Foreign Privacy Law Shields U.S. Consumer

A new European privacy regulation will force some U.S. companies to overhaul their management and use of expensively collected consumer data, according to industry consultants and privacy proponents.

The impact of the new regulation could be huge for companies with consumers and employees in Europe and the United States, said Melanie Janin, a manager at the New York-based U.S. Council for International Business, which lobbied against the new regulations. "This is a new issue for any company with an internal database," she said.

The regulation, titled the Directive on Protection of Personal Data, requires companies to show individual consumers any company-held data about them, where the data was acquired, and correct any mistakes. Companies could also be barred by consumers from using the information for direct marketing of products or services, and companies must have each consumers' permission to process sensitive information, such as their health, religious beliefs or trade union memberships.

The regulation bars the transfer of personal data from European countries to other countries that do not have similar privacy legislation, such as the United States.

The regulation is more restrictive than the current privacy guidelines established by the Organization for Economic Cooperation and Development, to which many U.S. companies adhere. For example, the consumer-data company Equifax Inc., based in Atlanta, Ga., will continue to follow the development organization's guidelines, said company spokesman Dave Mooney.

Banks, insurance firms, as well as computer and software sellers such as Microsoft Corp., will be affected by the regulations, which were adopted by the pan-European Council of Ministers in late July, and will work their way into national laws throughout Europe over the next three years.

Personal information is collected by companies from their employees and customers, or from third-party firms such as Equifax. The information is used to manage employees, guide marketing campaigns, gauge the impact of advertising, track consumption of health services, software and other products, and assess the risks of insurance policies.

Numerous companies are reviewing the regulation to see how it will reshape their planned use of consumer data. For example, Marcia Sullivan, chief of government relations at the Arlington, Va.-based Consumer Banking Association, has asked some of her 750 member banks to assess the impact of the new regulation. "Everyone is looking at privacy concerns as technology enables them to manage their databases better," she said.

"American companies will scream like heck about this," said Jim Lukaszewski, privacy consultant and owner of The Lukaszewski Group Inc., White Plains, N.Y. U.S. companies will have to segregate U.S. and European consumers' data, and manage their European data more carefully, he said. But U.S. companies are so technologically advanced that they can accomplish this without much trouble, he said.

To offset the new rules, U.S. companies can also move their data-management offices to the European countries and change marketing tactics, said Robert Gellman, a privacy consultant based in Washington, D.C. U.S. companies already deal with privacy laws in the United Kingdom, Germany and other European countries, so it shouldn't be too difficult for them to cope with the new regulation, he said.

U.S. consumers will likely soon demand that Congress enact similar privacy protections, giving an advantage to U.S. companies that learn quickly how to work within the new European rules, Lukaszewski said. With the European regulation, U.S. companies "are staring their future in the face."

Privacy proponents say they hope the stringent new law will spur tougher privacy legislation in the United States. There's "good potential for seeing improved privacy legislation in the United States... because every company that wants to do international trade in information" wants uniform privacy regulations wherever it operates, said David Banisar, an attorney with the Washington-based Electronic Privacy Information Center.

Janin disagreed, saying the new regulation will be unlikely to prompt similar regulation in the United States. However, other countries such as Taiwan and Canada are also planning more stringent privacy laws, she said.