The Death of Privacy - 'Where Privacy Matters' (Page 3 of 4)
The EU's data directive is the most stringent in the world. Passed in 1995, the legislation forbids companies in EU nations from using confidential information, which is quite broadly defined, for secondary purposes without the explicit approval of the consumer. That rule, and other restrictions allowing individuals access to companies' personal data and providing ways to correct errors, go well beyond the privacy protections practiced by almost every U.S. company. Consequently, with the adoption of the EU directive, U.S. companies with European operations and sales activities found themselves in danger of being legislated out of a lucrative market.
In 2000, after months of negotiations, the EU and the U.S. Commerce Department forged a safe-harbor agreement that allows U.S. companies to collect and share data in Europe in the course of doing business, as long as they promise to abide by a slightly watered-down version of the EU's data protection rules. Since then, hundreds of U.S. organizations have signed on to the accord.
Safe-harbor companies are required to follow the EU's austere data protection standards only when dealing with European consumers, or when managing subsidiary or affiliate businesses on the continent. The result: Most U.S. companies now have two sets of privacy rules, one for the European market and another set of less rigid policies in the U.S. and other nations. However, a few companies were convinced that the EU approach served the consumer's appropriate expectation of privacy quite well. These companies saw safe harbor as an opportunity to create a single, strict data-protection regimen for the entire organization, wherever on the globe it operated.
In 2001, Eli Lilly & Co., the maker of Prozac, made the embarrassing mistake of sending out an e-mail to 600 users of the anti-depressant that contained the e-mail addresses of every recipient. In effect, Lilly had broadcast the names of Prozac patients to perfect strangers around the world. That incident resulted in a deal with the FTC under which Lilly agreed to improve its privacy practices, and coincided with Lilly's signing on to the EU's safe-harbor agreement. With these two activities on the front burner at the company, Lilly management, with the strong urging of Global Privacy Officer Stan Crosley, decided to make data protection a centerpiece of the company's strategic direction.
"Europe was a significant driver on privacy for Lilly," says Crosley. "It showed us that there was a different approach that could have a nice return for the company, not necessarily in dollars and cents, but in the gains a company can get from having good business practices. There is a distrust of large corporations among consumers. But we cannot survive in the pharmaceutical industry as a target of that distrust."
Lilly spent tens of millions of dollars over many months to develop a global data-protection system that contains a series of approval layers for accessing private information. Its information protocols are designed to ensure that the only people permitted to view discrete, confidential data are those who must access it to do their jobs. Furthermore, sensitive information is clearly marked and segregated from less classified data in order to make it difficult to inadvertently leak customer records.
"Information is valuable to us, and we realized that we would only be able to continue to collect it if we convinced consumers that we appreciated that things of value should be protected," Crosley adds.