SECRET AGENTS.

Author: Clifford, Anne

What data do U.S. companies doing business in Europe need to protect, and why?

The European (EU) Directive on Data Privacy was adopted by the 15 member states of the European Union to harmonize the protection of personal data. It seeks to regulate the processing of personal information under a set of quality principles and standards and prohibit the transfer of such data by companies to countries that don't adequately adhere to these guidelines.

It's been over a year since the directive became law, yet U.S. companies doing business in Europe are still searching for a solution to the issue of compliance, as the U.S. has been categorized as offering "inadequate" protection.

During the early days, it became clear that the U.S., unlike some other non-European countries, wasn't going to imitate the European model of national regulation and authority, but would continue to fine-tune its own data protection regime based on sectoral regulation, self-regulation and individual choice. In addition, the U.S. came to accept that Europeans see privacy as a fundamental human right - and data protection as an essential means of protecting that right.

The directive does allow companies alternatives, such as the use of consent forms, codes of practice and contracts. Unfortunately, no one solution can encompass all the data-processing requirements of a company vis-a-vis personal information.

In a model contracts project launched in 1998, privacy experts from 60 leading U.S. companies drafted a model contract for approval by the EU data protection authorities. The model contract is a framework designed to ensure data protection, and it outlines a means of enforcement between affiliates of U.S. companies operating in an EU nation and the corporate unit in the U.S.

Over the last 12 months, the U.S. Department of Commerce has also been trying to persuade European officials to accept a system under which U.S. companies would adopt a code of behavior and be allowed to regulate themselves. The "safe harbor" concept would have a set of privacy principles to which companies would voluntarily adhere. These principles include the notification to individuals about whom information is being gathered, what type of information is being collected, why it's being assembled and who will receive the data. Individuals would be given an "opt out" mechanism that would let them determine the use of personal data.

In December 1999, the working party created to advise the EU...
