| At Intranets 2001 this year, I gave two pre-conference workshops: one on facilitating access to external information resources, and the other on managing multinational intranets. Both subjects raise some interesting legal issues, with regards to intranet content management, that perhaps need a wider airing. From the outset, I have to state that I am not a lawyer, and that any comments I make in this column should be used as the basis for your own discussion with a lawyer, and not as a definitive statement of the law in either the U.S. or Europe.
There is a fundamental difference in the approach to data privacy law in the U.S. and Europe, which has some major implications on the transfer of personal data between the two using a corporate intranet. The legal position in the EU (strictly speaking, the European Economic Area, which includes Norway and Iceland) is set out in the Directive on Protection of Personal Data. The Directive is not in itself "law." It sets the minimum requirements that have to be complied with by the national legislation of member states, and the date (October 25, 1998-three years after adoption in October 1995) that this compliance has to be implemented. Personal data is any data about an individual person, such as his or her date of birth, job position, home address, and just about anything else you can think of. In addition, there is a further category of Sensitive Personal Information, which includes information about race, health, religion, and political affiliation.
The Directive, and the legislation enacted in individual countries, does not prohibit the transfer of personal information across country boundaries. Indeed, the main purpose of the legislation is to ensure that this information can be passed across these boundaries, but only under conditions that ensure that the rights of the citizen to control the use of this information are consistent across Europe. When setting up the legislation, the EU was concerned about what might happen if personal information was passed onto a country that did not have equivalent controls over the use of the information. As a result, any transfer of information between the EU and the U.S. requires companies to inform employees about any possible transfers, and to gain their explicit consent.
The problem for intranet managers is that intranets often provide information about the activities of the staff, and exchange information on staff with specific expertise and knowledge. Adding photographs of employees to their profile on the intranet is usually regarded as very useful. However, a photograph reveals all sorts of personal information and, according to the Directive, a photo should only be posted with the explicit consent of the individual.
Safe Harbor Under Siege
As a way of getting around the lack of equivalent data privacy legislation in America, the EU and U.S. authorities have come up with the Safe Harbor protocols, which effectively provide a similar measure of protection for personal information in the USA as in Europe (http://www.export.gov/safeharbor). U.S. companies have been slow to sign up for the protocols, and there is a feeling in the U.S. government, and among many lobbying groups, that this is an unfair barrier to trade. The topic came back into prominence in May, because the Safe Harbor protocols did snot apply to the financial services industry since the Gramm-Leitch-Bliley consumer protection law had just been enacted in mid-2000, when the Safe Harbor issues were being discussed. The EU proposed to hold further talks about financial services within the framework of this law, but no talks have yet taken place, and the EU is getting restless, since the temporary exemption on these particular issues ends in October 2001.
The danger for intranet managers is that the entire question of the Safe Harbor protocols may be put back on the table, especially since so few U.S. companies have signed up for the provisions. As a result, it is of very considerable importance that intranet managers of multinational companies ensure that they have all the appropriate approvals and audit trails for any personal information stored on, or traversing, their intranets-and that includes email communications as well. The Data Privacy regulators in all the European countries (especially Germany, the Netherlands, and the U.K.) are keen to test how far their powers actually extend, and to date there have been no prosecutions. One would be well advised not to be a test case. [For more on this topic, see the article I wrote in EContent, August/September 2000, pp 45-47.]
Disabled Access to Intranets
One area where there is broadly similar legislation in the U.S. and in Europe relates to the provision of access to an intranet by employees with disabilities.
The most obvious area is visual disability, but it is important not to overlook physical disabilities. It is quite possible to navigate around Microsoft applications using the arrow keys for staff who do not have adequate motor control for a mouse. Intranets often depend entirely on precise control of a mouse for drop-down menus or for mouse roll-overs on index terms. This may require either a substantial redesign of the intranet or the provision of special areas of the intranet for disabled access. If using the latter approach, it is vital to ensure that the content available to someone using a specialized area is equivalent to the main site.
For more information on Web accessibility, have a look at the Web Access Initiative guidelines of the World Wide Web Consortium at http://www.w3.org/WAI, and also read pp. 298-311 in Jakob Nielsen's book, Designing Web Usability (New Riders Publishing, 1999). There is also an excellent article in EContent, April/May 2000, pp. 15-23 by John Lescher.