EU data privacy rules are shaping a change of attitude in American companies when dealing with information collected from their customers, but the US is still far from considering data protection as a basic human right.
Anyone who has bought a book online or opened an email account with Google (GOOG) has already experienced it: tailor-made advertising landing in their inbox, based on a personal profile created by the company.
The term "behavioural advertising" is a commonplace in marketing strategies, particularly in US-based companies such as Yahoo (YHOO), Amazon (AMZN) or Facebook. It is seen as a reliable revenue-making tool on the Internet.
But privacy issues arise especially when personal information is "aggregated" and passed on to other companies or when the government taps into the "data warehouses" held by private companies in order to track down criminals or terrorism suspects.
A fundamental difference between the EU and US approaches to data privacy is the question of ownership, law and privacy experts told a group of European journalists in New York last week.
In Europe, data protection is granted even after the consumer has passed on the data, while in the US, the company's understanding is that once it has the information, it can do whatever it wants with it.
"When we explain to a US company for the first time how data privacy laws work in Europe, they say 'you must be kidding?' It takes a few years to acclimate to that," said privacy lawyer Lisa J Sotto from Hunton & Williams, a New York-based law firm.
Ms Sotto argued that the cultural difference between the two continents stems from history. "Here [in the U.S.], privacy is not a fundamental human right, instead it's a consumer protection interest. In Europe...people could have been put to death because of their data; here they were marketed to to death," she said.
A self-certifying scheme dubbed "Safe Harbour," encompassing some 2,200 US companies, helps businesses comply with EU data protection law when doing business with European customers. Under the agreement, the Federal Trade Commission can put companies under increased scrutiny for up to 20 years and even impose fines if they violate the terms they subscribed to.
"There is a move in having companies Safe Harbour-certified in a way that is fundamentally different from five years ago. Companies are much more tuned to the fact that they need to comply with the set of [data privacy] principles in a very significant way. It's not a rubber stamp at all," Ms Sotto said.
Big companies have started to put in place "chief privacy officers" both in the US and in their European branches and in the upcoming years there will be even more of a push for "very formal data protection structures" within these businesses.
But critics point to the low enforcement levels of the data protection rules and the fact that in its 10 years of existence, Safe Harbour has seen only seven cases brought to court in the US – all were companies wrongly stating they were part of the scheme, not actual non-compliance cases. None were notified to EU data protection authorities.
"No US company is in compliance with the EU data protection directive. If this directive was applied thoroughly, US companies couldn't do business in the EU," Adam Levitin from Georgetown Law School said. He explained that the system of "self-certification" meant that American businesses were only paying lip service to requirements such as access to and correction of data, security and integrity of the information and no automatic use for other purposes than the one stated in the notice to consumers.