Privacy Laws & Communication
By Heather Turbeville, staff writer
With the advent of the Internet and the ability to send personal
information to many places in very little time, privacy has become
an important issue for businesses across the globe. How to retain
the free flow of information without violating an individual’s
right to privacy is a difficult balance to strike and one that different
countries approach in various ways.
In the IIMA March 2003 Newsletter, Annelise Larson of eMage eMarketing
states that “People are fed up with advertising and media
messages” because of the number of images and messages that
confront them on a daily basis. While such media comes in the form
of radio, TV and billboards, a large portion of it comes through
e-mail and the Internet. According to Larson, such messages become
alarming when they are tied to personal information, so much so
that it can prevent people from buying. It is this phenomenon that
contributed to the passage of various privacy laws, all of which
a communicator has to navigate when conducting online or offline
marketing campaigns.
Privacy Laws Across the World
Most European countries, particularly those in the European Union,
have taken a hard line when it comes to privacy. As David Sheer
discussed in “Europe’s New High-Tech Role: Playing Privacy
Cop to the World,” in the 10 October 2003 issue of the Wall
Street Journal, according to the European Data Protection Directive,
a company must obtain a customer’s permission before collecting
their personal information, trading or selling it, or even using
it for his or her own marketing purposes. In addition to the above
safeguards, data may not be transmitted to countries whose privacy
practices have been deemed inadequate.
One such country with privacy protections deemed inadequate by
the EU is the United States. As Patrick Thibodeau reported in his
12 March 2001 Computerworld article “Europe's Privacy
Laws May Become Global Standard,” this created an uproar among
the American business community, and even in Congress. The result
was the Safe Harbor Act, which allows the transfer of personal information
to countries with less strict privacy laws as long as those companies
agree to use the same safeguards as the country where the information
originated. While this act has made it easier to conduct international
business, it highlights the differences between the European and
American approach to privacy.
In her presentation“International Privacy Laws,” Ashley
Michele Green explains that a majority of European countries have
enforced comprehensive laws governing privacy, whereas the U.S.
has enacted sectoral laws. For instance, there are strict U.S. laws
governing the use of medical and financial data, but not other personal
data. European countries have created independent government agencies
to enforce privacy laws, while the U.S. largely depends on existing
agencies and, in many cases, self-monitoring by most industries.
According to Sheer in his WSJ article, the modus operandi
in the U.S. is basically, as long as companies don’t hurt
their customers, their practices are legal. Some companies state
on their web sites that they will not give a customer’s personal
information to other companies, but this is not a requirement. Likewise,
some companies allow customers to opt out of receiving marketing
materials and sales calls, while others don’t.
What about the rest of the world? Several countries, such as Canada,
Australia and New Zealand, have followed Europe’s lead and
enacted tough privacy laws. In 1999, Canada passed the Personal
Information Protection and Electronic Documents Act, which went
into effect in two parts. Industries regulated by the government,
such as airlines, etc., had to begin compliance in 2001. All other
businesses have to be in compliance starting this year. The law
established the post of privacy commissioner to enforce privacy
laws. As reported in the 17 August 2001 Computerworld article,
“Canada's privacy law changing some privacy policies,”
by Brian Sullivan, Canada's privacy commissioner has the power to
bring cases to the federal court to force compliance.
There is a wide variety of privacy laws in Asia, owing to the difference
in individual countries’ economies and cultures. Generally,
Asian countries that do a lot of business with the EU are more likely
to have extensive privacy laws than those that do not. For example,
Hong Kong has adopted laws based on the European Data Protection
Directive, while countries such as India and Japan depend on sectoral
laws like those in the U.S.
Case Studies
How, specifically, do these laws affect communication? General Motors
and Air Canada offer two examples.
In 2002, GM set out to update its electronic company phonebook
to allow for easier communication between its various offices across
the world. Sounds harmless enough, but according to the EU’s
privacy laws, employee office phone numbers are personal information.
David Sheer detailed GM’s saga in “Europe’s New
High-Tech Role: Playing Privacy Cop to the World.”
In order to move such information from Europe to other countries,
GM had to adopt Safe Harbor rules and map where the phone book might
be used and who might use it. European staff members were notified
that their phone numbers would be sent to headquarters and were
offered a third-party mediator if they objected (no one did). Two
hundred GM affiliates had to sign contracts agreeing not to misuse
the phone numbers by selling them to telemarketers, etc. The process
took approximately six months, but the company phonebook was updated
and is now in use.
