Privacy Rules Cross The Pond

By TED KEMP

Strict European Union rules governing the way businesses handle online consumer data are finally getting the attention of U.S. companies, just as a crackdown appears imminent.

This month marks the end of a de facto amnesty period that has kept EU nations from suing U.S. companies for misusing Europeans' personal consumer data. At risk are companies that haven't signed on to the "safe harbor" framework designed jointly by the U.S. Department of Commerce and the European Commission, the EU's executive body.

Most significantly for IT managers, the safe harbor rules dictate that businesses must let individuals access, and even edit, their own personal data. At the same time, businesses must safeguard that data against unauthorized access.

The safe harbor also requires businesses to tell consumers how they will use personal data and let them opt out of data sharing. Businesses are forbidden from transferring data to third parties that don't meet the same privacy requirements.

Only 71 U.S. companies have signed the safe harbor agreement. They include Microsoft, Intel, Hewlett-Packard, Procter & Gamble and Dun & Bradstreet.

Complying with the standards is no small feat. Companies that store consumer data across disparate legacy systems in multiple locations must conduct expensive internal audits to verify compliance. They must implement applications that can validate the identity of people accessing their data. Companies must either link separate databases or make those databases separately accessible so consumers can see all of their personal data.

Experts point out that there's often a conflict between offering access to information and keeping it secure.

"If I make it easier for individuals to access their information, by definition I make it easier for other [individuals] to access it," said Rick Lane, director of e-commerce and Internet technology at the U.S. Chamber of Commerce.

Microsoft, which signed the safe harbor pact on June 29, operates a myriad of information management systems behind its various properties, such as MSN.com and Microsoft.com. It also stores personal data on numerous smaller databases that manage information for both product and event registrations.

The company typically uses a password and user ID authentication mechanism to verify consumer identities. Consumer-accessible Web properties then make encrypted queries to other Microsoft databases that might hold information about an individual. If more data turns up on another application, Microsoft forwards the user to that application's server to provide access to the information.

The alternative--actually moving the data from a remote application to the one being used by the consumer--would pose grave security risks, said Richard Purcell, Microsoft's chief privacy officer.

"You don't move data around trivially," he said. "That's a dangerous process."

Intel, which signed the safe harbor agreement on June 22, makes personal data accessible per application. A consumer can't see all the personal information in one place; he must log on separately to, say, the product registration app or the newsletter registration app and piece together what Intel knows about the consumer.

Intel uses varying levels of authentication, depending on the sensitivity of the data within a given database. For example, a database containing credit-card data might require the consumer to provide multiple layers of validation--name, password, e-mail address or postal address--before allowing access. And even then, Intel's internal site-development guidelines would dictate that only the last four credit-card digits be made visible.

The sheer volume of personal data Intel holds makes centralizing all of the information impractical, said Jeff Nicol, manager of Intel's corporate privacy programs.

"We don't have a big database in the sky that cross-tabs all the 'Bob Smiths,'" Nicol said.

Microsoft and Intel assert that their existing privacy policies were strict enough that adhering to the EU safe harbor meant only minor tweaking to their business practices.

For its part, Microsoft conducted its largest-ever internal systems review, Purcell said. Microsoft paid $500,000 to two undisclosed accounting firms to manage the audits.

In a recent Zona Research survey, about a quarter of respondents said they plan to spend $50,000 or less on privacy upgrades, while 30 percent plan to spend more than $1 million this year and next.

Crackdown Likely

"I don't think there's any reason to think that people are going to suddenly get beaten about with big sticks," said European Commission first secretary Matthew King. But he does expect EU countries to review how companies that aren't on the safe harbor list handle European consumer data.

There is precedent for such legal action. In 1999 Microsoft paid $60,000 to settle charges brought by Spain that Microsoft didn't "clearly and conspicuously" disclose to Spanish consumers what happens to personal data when they register for Windows.

Copyright © 2010 CMP Media LLC