Portals eNewsletters Web Seminars dataWarehouse.com DM Review Magazine
DM Review | Covering Business Intelligence, Integration & Analytics
   Covering Business Intelligence, Integration & Analytics Advanced Search

View all Portals

Scheduled Events

White Paper Library
Research Papers

View Job Listings
Post a job


DM Review Home
Current Magazine Issue
Magazine Archives
Online Columnists
Ask the Experts
Industry News
Search DM Review

Buyer's Guide
Industry Events Calendar
Monthly Product Guides
Software Demo Lab
Vendor Listings

About Us
Press Releases
Advertising/Media Kit
Magazine Subscriptions
Editorial Calendar
Contact Us
Customer Service

Business Intelligence:
What You Need to Know about the EU Data Privacy Directive

online columnist Jonathan Wu     Column published in DMReview.com
May 26, 2005
  By Jonathan Wu

Jonathan would like to thank Faisal Malik, principal with Knightsbridge Solutions, for contributing this month's column.

A significant data movement is taking place, one you probably haven't heard much about it. It's a quiet movement, overshadowed by security concerns, Sarbanes-Oxley buzz and other consumer compliance issues and is mired in underlying geopolitical complexities between countries and cultures attempting to reach a consensus on a single issue: how to handle the protection of personal and consumer data originating from European operations when processed by U.S. companies - regardless of their location. As understated the issue may seem, thousands of U.S. companies are probably working in some capacity to assess and revise their policies on transporting and processing of European personal data in light of the European Union Data Protection Directive.

Background on the EU Data Protection Directive

On October 25, 1998, the European Union (EU) Directive on data privacy went into effect. This Data Privacy Directive makes it illegal to transport EU personal data across EU and non-EU country borders without an adequate level of data protection in place. The EU Data Privacy Directive is governed with a comprehensive legislation, which has been adopted by all the EU member countries. Non-compliance with the directive can result in various types of penalties, fines, civil suits and data embargos. However, the intent of this legislation is to facilitate the free flow of data between all members and non-members of the EU countries.

To safeguard the movement of personal data for U.S. companies working in EU countries, the U.S. Department of Commerce (DoC) has developed a self-certifying process through which companies can self-certify their adherence to data privacy principles known as the Safe Harbor framework. The Department of Commerce recognizes that the framework does not have comprehensive legislative support yet, but the voluntary certification model allows U.S. companies to import personal data without prior authorization from the EU national data protection agencies.

Under Safe Harbor, U.S. companies are responsible for implementing comprehensive data protection program and policies. Adherence to this framework does not by any means relieve U.S. companies from the possibility of a European filing a criminal and civil complaint with their local authorities against a U.S. company because they feel their personal information has been compromised. Furthermore, the EU national data protection agencies will maintain rights to access the compliance of the implemented program.

Although there is much debate on the effectiveness of Safe Harbor process at present time, this is a good starting point for all organizations that are involved in conducting business in the EU countries, especially for companies that receive human resource, financial and marketing data from their EU operations. That's no small number of companies.

Impact on U.S. Companies

The enactment of European Data Protection Laws has severely impacted the way U.S. companies conduct business in Europe and, to some extent, globally. Currently, at least 25 countries are united under the EU umbrella. Observation of the European Union's track record reveals they are forcing many U.S. companies to rethink how they conduct business overseas. So far, no major cases have been filed under the EU Data Protection Directive - but this does not mean there is zero risk of a civil or criminal law suit in the European courts, or some sort of embargo that will prevent the shipment of personal data out of EU countries. This is why more than 700 U.S. companies have taken steps to comply with the Safe Harbor Principal. A complete list of U.S. companies complying with the Safe Harbor Program can be found at www.export.gov/safeharbor, which is maintained by the U.S. Department of Commerce.

Expected Areas of Enhancement for the Safe Harbor Program

The EU Data Privacy Directive remains a controversial requirement for the U.S. As such, the Safe Harbor framework - the U.S. resolution for compliance - will continue to evolve. A study completed in April 2004 at the request of European Commission sites various areas of the Safe Harbor Program that need further enhancement and clarification, such as:

  • Various terms in Safe Harbor (Example, U.S. company, data subjects, data controller vs. data processor, etc.)
  • Ease of filing complaints by data subjects
  • Onward data transfer (transfer of data to subsidiaries and/or data processing organization who are not bound by Safe Harbor or EU Data Privacy Directive)
  • Components of a privacy policy (what should be covered in a privacy policy)
  • Effective enforcement and channels of enforcements in U.S.
  • Jurisdiction clarification in term Safe Harbor enforcement of DoC, FTC, and DoT (Federal Trade Commission and Department of Transportation)

It will be prudent for the U.S. companies that have adopted Safe Harbor framework, or are considering it, to stay abreast of the working council's position on Safe Harbor framework and their plan on enhancing the current data protection policies.

