Despite Stricter Rules in Europe, U.S. Companies More Advanced in Protecting Data

By David Bender
June 15, 2006

A new study comparing European and U.S. corporate privacy practices reveals that while European companies impose tighter restrictions on the sharing of sensitive personal data, U.S. companies overall provide a higher level of privacy.

Sponsored by global law firm White & Case LLP as part of its annual Global Privacy Symposium, this 'Benchmark Study of European and U.S. Corporate Privacy Practices' was conducted by the independent privacy think-tank Ponemon Institute. The study confidentially surveyed 47 U.S. and European multinational companies on eight privacy practices, including: privacy policy; communications and training; privacy management; data security methods; privacy compliance; choice and consent; cross-national standards; and redress.

The survey revealed that European companies are much more likely to have privacy practices that restrict or limit the sharing of customers' or employees' sensitive personal information, and are also more likely to provide employees with choice or consent on how information is used or shared. But the research also showed that U.S. companies are engaging in more security and control-oriented compliance activities than their European counterparts. As a result, contrary to conventional wisdom, U.S. corporations scored higher in five of the eight areas of corporate privacy practice.

Ongoing concern about compliance with government rules is the lead driver for both U.S. and European companies' privacy practices. But according to the survey, 50% of European and 24% of U.S. privacy leaders now believe that strong privacy policies also are an important part of protecting or enhancing their company's brand or image in the marketplace. Concern about potentially losing customers or diluting corporate brand as a result of negative press following security breach notifications may also have played a major role in inducing U.S. corporations to introduce enhanced security measures such as encryption, intrusion detection systems, and Web site monitoring, outscoring their EU counterparts by 15%. This may be a result of the California security breach notification statute that became effective July 1, 2003 (Cal. S.B. 1386 (2002), codified at Cal. Civ. Code §§ 1798.80, 1798.81, 1798.82, 1798.83, and 1798.84), and the subsequent passage of similar laws in 28 other states that require corporations to notify customers whose personal information has been compromised.

The study further shows that European corporate privacy leaders are more likely to hold the view that their role is inextricably tied to advancing a culture of responsible information use, rather than establishing technical or administrative controls over privacy and data protection. The EU focus seems to be on the need for companies to act responsibly with personal information rather than using enhanced technologies like data encryption to prevent inadvertent breaches.

Among the other key findings:

  • U.S. companies are more likely to have a dedicated privacy officer or leaders responsible for privacy issues than comparable European companies. U.S. privacy leaders also tend to have a higher level of reporting authority within the company than their European counterparts.
  • Most European companies have a strict 'no share' policy for consumer and employee data. Less than half of participating U.S. companies have such a policy.
  • U.S. companies are more likely than their European counterparts to offer privacy training and awareness programs for employees. In addition, U.S. companies are more likely to impose mandatory training for all employees who routinely use sensitive personal information.
  • U.S. companies are more likely to employ information security technologies to protect or safeguard sensitive personal information than are European firms, including the use of encryption, intrusion detection systems, and Web site monitoring. U.S. companies are also more involved with the review and monitoring of their marketing and customer contact programs and far more likely to require all vendors, contractors, and other third parties to comply with data security guidelines and practices.
  • European companies have more rigorous data export controls when moving personal information about employees and customers to non-European Union nations. In addition, European companies are more likely to incorporate privacy program objectives that focus on data relevancy and data adequacy.

European businesses also appear to lean more heavily on their respective data protection authorities for feedback about their privacy programs. By comparison, U.S. companies rely on more sophisticated technology and training programs to impose adequate privacy protections on their operations.

Finally, it's important to note that while U.S. companies came out on top overall in the survey, they only scored 61%, a D-minus, when it came to compliance with privacy regulations, and just 56% when it came to utilizing enhanced security technologies. This means that when it comes to achieving good privacy, there is still substantial room for improvement on both sides of the Atlantic.

In 2004, the Ponemon Institute conducted a similar survey comparing Canadian and U.S. corporate privacy practices, and in that report Canadian firms outperformed their U.S. counterparts.

For more information or to obtain a copy of the 'Benchmark Study of European and U.S. Corporate Privacy Practices,' visit www.whitecase.com/corporateprivacy.


David Bender heads White & Case LLP's Global Privacy practice in New York, where he regularly advises clients on data privacy issues, including cross-border transfers, privacy audits, and compliance.
