Skip to main content /TECH with /TECH

Analyst: Multinationals lack uniform privacy law


(IDG) -- Despite the creation of a "safe harbor" law to help protect U.S. companies from lawsuits over their treatment of personal information in other countries, no multinational corporation is yet in the clear in dealing with privacy laws, a former U.S. trade official said here Tuesday.

The increasing ability to transmit information about consumers and employees over the Internet has helped drive many countries to come to grips with the collection and use of personal data over the past several years. In the case of the U.S. and the European Union (EU), different approaches have led to vastly different laws -- both between the two trading superpowers and among the countries of Europe, said Barbara Wellbery, former counsellor to the undersecretary for electronic commerce at the U.S. Department of Commerce's International Trade Administration.

Related Stories
Visit an IDG site search

"The future of e-commerce is at stake" if countries continue to draw up conflicting data privacy laws, said Wellbery, now an attorney at Morrison & Foerster LLP, in Washington, D.C. She spoke at a meeting of the American Chamber of Commerce in Hong Kong Tuesday. Today, the amount of trade between the U.S. and Europe that requires the transfer of personal information is estimated at $125 billion per year, she said.

However, the headaches go beyond figuring out how much information an e-retailer can ask its customers and whether it can sell that data to other companies. A simple exchange of business cards is covered under the European Union's privacy directive implemented three years ago. Likewise, multinational companies that centralize their human-resources operations in the U.S. may have to grapple with what information can and can't be carried across borders and stored.

In general, Europe has taken a stricter approach to data privacy and looks to government to enforce its rules, while the U.S. has leaned toward self-regulation by industry, backed up by the Federal Trade Commission and other government agencies when necessary, Wellbery said.

The ability to store personal data on servers in one country and make it available across a border makes it even harder to keep up with privacy laws. Laws aren't clearly defined yet on legal jurisdiction in cyberspace, but are now being worked out under the Hague Convention on Private International Law.

The EU has only verified a few countries as having "adequate" laws on data privacy, so any company that does business in Europe generally has to have a special contract to cover exporting data from the EU to another country, including the U.S. Those contracts usually have to be negotiated country by country, which can take a month or two, she said.

U.S. companies that follow certain rules can now use a blanket "safe harbor" provision to get approval in the EU for making those data transfers. It's designed to provide a common denominator of privacy rules and should make things easier for U.S. companies, for instance by saying that enforcement will happen in the U.S. if a company violates the rules.

But the "safe harbor" rule was approved only last July and is due for review in June, Wellbery said. What's more, a "standstill" on the EU doing enforcement on its own, agreed last year, isn't legally binding but just a political agreement and could change, she said.

Meanwhile, a data privacy law expected in the next few weeks in Japan so far seems compatible with the "safe harbor" guidelines, but the details aren't established yet, Wellbery said.

Representatives of two international executive search firms who attended the meeting expressed concern about the web of different privacy laws.

"It just slows everything down" when the company has to figure out what it can legally ask a job-seeker or tell a potential employer, said Kyung Yoon, area managing partner for North Asia at Heidrick & Struggles, who is based in Hong Kong. Yoon is concerned about possible lawsuits by individuals who believe their privacy rights were violated.

In the international recruiting business, a given deal may involve three countries -- a Norwegian company recruiting an executive based in Hong Kong, through an office in Germany, for example.

"We're not legal experts, and we have to deal with this all the time," said Bernadette Johnstone, managing consultant at Futurestep, in Hong Kong.

FTC workshop looks at key data privacy issues
March 14, 2001
Expert: Web gadgets threaten your privacy
March 8, 2001
Top 5 encryption utilities
March 8, 2001
Monitoring e-mail: Management or thought police?
February 27, 2001
Analysis: Will wireless tech erode privacy?
February 21, 2001
If all is lost, can a sell your soul?
February 16, 2001
FTC to hold privacy workshop next month
February 8, 2001
U.S. beats Europe in online privacy protection, study finds
January 25, 2001

U.S. privacy rules concerns are baseless
Bush team opposes proposed Euro privacy rules
(The Industry Standard)
HP embraces U.S.-Europe 'safe harbor' privacy deal
U.S. to kick off series of safe harbor briefings
'Safe harbor' takes effect, but adoption may be slow
European official: 'Safe harbor' deal doesn't fully bridge data privacy divide
EU gives final OK to U.S. safe harbor privacy plan
Beware lawyers eyeing privacy

Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.


4:30pm ET, 4/16

Back to the top