Microsoft To Sign EU Privacy Accord

Microsoft announced Tuesday that it will sign the “Safe Harbor” privacy protection agreement between the United States and the European Union.

Signing the agreement will allow Microsoft to transfer personal information between its European and U.S. operations with less risk of privacy claims being filed against the company.

Microsoft director of corporate privacy Richard Purcell said that the software giant’s privacy policies “are consistent with the EU principles for data protection,” which means the company can sign the agreement this summer.

Multinational companies that do not sign the agreement — which details the EU’s minimum standards for data protection — by June 30th will be prohibited from transferring personal data from European countries to non-European countries.

Annual Certification

Microsoft said it was in the process of registering with the Department of Commerce, which oversees the safe harbor program in the U.S., and would have all necessary paperwork completed before the June 30th deadline.

To qualify for safe harbor status, a company must certify to the Commerce Department annually that it adheres to the safe harbor principles and must include a notice in its privacy policy to that effect.

Additionally, companies must either develop their own self-regulatory privacy program or join another program that adheres to the standards, such as the one rolled out by TRUSTe in November.

The Seal Deal

The TRUSTe program offers Web site privacy certification and oversight, as well as an alternative dispute resolution mechanism.

The privacy program includes enforcement of TRUSTe privacy policies through quarterly site monitoring. In order to receive the TRUSTe seal of approval, companies must provide TRUSTe with regular access to information to their data use and security policies.

Cost of Compliance

Redmond, Washington-based Microsoft reportedly spent approximately US$500,000 complying with the conditions of the safe harbor doctrine, which covers not only information gathered electronically, but also contracts, phone calls and other correspondence.

Microsoft said that its internal review process included surveys of customer-data handling, employee training and reviews of major properties and systems. The process also includes education initiatives.

Safe Harbor Standards

The safe harbor standards were jointly developed by the Department of Commerce and the EU in response to the European Commission’s Directive on Data Privacy, which prohibits the transfer of personal data to non-European Union nations that do not meet the European “adequacy” standard for privacy protection.

The seven basic principles of the safe harbor agreement are:

• Notice. Companies must notify consumers what information is being collected, how that information will be used, and who that information will be shared with.
• Choice. Consumers must be provided with an opt-out mechanism for any secondary uses of data and for disclosures to third parties.
• Access. Consumers must be provided with reasonable access to personal information being held by the company.
• Security. Companies are required to take reasonable precautions to protect personal information.
• Transfer. Companies disclosing personal data to a third party must, with certain exceptions, adhere to the notice and choice principles.
• Data Integrity. Reasonable steps must be taken to ensure that data collected is reliable, accurate, complete and current.
• Enforcement. Companies must ensure there are readily available and affordable independent mechanisms to investigate consumer complaints.

Companies that comply with the voluntary data privacy pact are granted immunity from legal action by the European governments who adopt the agreement.