Protecting Personal Privacy in the Global Business Environment
Stephens, David O., Information Management
In the electronic world, protecting personally identifiable information is a critical challenge for all companies and governments.
Editor's Note: The following is an excerpt from David O. Stephens' Records Management: Making the Transition from Paper to Electronic, published earlier this year by ARMA International.
Because records of individual customers or potential customers often have high market value, personally identifiable information has been described as the world's new currency. With the global reach of the Internet, which makes sending personal data from one continent to another nearly instantaneous, privacy is an issue of high international concern. Via the Internet, a company located in one country with one set of privacy rules can send personal data about an individual, or a database containing millions of individual records, to another country with a different set of privacy rules.
This situation is particularly worrisome because of the globalization of business operations. When companies export their business operations abroad, they may also send sensitive customer data overseas. Once sent abroad, the company may be at liberty to market or otherwise disseminate the personal data with impunity. In countries where no laws to protect personal data exist, sensitive data relating to individuals can be sold to other parties without their consent, or it may be exposed to the risks of identity theft.
The European Union (EU) has adopted strict rules, with mechanisms for global enforcement, to mitigate these risks. Europe has the world's most stringent set of rules governing how companies and governments must manage personal data such as age, marital status, buying patterns, and similar information. In Europe, privacy is generally viewed as a basic human right, enforceable by stringent legal protections, and the Europeans have become global leaders in setting the standards for privacy and attempting to promote them throughout the world.
In the United States (with the singular exception of California), such protections are considerably less stringent, as business interests have generally opposed any legislation or regulations that restrict their ability to collect and use or even sell or exchange personal information at their discretion, without government interference.
The EU's privacy laws require retailers to obtain permission to collect data, trade it to partners, sell it, or even use it for their own marketing - all common practices in the United States. European companies are required to grant individuals open access to records and data about them and correct any inaccuracies. The EU restricts how much information companies can collect on customers and employees and how long they are permitted to retain it. Video surveillance tapes, for example, must be erased after a short period of retention.
With its high global standard of tight restrictions on personal data, the EU has been quite successful in influencing the adoption of privacy laws throughout the world. EU-inspired privacy laws are now the norm in Canada, Australia, New Zealand, and parts of Asia and Latin America. The EU influence is also being felt in the United States.
The EU's Data Protection Directive
In 1998, the EU issued its Directive on Data Protection (95/46/EC). The directive was devised because some EU member states did not have privacy protection for individual citizens, while other countries had incompatible laws. To address this problem, the EU's parliament issued its directive on data protection, which was intended to harmonize European privacy laws and afford a continent-wide standard of protection for all European citizens.
The directive's most significant feature is that "data subjects" - persons from or about whom data is collected must unambiguously grant their consent before such data is collected, after having been informed about the purpose^) for which the data will be used. …