Safe Harbor: U.S.-Europe agreement should lower data transfer barriers

Wars have been started for some strange reasons. In the United Kingdom, Jenkin’s ear and the King of Spain’s beard spring to mind (don’t ask). Trade wars can begin for even odder reasons. Currently, bananas and cashmere are threatening to set the United States and Europe against each other.

One potential flash point closer to the hearts of direct marketers – personal data – has just been resolved, though.

Under the data protection directive that’s been adopted by all 15 members of the European Union (EU), one key provision threatened cross-border direct marketing, along with credit card transaction processing, airline bookings and a host of other activities.

Article 29 states that personal data can only be transferred to a country that offers adequate protection to the data subject. In the EU’s opinion, the absence of federal data protection laws in the United States did not provide this protection. As a result, data transfers would not be legal. The American reaction was to threaten a trade war (DIRECT, October 1999).

Lisbon Agreement

However, at the Lisbon summit in early June, an agreement was reached that should resolve this problem. A proposal developed in March by the U.S. Department of Commerce, the international safe harbor privacy principles, has been accepted by the European Commission. If the European Parliament gives its assent in October, the barrier to data transfers will fall.

Peter Huey, legal affairs manager at the British Direct Marketing Association, says of the adequacy requirement: “Basically, it meant you couldn’t export data to the United States unless adequate controls were in place. The U.S. view was that Europe was trying to exercise extraterritorial jurisdiction by setting data protection standards the United States is not used to.”

This left international companies that are marketing across borders in a difficult position, which will remain the case until parliamentary assent is given to the principles. Meanwhile, this trade has not stopped.

“One informal approach has been that if the company in the United States is a highly respected organization, a member of the U.S. Direct Marketing Association, and has signed up to the DMA’s codes of practice, you could take the view that adequacy is achieved by those factors without being spelled out,” says Huey.

Many data owners have taken a more cautious approach, introducing specific contracts that say data will be processed and used under European terms, rather than U.S. levels of data protection. The U.K. DMA, together with the business trade body, the Confederation of British Industry, has developed a model contract for this purpose. The U.K.’s data protection commissioner has also stated that if data is simply going to be processed, rather than used in any other way (such as list rental and mailing), then contracts of this sort offer sufficient protection.

For multinational direct marketing service providers, the conflict has created an area of uncertainty when transferring data. Acxiom Data Corp., for example, regularly sends data from its European clients to the United States for processing at its center in Little Rock, AR. If all that’s being done is number crunching, the contract-based approach would appear to be suitable.

Where greater risks have occurred is if the client’s U.S. unit wants to employ that same data for marketing purposes.

“If a client organization in the United Kingdom has personal data that they might want to transfer to the United States for more than processing, our advice is to get the consent of your customers first,” says Mike Bradford, Experian’s director of compliance and data protection. Bradford adds that the safe harbor deal will remove uncertainties about how to cover liability and meet the requirements of European law. “It opens up the opportunity to transfer data to U.S. organizations for doing something different than just processing,” says Bradford.

However, he notes that despite the Lisbon agreement in principle, there still are some areas of uncertainty.

Financial services data transfers are still not confirmed as possible under safe harbor contracts. This may throw doubt on the continued success of American credit card issuers in Europe, such as Bank One, MBNA and People’s Bank, if they are unable to process European customer data at their U.S.-based operations.

For once, this is an area where the direct marketing industry has been ahead of the game: It has established model contracts and has lobbied for permission to transfer data.

The European Commission appears to have recognized the potential impact on trade that prevention of such transfers would have. If the European Parliament agrees, cross-border direct marketing may yet get the chance to flourish.