Europe to U.S.: No privacy, no trade.
By Simon Davies
The European Union has a very simple plan: they
want every country on Earth to adhere to a global privacy code.
As marketers in the US lay the groundwork
necessary to transform mountains of consumer-profile data into nuggets of gold,
the European Union is preparing to make that task even more difficult by
launching the biggest privacy gambit in history. If the European plan succeeds,
every country on Earth will soon adhere to a global privacy code. If it fails,
the United States and Europe could end up in the throes of an ugly trade war
over the international transfer of personal information.
Beginning October 25, 1998, a group of Brussels
bureaucrats (known locally as "Eurocrats") will oversee the
implementation of a new privacy policy throughout Europe. Under this régime,
known as the European Data Protection Directive, any country that trades
personal information with the UK, France, Germany, Spain, Italy, or any of the
other 10 EU states will be required to embrace Europe's strict standards for
privacy protection.
No privacy, no trade. It's that simple.
The new rules will oblige every country within
the European Union to conform to a common set of standards that bind all
governments and corporations to a rigorous system of privacy protection. Under
the directive, European citizens are guaranteed a bundle of rights, including
the right of access to their data, the right to know where the data originated,
the right to have inaccurate data rectified, the right of recourse in the event
of unlawful processing, and the right to withhold permission to use their data
for direct marketing.
Enforceability lies at the heart of the
directive. In seeking to guarantee that its citizens have privacy rights that
are enshrined in explicit rules, the EU has set up procedures that will allow
individuals to appeal to a legal authority if their rights are violated. Every
European country will have a privacy commissioner or agency to enforce the law.
The EU will expect the countries with which it does business to do the same -
and that includes the United States.
The sting in the tail is contained in Article 25
of the directive. European countries will not be allowed to send personal
information to countries that do not maintain adequate standards of privacy.
Thus, a French company that wants to send credit card information to a
data-processing company in China will not be able to do so. China has no
privacy law, and no interest in privacy.
The United States, likewise, has few guaranteed
privacy protections for the private sector. As a result, the US may soon find
itself unable to access personal data relating to almost half of the developed
world.
Unless a way forward is found in the next few
months, a huge chunk of business between the world's two biggest economic blocs
may hit the buffers. At stake is the future of banking, travel, credit card
transactions, electronic commerce, and government business. In cyberspace, the
European rules may create new headaches for Web sites that use cookies or
profiling systems such as Aptex Software's SelectCast. "If the data
collected by a cookie or profile links to the name of a specific European
individual, it can trigger the directive," says Peter P. Swire, a law
professor at Ohio State University.
The cost of implementing the European directive
will be high. The United Kingdom estimates that compliance will cost British
companies roughly £1.4 billion (about US$2.3 billion) - which suggests that the
combined European figure will add up to the equivalent of $15 to $20 billion.
For US companies, the transition will be awkward.
Consider one example: In November 1994 Citibank concluded a cobranding
agreement with the German National Railway that was to form the basis of the
biggest credit card project in German history. It soon emerged, however, that
personal data on millions of German citizens would be processed in the US. The
news triggered a public outcry, and German data-protection authorities bluntly
told Citibank and the railway that the arrangement would be prohibited unless
the two companies could devise an acceptable way to protect the privacy of
cardholders. The benchmark laid down by local authorities was even stricter
than the EU directive's - Citibank must guarantee privacy standards at least
equal to those that exist under German law.
After six months of intense negotiations, the
companies signed a contractual agreement that required both parties to
institute a wide range of privacy protections. The agreement was applauded in
Europe as a huge step forward, but it also required Citibank to make
significant changes in the way it manages customer information. While Citibank
has not calculated the exact cost of these changes, one company representative
describes them as having required "a substantial expenditure of resources
to implement."
As the directive's October deadline draws near,
lawyers in the US and Europe have been scrambling to find ways to reduce the
potential havoc. Nevertheless, governments on both sides of the Atlantic appear
to be spoiling for a fight.
The message from Washington, DC, has been
consistent and unequivocal: The US will not play ball with European notions of
privacy, nor will it allow privacy laws to become a barrier to trade. As White
House technology adviser Ira Magaziner recently told the National Press Club,
"If we have to go to the World Trade Organization about it, we will."
For its part Brussels has been single-minded in
its determination to pursue the privacy directive's goals. Germany's Spiros
Simitis, the world's first data-protection commissioner, told an audience in
Washington, "Don't imagine for a moment that you can get away with paying
lip service to privacy. Europe requires a régime of real protection. That is the
new global position."
Culture clash
Ulf Brühann is sitting in his office in 200 Rue
de la Loi, Brussels, contemplating the impact of the directive. As head of the
EU unit responsible for its implementation, he is anxious to ensure that the
world takes him seriously.
Brühann wants the US to understand that Europe is
committed to the directive and will fight for it. Last year he told a meeting
of government privacy commissioners from 25 countries that the EU will insist
that its trading partners embrace data-protection policies that not only
guarantee data security and the "transparency" of data-processing
procedures, but which also give citizens comprehensive access to their files.
Brühann was clear about the sort of privacy
policy he expected other countries to establish: "Appropriate
institutional and enforcement mechanisms must be in place to ensure that rules
are complied with in practice, that support and help is available to
individuals who do have problems, and that ultimately a remedy is available to
individuals so that breaches of the rules can be put right and compensation
paid if appropriate."
