Computerworld - Getting ready to pull customer data out of Europe? Be prepared to navigate the most backward regulation in the data privacy arena.
The European Union has declared that countries without privacy laws like its own -- the U.S. included -- are "inadequate" places to store a European citizen's personal data. Brussels threatens to fine your company if you try to export such data past its blockade without meeting its conditions.
This isn't about privacy. The safety of a person's data has little to do with where it's stored. Is a database server in Lisbon necessarily safer than one in Silicon Valley? Geographic location is almost meaningless in cyberspace. What matters in the information economy is whether the company collecting the data can be held accountable in a court for violating a posted privacy policy.
The EU's move isn't about privacy, but about the power of government to regulate the trade of the 21st century's raw material: information. By forcing other countries to adopt its laws, the EU hopes to isolate the U.S., home of the great IT innovators. It's no accident that Brussels targeted the goliath Microsoft for a privacy investigation of its Passport product.
So what do you need to do to spring your data from Europe?
Your short-term options are several, but unattractive. You can avoid the EU export requirements altogether by keeping the personal data you collect in Europe within European Economic Area borders. Maintaining a duplicate IT infrastructure in Europe may not be feasible for you, however.
A second option is to "depersonalize" the data before exporting it to the U.S. This involves stripping personal identifiers from the data so that no one in your U.S. office could trace the information to named Europeans. Arguably, personal data that is merely stored in the U.S. but not accessed here should fit this category as well. This option works only if your U.S. office has a narrow role, such as analytics or data backup.
A third alternative is to obtain the consent of your European customers to export their data to the U.S. While easy to engineer -- by adding a pop-up box to a checkout process, for example -- the hard part is planning for those people who won't give their consent. You'll either have to accept them abandoning the checkout process or create a duplicate fulfillment process based in Europe.
Another option is available if you have a European office or business partner that can collect the data for you. In order to export the data,
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
