Analyst: Multinationals lack uniform privacy law
(IDG) -- Despite the creation of a "safe harbor" law to help protect U.S. companies from lawsuits over their treatment of personal information in other countries, no multinational corporation is yet in the clear in dealing with privacy laws, a former U.S. trade official said here Tuesday.
The increasing ability to transmit information about consumers and employees over the Internet has helped drive many countries to come to grips with the collection and use of personal data over the past several years. In the case of the U.S. and the European Union (EU), different approaches have led to vastly different laws -- both between the two trading superpowers and among the countries of Europe, said Barbara Wellbery, former counsellor to the undersecretary for electronic commerce at the U.S. Department of Commerce's International Trade Administration.
"The future of e-commerce is at stake" if countries continue to draw up conflicting data privacy laws, said Wellbery, now an attorney at Morrison & Foerster LLP, in Washington, D.C. She spoke at a meeting of the American Chamber of Commerce in Hong Kong Tuesday. Today, the amount of trade between the U.S. and Europe that requires the transfer of personal information is estimated at $125 billion per year, she said.
However, the headaches go beyond figuring out how much information an e-retailer can ask its customers and whether it can sell that data to other companies. A simple exchange of business cards is covered under the European Union's privacy directive implemented three years ago. Likewise, multinational companies that centralize their human-resources operations in the U.S. may have to grapple with what information can and can't be carried across borders and stored.
In general, Europe has taken a stricter approach to data privacy and looks to government to enforce its rules, while the U.S. has leaned toward self-regulation by industry, backed up by the Federal Trade Commission and other government agencies when necessary, Wellbery said.
The ability to store personal data on servers in one country and make it available across a border makes it even harder to keep up with privacy laws. Laws aren't clearly defined yet on legal jurisdiction in cyberspace, but are now being worked out under the Hague Convention on Private International Law.
The EU has only verified a few countries as having "adequate" laws on data privacy, so any company that does business in Europe generally has to have a special contract to cover exporting data from the EU to another country, including the U.S. Those contracts usually have to be negotiated country by country, which can take a month or two, she said.
U.S. companies that follow certain rules can now use a blanket "safe harbor" provision to get approval in the EU for making those data transfers. It's designed to provide a common denominator of privacy rules and should make things easier for U.S. companies, for instance by saying that enforcement will happen in the U.S. if a company violates the rules.
But the "safe harbor" rule was approved only last July and is due for review in June, Wellbery said. What's more, a "standstill" on the EU doing enforcement on its own, agreed last year, isn't legally binding but just a political agreement and could change, she said.
Meanwhile, a data privacy law expected in the next few weeks in Japan so far seems compatible with the "safe harbor" guidelines, but the details aren't established yet, Wellbery said.
Representatives of two international executive search firms who attended the meeting expressed concern about the web of different privacy laws.
"It just slows everything down" when the company has to figure out what it can legally ask a job-seeker or tell a potential employer, said Kyung Yoon, area managing partner for North Asia at Heidrick & Struggles, who is based in Hong Kong. Yoon is concerned about possible lawsuits by individuals who believe their privacy rights were violated.
In the international recruiting business, a given deal may involve three countries -- a Norwegian company recruiting an executive based in Hong Kong, through an office in Germany, for example.
"We're not legal experts, and we have to deal with this all the time," said Bernadette Johnstone, managing consultant at Futurestep, in Hong Kong.
FTC workshop looks at key data privacy issues
RELATED IDG.net STORIES:
U.S. privacy rules concerns are baseless
Study: Gadget sales flat
Protest slams Dell's use of prison labor
Steve Jobs keeps Apple in the limelight
N. Y. plans to heal skyline
Stocks rise on Case departure
Lieberman's presidential announcement today
New arrests may be linked to UK ricin scare
Jordan says farewell for the third time
Shaq could miss playoff game for child's birth
Ex-USOC official says athletes bent drug rules
|Back to the top|