What’s going on in both Washington and the EU with regard to online privacy should be of primary importance to anybody involved with online business. Why? Well, the two official bodies have very different opinions on how stringent their region’s online privacy laws should be. To put it simply, Europeans favor tighter rules, while American politicians and online business entities seem to be pushing for laws that are friendlier to data sharing.
What does that mean for the increasingly global marketplace? In short, it means that US-based businesses that plan on marketing to European citizens should make an effort to adhere to the stricter EU laws. If your goal is to reach an international clientèle, the United Kingdom’s Data Protection Act of 1998 is a good rule of thumb to follow.
UK Data Protection Act of 1998
The UK Data Protection Act of 1998 governs how personally identifiable electronic data is to be collected and processed. The law was enacted, in part, to align British regulations with a European Union regulatory initiative passed in 1995 that dealt with securing the privacy of citizens.
The law does not apply to personal and domestic use. For example, people who keep an electronic address book are not subject to Data Protection Act standards. Neither are operations that collect very little data (check with a lawyer to see if your company qualifies for exemption).
There are eight primary principles of the act:
1) Data Transfer: Personal data cannot be transferred to, or shared with, entities outside of the EU economic region that do not ensure at least the same level of user protection.
2) Management: It is the responsibility of the company or entity collecting data to ensure they have sufficient business procedures in place to thwart security breaches and data loss.
3) Control: All users retain the right to have their data removed, in whole or in part, at any time.
4) Longevity: Collected data should not be kept for longer than is needed for the original purpose of collection.
5) Accuracy: Standards and procedures must be established to ensure that the collected information is accurate and kept up to date.
6) Info Scope: Data that falls outside the stated purpose should not be collected.
7) Use Scope: Data should not be used for any reason other than the stated purpose.
8) Legal: All collected data must be processed fairly and lawfully.
In addition to the above principles, the UK Data Protection Act of 1998 obliges every processor to register with the Information Commissioner’s Office.
If you run an online business and need counsel to determine if your operation adheres to the stricter EU online privacy laws, contact our firm today. We’ll square you away quickly so you can get back to the business of making money.