Privacy Standards: Coping With Global Trade But Local Legislation

I have always been interested in Privacy, Security and Reputation from a research perspective. The Tech Policy blog has a good overview of the basics of data privacy law to commemorate Data Privacy Day. They start by saying that ‘the United States doesn’t have a single, overarching data privacy law. Instead, data privacy is regulated by many different statutes and rules at the federal and state levels.’

That statement resonates with me since I have some familiarity with EU legislation in this space and it is also very diverse. So, I wondered: how many privacy laws does a company operating globally have to follow?

It appears that this is a complex landscape. CRM Trends makes an attempt to list some of these privacy laws. To summarize some of the complexity and diversity:

• Canada has very comprehensive legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA)

• China, on the other hand, has none, according to CRM Trends

• The European Union has a privacy directive, but every country within the EU also has its own data protection legislation, e.g. the UK, Germany and France

• The United States has specific bodies like the Federal Trade Commission (FTC) and a wide variety of laws that touch on privacy, such as the Fair Credit Reporting Act, Bank Secrecy Act, Children’s Online Privacy Act, Freedom of Information Act (FOIA) and PATRIOT Act

• The USA also has State laws!! Specifically, California, Louisiana, Massachusetts, New Jersey, and New York have passed, or are considering, legislation that impacts privacy

• If you are a US company operating internationally, then there are international laws affecting the USA (e.g. Safe Harbor regulations)

• There is also sector-specific regulation, e.g. the Health Insurance Portability and Accountability Act (HIPAA), which creates some privacy protections for personal health information

• Different laws apply online and offline

• Agencies like the DMA (the Direct Marketing Association) are also trying to sort out the good guys from the bad guys by developing guidelines for e-mail marketers

So, there seems to be no shortage of standards, but it is more a question of: How could international businesses comply with all these standards?

The issue is not specific to LARGE companies; many medium-sized and small companies also operate globally. So, the diversity and complexity of privacy standards is a much more sweeping problem.

Sadly, I suspect it may be an indicator of things to come in the future, with rapidly growing global trade but legislation which is local and lacking.