywhere in Europe, streamlining communications between their U.S. headquarters and overseas affiliates and avoiding the cumbersome process of having to negotiate a potentially stricter privacy contract with each E.U. firm to which they want to send data. To date, nearly 500 U.S. companies have been certified by the Commerce Department as having adopted privacy policies consistent with E.U. requirements.
Few U.S. companies will be able to avoid Europe’s strict view of how data must be protected, say information strategy consultants Michael Erbschloe and John Vacca in Net Privacy: A Guide to Developing and Implementing an Ironclad E-Business Privacy Plan. Japan also recently passed its first omnibus privacy law, which Professor Westin at P&AB accurately describes as “a ‘middle way’ between the industry-sector-based privacy laws of the U.S. and the comprehensive data protection laws of the European Union.” P&AB offers the Guide to Consumer Privacy in Japan and the New Japanese Personal Information Protection Law to explain the data-protection climate in Japan and help companies navigate the legislation.