Passing the Safe Harbor By

U.S. companies ignoring EU privacy shortcut

Dun & Bradstreet Corp. wasted no time in November when U.S. companies were given an easier way to comply with Europes tough privacy laws.

The company signed up right away to comply with the so-called Safe Harbor deal, negotiated by European Union and U.S. officials, which gives companies like D&B the chance to meet all EU privacy regulations at once by satisfying seven conditions, rather than dealing individually with each of the European countries from which they may export customer information (see chart).

But what was a no-brainer for D&B has turned into a brain teaser for most U.S. e-businesses operating in Europe. Only 48 U.S. companies had signed up for the Safe Harbor deal as of the end of last month despite the approach of an unofficial July 1 deadline when data protection officials in the EU countries may begin enforcing Europes data protection directive. The directive, among other things, bans the export of personally identifiable data from the EU to any country without adequate privacy protections. Fifteen more companies have Safe Harbor filings under review, according to the U.S. Department of Commerce, which is administering the program.

Are U.S. companies playing a dangerous game by waiting until the last minute to file for Safe Harbor status? Not necessarily, experts say. Even though European officials can begin enforcing provisions of the EU privacy directive as early as next month by cutting off the flow of private data, the odds of that happening on a widespread basis are slim, experts say.

Meanwhile, committing to the Safe Harbor provisions now could cost U.S. companies time and money and open them to investigations by U.S. government agencies. Therefore, experts say, the best course for many e-businesses is to delay declaring Safe Harbor status while preparing to comply quickly.

Despite a high-profile announcement last month by Microsoft Corp. that it plans to sign up, corporations largely remain skeptical of the Safe Harbor. Thats because it requires them to make public commitments to protecting customer privacy. And, although Safe Harbor is mainly a self-regulatory process, it exposes companies that sign up to possible enforcement by the Federal Trade Commission. Theres also uncertainty about how the EU will enforce its privacy directive and how much protection Safe Harbor will provide, said Jonathan Winer, an attorney with Alston & Bird LLP, in Washington.

"Companies are waiting to the last minute ... because theres substantial risks in moving ahead," Winer said.

For example, Winer said, U.S. companies will not be protected under Safe Harbor if, besides bringing information about European customers into the United States, they also use it in operations in other parts of the world.

The implications of Safe Harbor are particularly unclear for certain industries. Consider the financial services industry, which isnt covered by the Safe Harbor agreement because such U.S. laws as the 1999 Gramm-Leach-Bliley Act and the 1970 Fair Credit Reporting Act already govern data privacy in that industry. But the European Commission, which implements EU policies, has insisted that those laws arent enough and that U.S. financial services companies will have to enter into separate contractual agreements with EU countries guaranteeing privacy protections. The Bush administration disputed that in March, and the two sides remain at a stalemate.

Online travel site Expedia Inc. remains one of the companies waiting to decide whether to join Safe Harbor. Although Expedia prides itself on protecting personal information, it must also consider the financial and administrative burden of joining a regulatory process such as Safe Harbor, said Mark Britton, senior vice president and general counsel for Expedia, in Bellevue, Wash.

Even companies that have announced support for Safe Harbor are making sure they can live up to their promises. Although D&B, for instance, is complying with Safe Harbor for consumer data, the company is still waiting to include human resources data as part of its Safe Harbor terms.

One reason D&B was able to join Safe Harbor so quickly on the consumer side is that as a provider of information about businesses, it doesnt transmit much personally identifiable data beyond information on business owners or officers, said Jean Cantrell, executive director of government affairs, in Washington. In addition, with operations in 200 countries, D&B had already adhered to tougher privacy standards and did not have to make major changes to comply with Safe Harbor, she said.

The sort of caution demonstrated by D&B is wise, experts say. Until U.S. e-businesses know exactly how and when EU officials will enforce new privacy regulations and how and where Safe Harbor will apply, the smart move for many companies is to gather information. Specifically, they should figure out what information they are collecting and transmitting from Europe and whether they need to change their data privacy procedures and processes to meet Safe Harbor requirements, said Ruth Nelson, director of the privacy practice at PricewaterhouseCoopers, in New York.

"The worst thing a company could do is sign up for it and then be breaching it on a daily basis," Nelson said.