Privacy Tectonics: The Shifting Responsibilities in U.S.-European Data Protection

by Andy Oram
November 24, 2000

The hot Web topic of our day is how online businesses are rushing across national borders and developing a global presence. Yet the legal requirements most directly affecting this rush are apparently being ignored by U.S. businesses.

As many Internet users know, Western European countries have strict laws protecting privacy. Over four months ago the U.S. reached an agreement (called a “safe harbor”) with the European Union that would let U.S. businesses collect data from people living in those countries.

When I read the safe harbor agreement, I figured major U.S. companies would be eager to go through the paperwork and get the whole issue done with. After all, the burden placed on them was minimal, but the legal penalties for ignoring it could be significant.

So I started contacting Web sites (not in any scientific or rigorous manner, admittedly) to find out what they were doing about the safe harbor. Most did not respond to my inquiries, and Webmasters who did respond knew nothing about the requirements. Furthermore, my spot checks of a list at the Department of Commerce failed to show any businesses who have signed up. Hello-o-o! Doesn’t anybody care about the years of negotiations that went on at high levels of government to enable trans-Atlantic commerce? Not to mention the European privacy laws themselves?

At rock bottom, the safe harbor determines only how a site’s policy is enforced. It says nothing about whether that policy protects privacy—nothing, nowhere, nohow. In this round, American Nohow won out over European principle. Even so, U.S. companies are slow to comply with the agreement.

Despite its threat of lawsuits and indictments, the safe harbor agreement provides only fragile protection for European users’ privacy. Governments feared the earthquakes that could result from jurisdictional wrangles and international trade wars, so they spread enforcement of privacy laws over multiple organizations. That’s why European privacy is subject to the plate tectonics of shifting responsibilities.

Unless European governments become aggressive about enforcement (as they were originally aggressive about pressing their laws on the U.S.), it may be individual users who are responsible for navigating the various organizations that have responsibility for their privacy. If you are a European resident who feels your personal data was misused, your grievance will have to cross more fault lines than California Route 101.

In this article I will describe a way to make the safe harbor work—first from the point of view of a Webmaster running a U.S. site, and then from the point of view of an average Internet user in a European country, who may end up responsible for enforcing the safe harbor on his or her own behalf.

The Safe Harbor for Webmasters

If you run a site in the United States and plan on collecting any data from anyone living in a member country of the European Union, you have to conform to the safe harbor. It lets you set pretty much any policy you want, but you have to document that policy and make sure you actually enforce it.

Although I wish this overview could give you everything you needed to protect yourself and your users, it would be safest for you to read the actual safe harbor agreement, along with a FAQ that lists guidelines that (despite a rather loose writing style) bind U.S. companies.

Step 1: Write a conforming policy

If you know anything about the massive and detailed data directive adopted by the European Union, you might expect the safe harbor agreement to impose a lot of restrictions on your behavior. But your requirements are actually quite modest compared to those made upon European companies. Your “privacy policy” could be to shout the user’s personal information through a megaphone on the Washington Mall—just post that on your site.

Still, there are generally accepted principles in the privacy community that have appeared in legal and policy statements over the years; the safe harbor agreement requires you to follow those principles.

Notice

Post a policy on your site saying what data you collect and how you use it.

Choice

Let the users choose whether you can distribute their personal data to a third party. You must also let them choose whether you can use data for another purpose (for instance, future marketing) besides the one for which you originally collected the data.

I urge readers to follow the call of privacy advocates (and European laws) by using “opt-in” choice. That means you would not send out or reuse data unless the user explicitly says OK. But the safe harbor agreement also allows “opt-out” choice, in which you get to use data in any way you like (so long as your policy states it) and users must check a box or do some other explicit action to stop you. Most U.S. sites choose “opt-out” because they can catch information from users who don’t take the trouble to check the box.

Onward Transfer

Make third parties agree to the same essential policy you follow before giving them data.

Security

Protect data from unauthorized changes or misuse.

Data integrity

Make sure the data you keep is accurate.

Access

Allow users to see the data you keep on them.

Enforcement

Put in place a means for users to complain and to be compensated if you fail to follow your policy. This leads naturally to step 2 below.

Step 2: (Optional) Sign up with an auditing program

You can be fairly sure that you are within the law if you sign up with one of the organizations formed to attain “self-regulation,” the mantra of U.S. businesses and the federal government. These organizations—TRUSTe, the Better Business Bureau’s BBBOnLine, and Secure Assure—set up guidelines for your policy and independently audit your performance.

My recommendation is to use Secure Assure, because it’s the only one of the three current auditors that offers strict protection for users’ privacy. Essentially, its principles make companies agree to an opt-in policy:

We will not make unsolicited promotional contact with a customer, unless the customer gives us explicit permission to do so.

We will not share a customer’s personally identifiable information with other parties, unless the customer gives us explicit permission.

TRUSTe and BBBOnLine don’t tell you how to use your data—both opt-in and opt-out are allowed—but if you feel a responsibility toward users you can choose opt-in. In either case, you can sign up with one of them and pass off some of the paperwork and enforcement that you’d otherwise have to do on your own to conform to the safe harbor. All three programs claim to check member sites by seeding information and doing other independent reviews. Gary Laden, Director of the BBBOnLine privacy program, says that BBBOnLine worked with the European Union for a long time to make sure using their service will satisfy the safe harbor. TRUSTe has filed its own certification with the Commerce Department, although that says nothing about the businesses affiliated with TRUSTe.