In 2001, the year the Personal Information Protection and Electronic
Documents Act took effect in Canada, Air Canada sent 60,000 of its
six million Aeroplan members a brochure detailing five situations
in which their personal information might be shared. If the members
objected to any of the situations, they had to check the appropriate
box/boxes to opt out of that category, then mail the brochure back.
Air Canada stated in the brochure that it could take up to four
months to process these requests.
Presenting his case on the Canadian privacy commissioner web site,
the commissioner balked at Air Canada’s privacy brochure.
First, the members’ information would be used in the ways
described in the brochure until their opt-out requests were processed,
which according to Air Canada this process could take up to four
months. Second, the system Air Canada planned to use to process
the opt-out requests would not be functional until seven months
after the brochure’s publication. Third, only one percent
of Aeroplan members were notified about the collection and use of
their information. Finally, the commissioner determined that the
five categories of information collection and use were sufficiently
sensitive to warrant opt-in rather than opt-out participation.
Conclusions
Privacy remains a sensitive issue, especially in the relatively
new era of the Internet. As a result of different cultural and philosophical
notions regarding privacy, various countries have a range of different
laws and approaches to dealing with the issue. Although several
countries have worked to bring their laws in line with each other,
it will be a long time, if ever, before the gap between privacy
protections closes, and while that gap exists, communicators will
have to work harder to ensure that their practices don’t infringe
on anyone’s privacy rights. Some companies, such as GM and
IMS Health, Inc., have created privacy departments within their
companies to deal with such issues. For those communicators without
such resources, begin with Annelise Larson’s article in the
IIMA March 2003 Newsletter at http://www.iimaonline.org/newsletter/newsletter-march-03.html.
From there, you can use our resource list to jump into the EU’s
laws and beyond.
Useful Resources
Privacy Commissioner of Canada - http://www.privcom.gc.ca
Computerworld articles - http://www.computerworld.com/governmenttopics/government/policy/story/0,10801,58498,00.html
http://www.computerworld.com/news/2001/story/0,11280,63149,00.html
“International Privacy Laws” by Ashley Michele Green
- zoo.cs.yale.edu/classes/cs457/Ashley_Green.ppt
“Europe’s Privacy Laws Cause Rift with U.S.,”
from the Detroit Free Press - http://www.freep.com/tech/qdata30.htm
“US Firms Protest EU Privacy Laws,” from ZDNet - http://zdnet.com.com/2100-1106-961973.html
Worldwide data protection laws from the Privacy Knowledge Base
- http://www.privacyknowledgebase.com/document.jsp?docid=REFDP000
Caslon Analytics Privacy Guide - http://www.caslon.com.au/privacyguide.htm
“Momentum grows for federal online privacy laws,” from
Cnet News.com - http://news.com.com/2100-1023-246916.html?legacy=cnet
The OECD Principles, Extract from “Guidelines on the Protection
of Privacy and Transborder Flows of Personal Data” OECD, Paris,
1980 - http://www.anu.edu.au/people/Roger.Clarke/DV/OECDPs.html
Directive 95/46/EC of the European Parliament and of the Council
of 24 October 1995 on the protection of individuals with regard
to the processing of personal data and on the free movement of such
data - http://elj.warwick.ac.uk/jilt/dp/material/directiv.htm
U.S. privacy laws - http://www.sec.gov/rules/final/34-42974.htm
U.S. privacy-related links - http://www.sec.gov/rules/final/34-42974.htm
http://www.pueblo.gsa.gov/cic_text/money/priv-choices/t_privacy.html
http://aspe.hhs.gov/admnsimp/final/pvcfact2.htm
U.S. Federal Trade Commission Privacy Initiatives - http://www.ftc.gov/privacy/index.html
European Union Data Protection Guide - http://europa.eu.int/comm/internal_market/privacy/index_en.htm
To help navigate the myriad of privacy laws, read Annelise Larson’s
article in the IIMA March 2003 Newsletter in its entirety - http://www.iimaonline.org/newsletter/newsletter-march-03.html
Discuss this topic with other IABC members at: www.iabc.com/memberspeak.
|
