E-Business 101, Part 3: Privacy - International Implications
Privacy is not just a domestic issue. In fact, the policies of many foreign countries often are more conservative and restrictive than those found in the United States. As the flow of information across international borders is growing, the need for Web site operators to be aware of foreign regulations on privacy is also growing.
The European Directive on Privacy requires ISPs and e-businesses within the European Community to disclose how they intend to use any personal information they collect. More importantly, the European Directive on Privacy requires countries trading with any member country of the European Community to adopt measures that adequately protect personal information and to prevent data transfers to countries that do not adopt appropriate safeguards. On July 26, 2000, the European Commission approved the latest U.S. Safe Harbor proposal. The Safe Harbor agreement formally went into effect on November 1, 2000, and allows U.S.-based Web sites to voluntarily subscribe to a set of principles and procedures for the handling of information originating in the European Union. The European Commission has agreed that any U.S. Web site that subscribes to Safe Harbor should be considered to be providing an adequate level of privacy protection for such information.
Practice Pointers:
- When advising a client with a Web site, conduct due diligence to understand how the client is gathering, storing, and using information about visitors to the Web site. Determine each political state that may claim jurisdiction over the activities of the Web site. As discussed in our last article, Web sites present unique jurisdictional issues. Then review the applicable privacy laws and work with the client to ensure that the client's practices comply with the applicable law.
- If any business is transacted in Europe, then we recommend utilization of the Safe Harbor provisions adopted by the European Community this past summer.
- Comprehensive privacy policies should be created for each website. Clients should be instructed to make the Privacy Policy easily accessible from each page of the website (and especially introductory pages and pages where information is gathered). The Privacy Policy should disclose whether Persistent Cookies are utilized by the website. If Persistent Cookies are used, the Privacy Policy should also disclose what information will be collected from the visitors, and how the information will be stored, used and distributed.
A number of website operators are not choosing to participate in commercial privacy certification programs like that offered by Truste (www.TRUSTe.com). Website Operators should be reminded of the "hot buttons" associated with Privacy Concerns and encouraged to only collect information that is absolutely necessary. Avoid drafting absolute statements or guarantees regarding the security of the Web site or the information collected from visitors via the Web site. Further, clients should be cautioned to be careful when changing aspects of a Web site's privacy policy. In particular, they should use caution to avoid any possible conflict with prior Privacy Policies that will apply to information gathered before a change in policy. To minimize risk, Privacy Policies should be drafted that anticipate future uses, sales, and distributions of personal information.
DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.