Privacy groups slam US data protection scheme

The latest US initiative to tackle self-regulation of data protection, BBB Online, has come under attack from privacy groups for giving its stamp of approval to a company accused of violating federal privacy law.

In an open letter to the chief operating officer of BBB Online, three privacy groups called into question the credibility of the agency's privacy seal.

Representatives of Junkbusters, Privacy International and Privacy Journal demanded to know if BBB Online intended to revoke the privacy seal.

The groups accused the Atlanta-based credit rating agency, Equifax of violating the Fair Credit Reporting Act (FCRA), which outlines the practices agencies must follow in the event of a dispute with a consumer.

In the letter, the groups contend: "In 1995, the Federal Trade Commission (FTC) reached an agreement with Equifax in an enforcement action accusing the company of systematically violating the FCRA."

A spokesman for Equifax said the privacy groups had it wrong. "They're rehashing history in that letter," he said. He explained the FTC incident in 1995 was part of a wider industry investigation and it concluded with a consent agreement. Such an agreement does not constitute an admission of a violation by the company involved, he said.

"The BBB Online deals with fair information practice," the spokesman continued. "They found we met their criteria. Out of 300 companies who applied to them, we were the tenth to be awarded the seal. We were the first credit agency to take on a privacy consultant - in 1987. We have conducted privacy surveys every year from 1990 to 1996, and based on those surveys we learn and modify our practices."

The argument points to a potential problem in US use of self-regulation over privacy law. The EU and the US are still negotiating to over the issue. The EU data protection law could stop the flow of data to the US if their privacy protections are not considered adequate.