Magazine article Security Management

If It's Personal, It's Protected: Companies That Do Business in the European Union Must Understand the Rules for Handling Personal Data. (International Security)

Magazine article Security Management

If It's Personal, It's Protected: Companies That Do Business in the European Union Must Understand the Rules for Handling Personal Data. (International Security)

Article excerpt

Thanks to the Internet, companies can now easily gather, analyze, and market customer data throughout Europe and the world. But businesses must tread carefully through a thicket of legal dos and don'ts that has grown up in the European Union (EU), lest they be hit with huge fines or worse. Microsoft, for example, was forced to pay a fine to Spanish data protection authorities two years ago for failing to obey EU data laws when sending details about its staff based in Spain to and from its U.S. headquarters in Seattle. Microsoft fell afoul of an EU law that forbids data transfers to any country beyond the EU that is considered to have "inferior data protection policies." Microsoft, along with a number of other American companies, has since signed on to the EU/U.S. safe harbor agreement, which grants U.S. businesses immunity from some of the tougher privacy laws found in Europe as long as they comply with its provisions.

The two key documents governing data-sharing business practices are the European Commission (EC) Directive on the processing and movement of personal data; and Article 8 of the European Convention on Human Rights (ECHR), which guarantees the protection and privacy of private and family life. These governing documents not only affect the way businesses process personal data belonging to clients, customers, employees, and business partners, but they also affect the way in which security surveillance is carried out.

The eight principles in the EU directive stipulate that data must be: fairly and lawfully processed; processed for limited purposes; adequate, relevant, and not excessive; accurate; not kept longer than necessary; processed in accordance with the data subjects fights; secure; and not transferred to countries without adequate protection.

Companies that comply with the EC directive on data protection will automatically fall in line with Article 8 of the ECHR, according to Jonathan Bamford, assistant commissioner, strategic policy group, at the U.K.'s Office of the Information Commissioner (OIC), which enforces data protection laws in Britain. Article 8 is just a statement about guaranteeing the protection and privacy of private and family life, rather than an absolute right of privacy at all costs," says Bamford. "What the EC directive does is bring Article 8 to life by incorporating its message.

Both documents have been in effect for a few years now, but the EU countries have taken years to pass laws that specify how these general directives will be implemented. Governments have also taken time to create their own privacy and data protection bodies to enforce these laws. Consequently, the way in which companies doing business in Europe process personal data has only recently become a pressing issue.

Businesses in Italy, for instance, now have to think carefully before processing personal data, according to Roger Warwick, owner of Pyramid International, a corporate investigation and security consultancy based in Bologna, Italy. Warwick, whose clients include Italian fashion designers Valentino and La Perla, Italian State Railways, and multinationals such as Kimberly-Clark and British American Tobacco, says that before the data protection laws were introduced, personal details such as date of birth were considered to be in the public domain. "But now," he says, "you have to declare why you are using anybody's name and address and get them to sign a document that gives you permission to do so."

Inconsistencies. Although data protection laws are supposed to be harmonized, inconsistencies have been created as various EU countries have set up their own regimes, says Giulia Cipressi, workshop manager for data protection at the European Committee for Standardization (CEN) in Brussels, Belgium. CEN is lobbying the EC to make greater efforts to standardize data protection laws throughout Europe, she says.

The current inconsistencies in European data laws prompted leading insurance group Prudential, which has offices throughout Europe, to consider implementing the most stringent approach to data protection for all countries. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.