According to the Data Protection Directive of the European Union (EU), which went into effect Oct. 25, nations belonging to the EU are forbidden to transmit data to countries, such as the U.S., that have not implemented the EU’s standards of privacy protection. And while the EU has not yet banned all stateside companies from sharing data with companies in EU nations, U.S. companies without “adequate” privacy policies may not be able to move, either physically or via the Internet, personal data on their customers, employees, or vendors to and from the EU.
“It’s still too early to tell what impact the directive will have on the catalog industry,” says Charlie Prescott, vice president of international business development and government affairs for the Direct Marketing Association. “The pessimists believe it will have a dramatic impact on useful database marketing for international markets. And companies that rent from overseas list brokers that don’t comply or don’t know about the directive may find themselves in trouble.”
The EU directive requires that the 15 member nations adopt common guidelines governing the collection and use, including transmission abroad, of data on European consumers. Companies must allow consumers to access their data, to know where it originated, to correct information, to withhold personal data from direct marketers, and to take recourse in the event of unlawful processing.
At issue is whether the U.S.’s self-regulation model complies with the EU’s directive and is “adequate” to protect European consumers’ privacy. While the U.S. and the EU agree on an elementary level of privacy protection, they disagree on what constitutes the right to privacy. Europeans have traditionally favored government intervention to protect privacy, while the U.S. endorses self-regulation.
In the meantime, the U.S. Commerce Department continues to work with EU officials on a compromise. As long as they continue to negotiate, according to the Commerce Department, the transmission of data will not be interrupted.
The U.S. isn’t the only nation not yet compliant with the directive. So far, only six EU members have implemented all of the necessary policies. All 15 nations are expected to be compliant by the end of 1999.
Becoming data-compliant in the EU Conduct an information audit of your data collection process in each country in which you operate so that you understand where your customer information comes from and what happens to the data.
Make sure that the data can be used for direct marketing purposes. Every name on the list should have had an opportunity to opt out. And always give customers notice about how their information will be used.
If a mail preference service or a telephone preference service exists in the country of data origin, make sure your rented lists are run against it.
If required by local law, register your European offices as data processors and/or controllers with the Data Protection Authority.
Get permission from the local Data Protection Authority to export any European lists.
Don’t rent European lists without a guarantee from your list broker that your possession and stated use of the lists will be legal under the list renter’s home country laws.
Check out your list broker with the local Data Protection Authority to be sure that he or she has the proper registration to export data to you.