Photonics companies seem unaware, but the recently implemented European Union Data Protection Directive applies to them and to the personal data they collect and transfer out of Europe. The directive specifically covers any data that can be used to identify an individual, including direct marketing lists, the resale of catalog lists with customer or subscriber names, invoices and even the transfer of human resources information. The directive, which was implemented in October 1998, affects photonics companies in two key ways. First, individuals must be notified any time identifying data is used for a purpose other than that for which it was originally collected. Second, data transfers are not allowed from Europe to any other country, such as the US or Japan, that does not have adequate privacy protection, as determined by European standards. "If you transfer data out of Europe with names in it, then you are covered by the directive and you have to decide what you're going to do," said Ohio State University law professor Peter Swire. Legal experts say they believe enforcement of the directive will be targeted to specific sectors and practices, rather than across-the-board action. Swire has cited protective measures in the US credit-reporting industry as an example that will likely meet the adequacy criteria. Photonics companies with subsidiary holdings in Europe and Japan or the US will need to establish procedures that meet privacy standards to be allowed to transfer employee information internally. According to Swire, a significant number of enforcement measures have been taken against companies, including a ban by the Swedish government preventing American Airlines from transferring personal data such as passenger lists or requests for special services, and a fine imposed by UK regulators on 3Com Corp. in Santa Clara, Calif., manufacturer of the PalmPilot. The options for avoiding trouble are clear-cut. Photonics companies need to register each database in a single designated Euro pean country where they do business or have a branch office. That country will interpret the directive as it applies to all data transfers out of the European Union. To assure compliance, databases should include information on where and why they were collected. Where issues seem tricky, Swire advises, talk with government regulators and negotiate a solution. Meanwhile, the US Department of Commerce is working on plans to create a safe harbor for US companies that adhere to certain privacy principles. Photonics manufacturers could enter the safe harbor by certifying the adequacy of their safeguards on privacy. In return, they would be able to transfer data without violating the law.