Out-Law News

Safe Harbor privacy standards elude US multinationals
A study released yesterday by Andersen shows that most US multinationals doing business internationally have made little progress in adopting and implementing minimum worldwide standards for ensuring the privacy of individuals’ personal data.

The Andersen study used the general privacy guidelines developed jointly between the EU and the US, known as the "Safe Harbor" principles, as a means to benchmark the studied companies. These principles were agreed to in July 2000 as a means by which certain US companies could comply with the EU Directive on Data Protection, Europe's baseline privacy law. Recognising there is no single worldwide standard, Safe Harbor principles were chosen for this study because they meet the EU Directive’s requirements for an “adequate level of protection.”

“Disruption to the conduct of business is a very real risk,” said Kerry Shackelford, of Andersen, who focuses on providing privacy services. “The EU could block data transfer to US companies that don’t meet the Directive’s requirements. US companies that take the lead in embracing privacy standards will safeguard customer loyalty, enhance reputation and image, and enjoy the freedom to structure business operations unrestricted by data protection laws.”

Andersen selected 75 FORTUNE 500 and medium-sized, well-known US companies that will potentially need to meet emerging privacy standards because they conduct commerce with individuals outside the US. The companies represent five industries: financial services, retail, technology, telecommunications/media/entertainment, and travel/leisure. Andersen evaluated the privacy standards evidenced in the companies’ web sites.

Study findings include:

  • Overall, none of the 75 companies studied completely met the 6 principles. Just 2 of the 75 companies passed 5 principles and 8 companies only passed one.
  • Only 5% of the companies provided "enforcement" - having mechanisms for assuring compliance, recourse for individuals whose privacy is breached, and consequences for the company breaching the principle.
  • 25% included proper "notice" - informing individuals before using their information for a purpose other than originally intended or before disclosing their information.
  • 34% addressed issues around "access" - providing individuals access to their personal information held by an organisation as well as the ability to correct, amend, block, or delete it.
  • 46% offered acceptable levels of "security" - taking precautions to protect against loss, misuse or unauthorised access to the data.
  • 74% addressed "data integrity" - requiring the personal information captured be relevant to the purpose for which it is used.
  • 80% provided sufficient "choice" - allowing individuals to opt-out of disclosing information to a third party or for a purpose other than its initial intent.

Additionally, the study highlights differences between industry sectors in implementing fair information practices:

  • Companies in the travel/leisure industry were found to have the best scores of any industry in "notice" and "security" with 47 percent and 73 percent respectively.
  • The technology industry scored highest in the "access" principle at 60 percent, and also received the highest rating of any industry group in "enforcement."
  • The telecommunications/media/entertainment organizations scored the highest in the "data integrity" principle at 83 percent.
  • The financial services industry scored the highest on any single principle with 92 percent meeting benchmarks on "choice."

“Any company can take a few simple actions to begin improving their privacy practices,” added Shackelford. “First, companies can review the completeness of their on-line notices. More than a third of the companies we studied did not address if and how a user could inquire about and amend or erase personal information possessed by the company. Second, they can make sure they have addressed how a user could submit a complaint and what follow-up they could expect. Finally, companies can protect personal identity information with the same rigor as they protect payment data. More than a third of the companies studied failed to take this easy step.”
