Distribution-industry executives are beginning to pay close attention to a European directive that could threaten the way distributors and other component suppliers conduct electronic commerce in Europe.
The European Union (EU) Data Protection Directive requires businesses to adopt national legislation to ensure adequate privacy protection when transmitting data in and out of EU member countries. Although the directive is meant to facilitate the flow of information among the 15 EU member countries, its provisions threaten to cut off data exchanges with the United States, experts said.
The problems lie in Article 25, which prohibits consumer information from being sent to jurisdictions that do not offer similar protection. The loose definition of "consumer" raises several questions for the b2b electronics industry, and trade groups are trying to figure out the exact interpretation of the language.
"Consumer is a fairly broad definition and has yet to be defined by European courts," said Robin Gray, executive vice president of the National Electronic Distributors Association (NEDA). "Legal advisers for several companies have interpreted consumer to mean customer; therefore, any business could be defined as a consumer."
The EU Directive, implemented in 1998 but only recently enforced, defines data as any information by which consumers or individuals can be personally identified. This includes information collected and maintained online by automatic systems, as well as some paper records. The directive also limits data collection, processing, storage, and dissemination activities.
Controlled data transfers from EU member countries could potentially have a profound effect on the electronics industry because U.S. privacy laws are far more liberal than those in Europe. Germany has implemented some of the most stringent laws.
"The EU is a little more open and liberal toward the business community than some local [German] governments," said Georg Steinberger, director of communication at distributor EBV Electronik GmbH. "There may be local laws and regional laws that are different, even contradictory to some extent, with EU laws. Over time, this will disappear."
The EU takes an all-encompassing approach to data protection, and depending on how the European courts define consumer, distributors may have to rethink their business model if they share point-of-sale (POS) information with suppliers that includes the customer's name or other identifiable marks, according to Gray.
"Very basic to all the franchise agreements from our suppliers is the requirement to share information, and the architect of sharing that information was never meant to invade customer privacy," said Jim Schaeffer, senior vice president of marketing at Wyle Electronics LLC, Irvine, Calif. "We don't have any issues where the customers themselves have come to Wyle because they're concerned about privacy as it relates to the normal convention of reporting POS back to our suppliers."
But consumer-privacy issues are just the beginning. An even stronger possibility is that multinational companies will be restricted from transferring their employees' personnel records from EU member countries to other nations. For example, a multinational corporation might find itself in trouble if it sends a Germany-based employee's insurance records from Germany to the United States without prior consent.
Companies can take preliminary steps to ensure that employee and consumer data transfers meet EU privacy requirements, including obtaining consent to transfer data, establishing industry practice codes for financial services, and developing contracts.
"The directive states that before a company can release information about a consumer, it must obtain the consumer's permission each and every time," Gray said. "That includes within each company's division. If one unit collects the information, and it is a separate business unit but is owned by the same company, they still must have the consumer's permission to share the information."
In response to the EU Data Protection Directive, the U.S. Department of Commerce drafted the Safe Harbor Privacy Principles. Ambassador David L. Aaron, undersecretary for the Department of Commerce, conducted negotiations aimed at reaching an agreement with the EU.
The new document is the final version of the government's proposed remedy. The Safe Harbor Principles are designed to guide U.S. organizations seeking to comply with EU adequacy requirements. The proposal outlines information that U.S. companies must provide to European consumers, including:
A notice stating the purpose for which the company collects and uses the information.
The option to choose whether or how their personal information will be disclosed to a third party.
The transfer of personal information to third parties consistent with the principles of notice and choice.
Security measures taken by organizations creating, maintaining, using, or disseminating personal information.
Data integrity relevant to the purposes for which it is to be used.
Access to data with the ability to correct, amend, or delete the information.
Enforcement and recourse mechanisms for ensuring compliance with the principles.