Numerous non-EU countries have already responded
to the directive by instituting tough privacy laws. Canada's federal
government, for example, has proposed a new privacy régime to control
private-sector activities. But in the US, the history of efforts to pass
omnibus privacy laws is replete with failure. Direct marketers, credit card
companies, and representatives from the US finance industry have consistently
mobilized opposition, warning of imminent financial woes should strict privacy
rules become law. The subtext to the corporate threat is the notion that the
public has become weary of expensive federal agencies. According to Jim Tobin,
vice president of public affairs for American Express in Europe, "The
market can develop privacy solutions. No one needs another cumbersome
government regulator."
According to Brühann, the key question now facing
the European authorities is not whether action should be taken to enforce the
directive, but "how far do we need to go?"
SABRE rattling
Sweden has already tested the waters. Last year,
in what could well be a sign of things to come, Sweden's privacy watchdog,
Anitha Bondestam, instructed American Airlines to delete all health and medical
details on Swedish passengers after each flight unless "explicit
consent" could be obtained. These details (information about allergies,
asthma notification, dietary needs, disabled access, and so on) are routinely
collected, but Bondestam's order meant that American would be unable to
transmit the information to its SABRE central reservation system in the US.
The airline appealed to Stockholm's District
Administrative Court, arguing it was "impractical" to obtain consent.
American further argued that people would be inconvenienced if they had to
repeat the information each time they flew. The court was unconvinced.
Inconvenience, it concluded, does not constitute an exemption from legal rules
for the protection of data. American launched a second action in the
Administrative Court of Appeal, but the airline lost this case, too, and the
matter now rests before Sweden's Supreme Administrative Court. In the meantime,
the export and processing of medical data to American's reservation system has
been suspended.
Under the privacy directive, any of the EU's 350
million-plus citizens will be able to file a claim over abuse of personal data
that can be pursued through the national courts and, ultimately, to the
European Court of Justice, the EU's highest judicial authority. At any point during this arduous
process, business contracts can be suspended, injunctions can halt data flows,
and compensation can be claimed. The publicly funded privacy watchdog of each
EU nation is required by law to act on behalf of citizens whose rights have
been violated. If the national watchdog - or, indeed, Brussels itself - fails
in this duty, the European court system can be invoked. Procedure, in other
words, must be followed.
While this prospect has sent shivers down the
spines of US businesses that trade with Europe, the Clinton administration has
taken a hard line on the question of appointing a government privacy watchdog.
"We don't recognize the validity of that approach," says Magaziner.
"We would say the US has equivalent privacy protection. I don't believe it
is lesser. I believe it is different."
The American way
Brussels is baffled by the US position, but the
White House believes that European demands can be met by a mix of
privacy-friendly business-to-business contracts, self-regulation schemes, and
technology-based privacy-protection systems.
US businesses are eager to find nonlegislative
solutions. Last December Ron Plesser, a Washington, DC, lobbyist, announced the
release of a self-regulatory code of conduct for individual reference services
such as Metromail, CDB Infotek, and Lexis-Nexis's P-Trak. The code limits the
use and collection of personal information, while relying on independent
auditors to monitor compliance.
At the same time, US technologists are working to
build privacy mechanisms such as P3P and TRUSTe into the architecture of
cyberspace. Developed by the World Wide Web Consortium, P3P - the Platform for
Privacy Preferences Project - lets Web sites publish their data-handling
practices in machine-readable form and allows Internet users to set default
preferences for the collection, use, and disclosure of personal information,
which their browsers can check against a site's stated practices.
TRUSTe, on the other hand, is more like a seal of approval - it uses a
standardized icon to link to a company's privacy practices and indicate that
these practices are monitored by outside auditors.
None of these options is perfect. To date, market
acceptance of technological tools like P3P and TRUSTe has been limited. Ron
Plesser's code of conduct for reference services has been widely criticized as
a ploy to stave off government regulation while not going nearly far enough to
protect personal privacy.
Meanwhile, the man responsible for the evolution
of Citibank's contract with the German National Railway - Berlin deputy privacy
commissioner Alexander Dix - believes that the contract model offers only a
partial answer for US businesses. Small and medium-size companies, he warns,
may not be able to afford complex contracts. "Contractual standard setting
by private corporations can only complement and support - but never replace -
national legislation," he says. The process might well be endless,
paralyzing deals and complicating intricate multilevel negotiations. In hopes of
avoiding such an outcome, several US banks and other companies are working to
develop "model" contracts that could be used in cookie-cutter
fashion.
The mere existence of such potential solutions
means that for the moment, at least, few people in Europe want to talk openly
about a trade war with the US. Anitha Bondestam says she is in constant contact
with Ira Magaziner and other US officials to arrive at a "negotiated"
agreement.
But there's still a long way to go before the EU
will be satisfied. The view from Brussels is that no current US self-regulation
system would be acceptable to a European privacy commissioner. The White House
has called for submissions on what it calls "effective
self-regulation," but US industry will be required to review the fundamentals
of its current business practices if it wants to get anywhere in transactions
across the Atlantic.
In the long term, the EU's goal is to create a
global privacy arrangement similar to the intellectual property treaty now
being pushed by the World Intellectual Property Organization. For the US,
accustomed to leadership in such global matters and eager to promote ecommerce,
the EU's new privacy stance is proving difficult to comprehend.