.
| Technology.. |
Privacy policies:
How EU differs from U.S.
When a care worker with Home Instead Senior Care, a franchise that provides in-home care to seniors, arrives at the home of a U.S. customer, she’s privy to a journal containing the client’s background, medical information, emergency contacts, a list of medications and dosages, comments, etc.
When a care worker with one of Home Instead’s European franchises arrives at the home of a customer, that journal contains just a list of emergency phone numbers.
That’s the European Union’s data privacy standards at work. More than a decade ago, the EU enacted a set of data privacy standards that require companies to guard a customer’s private information closely—be it a credit card number, health information, consumer preferences, frequency of hotel stays or a myriad of other concerns.
The EU has an “opt-in” policy when in comes to data privacy. The U.S. has an “opt-out” policy. This means that in the U.S., companies may share the personal information about customers for marketing, sales and other purposes unless customers specially ask them not to do so. In Europe, the opposite is true. In the EU, companies aren’t allowed to share the personal data of customers unless the customer specifically asks them to do so.
Because of these discrepancies, some franchises overseas have had to alter their policies, systems and procedures.
“We need to protect an individual’s privacy in the EU, but at the same time, the caregiver needs knowledge,” says Yoshino Nakajima, vice president of international development for Home Instead, based in Omaha, Neb.
There are other restrictions franchise companies need to consider when opening branches in the EU.
“Franchises cannot import data from Europe into the U.S.,” explains Lee Plave, an international franchise attorney with DLA Piper Rudnick in Washington, D.C. “Data collected in the EU stays in the EU. The EU has set the bar very high when it comes to data privacy in terms of collection, storage and use. Right now, every franchise system in the EU must comply with the EU standards or face fines and sanctions.”
Although the EU standards can be confusing and the costs of non-compliance can mean interruption in business and hefty fines if infractions are prosecuted by European authorities, U.S. companies don’t have far to look for guidance on ways to comply with the standards.
The U.S. Department of Commerce, in consultation with the European Commission, developed a program called Safe Harbor, which guides U.S. companies through the process of complying with the EU standards. The program was approved by the EU in 2000. Companies doing business in Europe need only join Safe Harbor and comply with its rules in order to assure the EU that they will provide privacy protection to customers, as defined by the EU standards.
The EU’s standards may be too strict for our American palette, Plave says. We don’t have sweeping, nationwide data privacy laws here and likely won’t in the near future. But that doesn’t mean companies themselves—especially those that are expanding into the EU —shouldn’t be looking into creating their own.
Marcus Bruninghaus, founder of PISA Security in Laguna Hills, Calif., a firm that helps the hospitality industry create secure data systems, agrees.
“I tell people to treat data like cash, because that’s what it is,” Bruninghaus says. “Companies need to have a comprehensive data privacy policy in place. It’s not regulated here in this country like it is in Europe, but it’s good business practice.”
