Hands off that data -- I'm European!

In the transatlantic trade war that's brewing over data privacy rules, the U.S. pushes laissez-faire while the European Union embraces tough laws.

By Karlin Lillington
Published July 7, 1998 7:00PM (EDT)

So far this year, I have received a grand total of perhaps seven pieces of what might be construed as junk mail. I have never received a badgering phone call at dinner time, demanding that I consider the delights of aluminum siding, sets of encyclopedias or an alternative credit card to the one I possess.

How did I get so lucky? Simple: I'm a European resident. Marketers can only acquire my personal information in carefully defined and controlled ways.

If I return a product registration card, I know that the personal information I offer cannot be sold to others as part of a sales database unless my permission has been obtained. I am never asked, except by the government department that issued it, to identify myself by a nationally assigned number. And any organization that holds any information about me -- banks, medical offices, telephone companies, the supermarket whose loyalty program I belong to, my gym, the video rental shop or the place where I returned a product registration card -- must, at my request, supply me with full details of its computer records bearing my name.

These are my rights, legally guaranteed to me as a resident of the European Union. Those rights, which are due to be further solidified in a pending European Data Directive on October 25, are based on "a philosophical view that privacy is a fundamental human right," according to Fergus Glavey, the Data Protection Commissioner for Ireland. (Each European country appoints its own data watchdogs charged with protecting its citizens' privacy rights.)

In the meantime, tension is increasing daily in Washington over online data privacy, following a flurry of condemning reports pointing up the laxness of basic privacy protections in the U.S. As government-supported advocates of corporate self-regulation square off against those who say privacy legislation is a must, Europeans are watching the battle with some bemusement.


Europeans can't understand why Americans would want to rely on the promises of self-regulation by market-driven companies, instead of having legislation in place that compels, rather than requests, compliance from data-gathering organizations. Laws, they believe, provide better protections for human rights than corporate benevolence. In opposition, the U.S. contingent, led by President Clinton's senior advisor Ira Magaziner, thinks a European propensity to overregulate could stifle the nascent online economy.

Magaziner's stance is that there's no point in promising protections that the American government can't provide. While visiting Dublin two weeks ago, he asked: With 10,000 new Web sites created daily, how can privacy rules be enforced? "We believe privacy should be private-sector led," he said. "There's a risk in being overregulated and not having the mechanism in place to do anything about it."

But Europeans don't agree, and that's clearly worrying Magaziner, who indicated in a London talk at the start of that week that the U.S. eventually may need to find points of compromise with the E.U. stance.

The current European approach, which will be more explicitly defined in the new directive, has three basic tenets: Individuals have the right to access any data relating to them and have it kept accurate and up-to-date; data cannot be retained for longer than the purposes for which it was obtained nor used or disclosed "in a manner incompatible with that purpose" and must be kept only for "lawful purposes"; those who control data have "a special duty of care" in relation to the individuals whose data they keep. Data commissioners oversee these rights in each European country and require most "data controllers" -- people who handle data -- to register with them to track what information is being collected and where. They are charged also with investigating all complaints from citizens.

Glavey's perspective on his role is clear: "There is an imbalance between the consideration given to what can be done through the application of the latest technology and what should be done, having regard to the cultural, ethical and legal assumptions which underpin our society," wrote Glavey in last year's annual report for his department. "In short, we must decide whether [information technology] will be our master or our servant, and what role privacy protection laws have to play in this matter."

The Irish data-protection office receives about 1700 inquiries per year from a population of 3.5 million. Most are from people seeking further information about privacy regulations; less than 100 are actual complaints. (With only seven staff members, the office would be hard pressed to investigate many more, admits assistant commissioner Michael O'Donovan.) The office is also charged only with asserting privacy rights relating to data kept on computers, not general privacy rights -- and those rights were formulated during the stone age of electronic networks, back in 1981. That's why there is much interest in the E.U.'s forthcoming directive, which more comprehensively fleshes out privacy rights in the digital age.

On the other side of the Atlantic, the new European rules are not bringing joy to the U.S. government or the corporate world. Gradually, people are realizing that the directive is a significant threat to business as usual -- and likely to have an impact not just on Net-related transactions but on the routine transfer of data between companies in Europe and the U.S. The directive prohibits Europeans' data from being used in any way incompatible with the protections afforded those citizens under the directive. In other words, a multinational company in Dubuque that processes insurance information there for its customers in France can handle that data only in ways compliant with the directive.

A London-based privacy advocacy group, Privacy International Ltd., has already threatened legal action if American companies don't comply. "No privacy, no trade. It's that simple," stated Privacy International's director, Simon Davies, in a May Wired article explaining the directive.

However, "someone in Brussels isn't going to go down in the basement and throw a switch, and the data stops flowing to the U.S.," notes Marc Rotenberg, director of the Washington, D.C.-based Electronic Privacy Information Center (EPIC), an advocacy group affiliated with Privacy International. Instead, 200 of the companies that send significant amounts of data between Europe and the U.S. will be monitored for their use of data, he says.

Rotenberg points out that the U.S. position is inconsistent: On one hand, in its stand on encryption, the Clinton administration insists that regulatory legislation is necessary. It also supports regulation to control copyright in the administration-backed World Intellectual Property Organization (WIPO) bill currently making its way through Congress. And it supported attempts to legislate online content, in the ill-fated Communications Decency Act.

Deirdre Mulligan, senior counsel for the Center for Democracy and Technology in Washington, insists that self-regulation cannot work without at least some basic legal guidelines; the organization is arguing for the government "to proactively set baselines for industry." To make matters worse, she adds, flimsy existing legislation keeps organizations from effective self-regulation. "There's a disincentive to actually make a privacy statement," she says, because organizations can then be liable for prosecution for deception under a federal act enforced by the Federal Trade Commission. "In the '70s, the U.S. was out in the front on privacy," she says. "We dropped the ball and other people" -- the Europeans -- "picked it up."

"Europe is doing a better job at protecting privacy than the U.S.," agrees Rotenberg, but emphasizes that he thinks the E.U. setup is "preferable, not perfect." He'd like to see Americans have a legal right to access all data held about themselves, a legal framework for enforcement and redress of privacy-rights infringements and a privacy agency within the federal government. But he argues that the U.S. shouldn't mold a policy simply out of a need to keep business channels open once the E.U. directive takes effect. "Ultimately, I do not believe the U.S. should base its privacy policy on the needs of the E.U. directive," he says. "It should be based on the needs of the citizens of the United States."

Now, pressure is increasing to find U.S. and European points of reconciliation before the enactment of the October directive. According to Magaziner, the government is pursuing the idea of privacy-guaranteeing contracts between organizations. Rotenberg views this approach as an increasingly anxious attempt to save the self-regulation model through negotiation; it might indeed work for companies, he says, but still does nothing for individuals.

"We think the government's been pursuing the wrong goal," he says. "They want to make self-regulation work. We want to make privacy work."

Karlin Lillington

Karlin Lillington is a technology writer in Dublin whose work appears regularly in the Guardian, the Irish Times and other publications.
