HostingCon: International Privacy Issues

by David Snead

This morning’s keynote covered an issue that every host needs to know about. Unfortunately, the 8:15 am timeslot seemed a bit early after a night of parties, so the crowd was sparse. That’s a pity, because understanding how to handle personal data from the EU is key to successfully marketing to Europeans. Simply put, if you don’t comply with EU Directive 95/46 (the EU Privacy Directive), Europeans *can’t* send data to you. It doesn’t matter that your servers are in the U.S., or even that you have the world’s best-written privacy policy.

In general, the EU Privacy Directive was drafted to ensure fairness and transparency when processing data that identifies an individual European. The EU Privacy Directive covers: information about an individual (for example gender, religion, etc.); access and rectification (the Directive requires that the holder of the data give the individual the ability to access it and make changes to it, an important point, since in the U.S. we generally believe that the entity possessing the data owns it); objection to further processing and transfer; the ability to complain to an entity other than the holder or processor of the data; and judicial redress.

As a U.S. company, the *only* way to receive information about EU citizens is to comply with the Department of Commerce’s Safe Harbor standards. All hosts are subject to the jurisdiction of the FTC, so they are eligible for the Safe Harbor program. When you join the Safe Harbor program, you must meet the Safe Harbor standards:

- Notice
- Choice
- Onward Transfer
- Security
- Data Integrity
- Access
- Enforcement

In order to join, you must comply with the standards and make a “public declaration” that you are in compliance. In reality, it’s a bit more difficult. The process generally takes about 6 months to revise your privacy practices and privacy policy, design compliance policies, and get approval from the Department of Commerce. Also, something that wasn’t mentioned in the presentation is that you need to choose a company to which EU nationals can complain about your handling of their data. A number of U.S. companies offer this service, Etrust being one.

It’s important to note that by signing up for the Safe Harbor program, you take on additional legal obligations. Not only can the FTC take action based on your failure to meet your obligations under the Safe Harbor program, you can also be subject to civil suits based on those failures. Remember, your privacy policy is a contract.

More information about the Safe Harbor program is here