You can also go it alone. But you should then be prepared to prove that you can satisfy all the principles of the safe harbor yourself—security, integrity, enforcement, and so on.

Step 3: Certify yourself!

The invocation of “self-regulation” has morphed into “self-certification” in the government credo. Any U.S. organization that wants to collect data under the safe harbor must submit a form to a Web site provided by the U.S. Department of Commerce. A glance at this form will show that you have to do some research and put your policy in place before you can certify.

Step 4: Respond to inquiries and complaints

Now you’re protected from legal action by the safe harbor agreement—so long as you follow your own policies. If someone asks to see their data, you have to provide it expeditiously (although you can charge a reasonable fee). If somebody complains, you have to provide a procedure to address the complaint. Failure to follow the principles listed under Step 1 can leave you open to consequences. Probably, it will just result in losing your access to European users’ data—but it could also lead to lawsuits, an action by the Federal Trade Commission for deceptive practices (posting a privacy policy and then breaking it), and other serious consequences. If you don’t see how these things could come about—well, read the next section.

The Safe Harbor for Users

Now I’ll turn to people living in Europe who care about keeping personal data out of the hands of far-flung marketing firms, insurance companies, lawyers, and other potentially undesirable users.

Step 1: Check posted policies

If you care about privacy, before you offer data to any U.S. site you must look for a link (probably a tiny one near the bottom of a Web page) that reveals their privacy policy. If they display the Secure Assure seal, they offer you protection comparable to what you have at home under European law. But if they display a TRUSTe or BBBOnLine seal, you can’t just proceed in confidence. You have to read the site’s privacy notice in order to make sure they use your data in ways you approve. If they reserve the right to give your data to third parties or use it for unrelated purposes, they have to offer an opt-out button—and if you want the same protection you have in your home country, you should check it.

True zealots can go to the Department of Commerce list and check whether it includes the company they’re dealing with. If the company is not listed, it’s not supposed to collect data from you—and you can have them sued or prosecuted for doing so. If the Department of Commerce shows poor compliance for that company, you should stay away from it. But remember: self-certification by itself means nothing. Nobody checks whether the company has done the things it claims to have done.

Step 2: Complain to sites that violate policies, or to their auditing programs

Given the shifting responsibilities within the safe harbor, there are lots of ways companies can violate it (and your privacy):

All these things allow you to touch off a minor earthquake of your own. But nothing is going to shake up a company unless you take action. (An auditing firm or a government agency could take action on its own, but one has to realistically assume that they’ll wait for a complaint from an individual.) Start by following the procedures posted by the company or by the organization responsible for auditing them. If these do not prove satisfactory, you can get governments involved.

Step 3: Take complaints to your country’s privacy commissioner

Every member nation of the European Union, as part of passing a law that implements the data directive, must set up an independent government body that the directive calls a “supervisory authority” (in practice a data protection commissioner or registrar). Be careful with terminology: the directive uses the word “controller” for something else entirely—the company or organization that decides how personal data is processed, in other words the very site you are complaining about. Your supervisory authority is empowered to “suspend data flows” to a U.S. company that violates the safe harbor agreement. Furthermore, your government can contact relevant agencies in the U.S. government and ask them to take legal action against a U.S. company. The details of how you contact the supervisory authority and prove that your privacy was violated may vary from one country to another.

Step 4: Sue the bastards

Suppose you’ve submitted sensitive information about a gastro-intestinal condition to some U.S. site (and you checked their opt-out button so they weren’t supposed to pass the information on). You then start getting marketing literature from various firms for gastro-intestinal treatments, and when you complain to the original site they fob you off with the casual apology, “Oh, we got our customers’ records mixed up.”

Is it worthwhile suing the firm in a U.S. court? For you as an individual, probably not. But if dozens of individuals like you document such infractions, a lawsuit may become feasible. If the site is monitored by an auditing firm, you should be able to get them to take legal action. You (or your country’s supervisory authority) should also be able to pressure the Federal Trade Commission in the U.S. to take action against the site for deceptive practices—the FTC’s theory being that a company which posts a privacy policy and then violates it has deceived consumers. These can be serious charges, and can lead to significant penalties.

When the European Union agreed to the safe harbor, the Federal Trade Commission apparently convinced them in a letter that “the FTC has taken a leadership role” in developing “a comprehensive response to consumer privacy issues.” Privacy advocates in the U.S. might disagree, pointing out that the FTC has only gradually and partially let go of its commitment to “self-regulation” (now “self-certification”), and conducted reviews only after private organizations (notably the Electronic Privacy Information Center, EPIC) did so. Still, the FTC has repeatedly stated its commitment to prosecuting companies that post privacy policies and then violate them. You may be able to start a lava flow they can’t ignore.

The FTC is not just available to Europeans, of course. It is also committed to investigating privacy violations where U.S. residents are the victims. But if you’re a U.S. citizen, you can do better than go through the tortuous route outlined in this article. You can sit down and write your Congressional representatives and your President (or a cheap facsimile) to insist on legislation protecting the privacy of all Internet users, domestic and foreign. Bills offering privacy protection of various kinds were introduced in Congress in the past session, but none of them made it into law. Let’s show the Europeans next year that we’re not slouches.


Andy Oram is an editor at O’Reilly & Associates. This article represents his views only. It was originally published in the online magazine Web Review.