What You Can Do

All U.S. companies interested in consolidating their IT operations, importing data from EU operations or processing data in third countries should have a comprehensive privacy program in place. (An example of a third country could be a U.S.-based company processing European personal data in an Indian processing center). Third countries involved in data processing should either have privacy programs in place, or have contracts to cover data processing in light of the EU Data Protection Directive.

This is especially critical if data is personal in nature and originates from any of the 25 EU countries. U.S. companies should start by appointing a "C" level data privacy officer with the overall responsibility for the data security and privacy initiatives. This corporate data security office should have some form of presence in the EU countries where the personal data in originating.

The Corporate Data Privacy Office (including the staff in EU countries) should work closely with the information technology director(s) and their staff to develop a comprehensive set of data security and privacy policies. The Data Privacy and Information Technology Offices should start by adopting the Safe Harbor Certification, which can be achieved by either working with the in-house resources, if they exist, or by engaging the consulting companies with expertise in the EU Data Privacy initiatives.

The Corporate Data Privacy Office and the Information Technology Office should not only develop in-depth understanding of Safe Harbor certification process but also develop expertise in the EU Data Privacy Directive and its intent. It will also help to understand the inner workings of the EU working councils on data privacy, and the working arrangement between the DoC and EU Data Protection Authority.

Some tips to get started:

  • U.S. companies should seek an appropriate level of legal help (both internal and external) while developing or reviewing privacy policies.
  • While developing these policies, companies should keep in mind the term "adequacy requirements" for the safety of data and the emphasis on individual rights vs. business needs of data processing.
  • U.S. companies should involve the local data protection authorities in the countries where the data has originated and have formal communication channels in place with the local authorities in order to handle disputes brought on by local data subjects.
  • Companies that have already signed up for the Safe Harbor Certification should review their privacy policy in light of EU Data Privacy Directive, "the standard contractual clause for transfer of personal data to third countries" as developed by the EU authorities, and be prepared to address various issues raised in the studies conducted by the EU Data Privacy Authority in April 2004.

The privacy concern is no longer just a European issue. It is creeping into the U.S. mainstream economy by various routes. HIPPA, the "Do No Call List" and Safe Harbor are a few initiatives that have spurred an increasing awareness about the privacy and safety of personal and consumer data. We can foresee more emphasis on privacy and security due to increasing globalization of our economies given mergers, acquisition and the desire to leverage cost effective human capital around the globe.

Faisal Malik is a principal with Knightsbridge Solutions. He has 13 years of experience in the consulting and IT areas, and has worked as a solutions architect and project manager during his career in the IT Industry. Malik has successfully led various large-scale, multidiscipline, global, data warehousing projects. He has developed and delivered strategic solution for the Fortune 100 companies to optimize various back office business functions. He can be reached at fmalik@knightsbridge.com.


For more information on related topics visit the following related portals...
Business Intelligence (BI) and Privacy.

Jonathan Wu is a senior principal with Knightsbridge Solutions. He has extensive experience designing, developing and implementing information solutions for reporting, analysis and decision-making purposes. Serving Fortune 500 organizations, Knightsbridge delivers actionable and measurable business results that inform decision making, optimize IT efficiency and improve business performance.  Focusing exclusively on the information management disciplines of data warehousing, data integration, information quality and business intelligence, Knightsbridge delivers practical solutions that reduce time, reduce cost and reduce risk. Wu may be reached at jwu@knightsbridge.com.

E-mail This Column E-Mail This Column
Printer Friendly Version Printer-Friendly Version
Related Content Related Content
Request Reprints Request Reprints
Site Map Terms of Use Privacy Policy
SourceMedia (c) 2006 DM Review and SourceMedia, Inc. All rights reserved.
SourceMedia is an Investcorp company.
Use, duplication, or sale of this service, or data contained herein, is strictly prohibited.