U.S. companies face stricter privacy rules abroad

Computerworld - CLEVELAND -- IT managers have long known that privacy rules can have a direct impact on database design and customer relationship systems. Now, they're also learning that foreign privacy requirements can affect IT in ways that you wouldn't expect. Take the case of Eaton Corp.

Eaton, a diversified manufacturing company here with 52,000 employees, conducts remote periodic scans of PCs at its European offices from its headquarters to ensure its systems are operating with an accurate inventory of licensed software. It also conducts remote virus scans.

But before these scans can be conducted, European rules state that the employee who works on the PC must be notified that the system is about to be scanned, said Jack Matejka, Eaton's director of IT security. The rules were intended to give employees notice if a company decided to review data files or a browser's cache files, but they also affect routine system maintenance. "This is one of the new issues that we have to learn about," he said.

And there is a lot to learn. Corporations are struggling to comply with the European Union's privacy rules as well as an emerging set of stringent data-sharing requirements in Canada.

For instance, consumer products giant The Procter & Gamble Co. in Cincinnati solved the problem of global privacy compliance by adopting a set of customer privacy rules that can meet Europe's standards, which are considered the most demanding because of provisions giving customers access to data about them and allowing them to choose how that data is used.

Adopting different privacy standards for various countries "creates added cost and potential problems," said Mel Peterson, Procter & Gamble's privacy manager. But that wasn't the only reason for adopting the higher standard. Strong privacy rules also build customer trust, he said.

"If you're not giving [consumers] control, why should they have any confidence in giving information to you?" said Peterson, at the Privacy 2001 conference sponsored by the Ohio Supercomputer Center's Technology Policy Group in Columbus, Ohio.

Companies operating in the U.S aren't required by law to offer any specific privacy protections unless they are in a regulated industry, such as financial services and health care. But foreign privacy standards will affect more U.S. companies, primarily because of actions by Canada, the U.S.'s largest trading partner.

Canada is phasing in a set of privacy rules similar to the European rules. Beginning this year, it applies to regulated Canadian businesses, including airlines, banks and telecommunications firms. Once it's fully implemented, the law will cover any business that collects personally identifiable information.

Giving customers choice on how information is used "is a better way to earn their loyalty," said Peter Cullen, the chief privacy officer at the Royal Bank of Canada in Quebec. "We think of this more as a business opportunity as opposed to a regulatory burden or law."

Related stories:

• Watchdog group rips financial firms on privacy practices, Aug. 29, 2001
• Canada's privacy law changing some privacy policies, Aug. 17, 2001
• The politics of privacy , Aug. 13, 2001

Read more about privacy in Computerworld's Privacy Knowledge Center.