Why Backupify Supports European Style Data Privacy Standards

The Wall Street Journal has an interesting article on whether or not the U.S. should adopt European data privacy protections.

In Europe, there are strict rules about what companies can and can’t do in terms of collecting, using, disclosing and storing personal information, and governments are pushing to make the regulations even stronger. That has prompted renewed debate about whether it is time for the U.S. to toughen its relatively lax privacy regulations.

When we started Backupify, we discussed these issues in depth quite a bit, and decided early on to take a more European approach to data privacy. You can read our views in our privacy policy, but in general, we have tried to adhere to the 7 principles of the Safe Harbor program, which we think captures the right data privacy spirit from what is a very complex set of issues.

So of course our view on this debate is that yes, the U.S. should adopt standards more like the ones in Europe. In general, we would like to see something similar to the 7 Safe Harbor principles.

1. NOTICE 

An organization must inform individuals about the purposes for which it collects information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means the organization offers individuals for limiting its use and disclosure. This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or discloses it to a third party.

2. CHOICE 

An organization must offer individuals the opportunity to choose (opt out) whether and how personal information they provide is used or disclosed to third parties (where such use is incompatible with the purpose for which it was originally collected or with any other purpose disclosed to the individual in a notice). They must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise this option. For sensitive information, such as medical and health information, information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information concerning the sex life of the individual they must be given affirmative or explicit (opt in) choice.(4)

3. ONWARD TRANSFER

An organization may only disclose personal information to third parties consistent with the principles of notice and choice. Where an organization has not provided choice because a use is compatible with the purpose for which the data was originally collected or which was disclosed in a notice and the organization wishes to transfer the data to a third party, it may do so if it first either ascertains that the third party subscribes to the safe harbor principles or enters into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant safe harbor principles.(5)

4. SECURITY 

Organizations creating, maintaining, using or disseminating personal information must take reasonable measures to assure its reliability for its intended use and reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.

5. DATA INTEGRITY 

Consistent with these principles, an organization may only process personal information relevant to the purposes for which it has been gathered. To the extent necessary for those purposes, an organization should take reasonable steps to ensure that data is accurate, complete, and current.

6. ACCESS 

Individuals must have [reasonable] access to personal information about them that an organization holds and be able to correct or amend that information where it is inaccurate. [Reasonableness of access depends on the nature and sensitivity of the information collected, its intended uses, and the expense and difficulty of providing the individual with access to the information.](6)

7. ENFORCEMENT 

Effective privacy protection must include mechanisms for assuring compliance with the safe harbor principles, recourse for individuals to whom the data relate affected by non-compliance with the principles, and consequences for the organization when the principles are not followed. At a minimum, such mechanisms must include (a) readily available and affordable independent recourse mechanisms by which an individual’s complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide; (b) follow up procedures for verifying that the attestations and assertions businesses make about their privacy practices are true and that privacy practices have been implemented as presented; and (c) obligations to remedy problems arising out of failure to comply with these principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations.

As a startup that is very concerned about efficient use of resources, we have managed to build the tools and processes necessary to live up to this kind of data privacy policy. If it isn’t too much of a burden on us, other U.S. companies should have no problem with it either.