A new study comparing European and US corporate privacy practices reveals that while European companies impose tighter restrictions on the sharing of sensitive personal data, US companies currently have more sophisticated systems in place to prevent breaches.
The study, sponsored by global law firm White & Case as part of its annual Global Privacy Symposium, which will be held Thursday, April 27 in New York, was conducted by the independent privacy think tank Ponemon Institute. The study surveyed 47 US and European multinationals on eight privacy practices, including privacy policy; communications and training; privacy management; data security methods; privacy compliance; choice and consent; cross-national standards; and redress. The survey questions were reviewed by two European data protection authorities, The Information Commissioner's Office of the UK and The Commission Nationale de l'Informatique et des Libertes (CNIL) in France.
"European companies are much more likely to have privacy practices that restrict or limit the sharing of customer or employees' sensitive personal information and are also more likely to provide employees with choice or consent on how information is used or shared," said David Bender, head of White & Case's Global Privacy practice. "But the research also revealed that US companies are engaging in more security and control-oriented compliance activities than their European counterparts. As a result, US corporations scored higher in five of the eight areas of corporate privacy practice."
Bender adds that ongoing concern about compliance with government rules is the lead driver for both US and European companies' privacy practices. But 50 percent of European and 24 percent of US privacy leaders now believe that strong privacy policies also are an important part of protecting or enhancing their company's brand or image in the marketplace.
"The study further shows that European corporate privacy leaders are more likely to hold the view that their role is inextricably tied to advancing a culture of responsible information use rather than establishing technical or administrative controls over privacy and data protection," said Larry Ponemon, founder of the Ponemon Institute, who led the research team. "In their minds, the most important thing is to convey the need for companies to act responsibly with personal information rather than using enhanced technologies like data encryption to prevent inadvertent breaches."
Among the other key findings:
- US companies are more likely to have a dedicated privacy officer or leaders responsible for privacy issues than comparable European companies. US privacy leaders also tend to have a higher level of reporting authority within the company than their European counterparts.
- Most European companies have a strict "no share" policy for consumer and employee data. Less than half of participating US companies have such a policy.
- US companies are more likely than their European counterparts to offer privacy training and awareness programs for employees. In addition, US companies are more likely to impose mandatory training for all employees who routinely use sensitive personal information.
- US companies are more likely to employ information security technologies to protect or safeguard sensitive personal information than European firms, including the use of encryption, intrusion detection systems and website monitoring. US companies are also more involved with the review and monitoring of their marketing and customer contact programs and far more likely to require all vendors, contractors and other third parties to comply with data security guidelines and practices.
- European companies have more rigorous data export controls, especially when moving personal information about employees and customers to non-European Union nations. In addition, European companies are more likely to incorporate privacy program objectives that focus on data relevancy and data adequacy.
"European businesses also appear to lean more heavily on their respective data protection authority to get feedback about their privacy programs. By comparison, US companies rely on more sophisticated technology and training programs to impose adequate privacy protections on their operations," said Bender.
In 2004, the Ponemon Institute conducted a similar survey comparing Canadian and US corporate privacy practices and, in that report, Canadian firms outperformed their US counterparts.