By Simon Davies
As marketers in the US lay the groundwork necessary to transform mountains of consumer-profile data into nuggets of gold, the European Union is preparing to make that task even more difficult by launching the biggest privacy gambit in history. If the European plan succeeds, every country on Earth will soon adhere to a global privacy code. If it fails, the United States and Europe could end up in the throes of an ugly trade war over the international transfer of personal information.
No privacy, no trade. It's that simple.
The new rules will oblige every country within the European Union to conform to a common set of standards that bind all governments and corporations to a rigorous system of privacy protection. Under the directive, European citizens are guaranteed a bundle of rights, including the right of access to their data, the right to know where the data originated, the right to have inaccurate data rectified, the right of recourse in the event of unlawful processing, and the right to withhold permission to use their data for direct marketing.
Enforceability lies at the heart of the directive. In seeking to guarantee that its citizens have privacy rights that are enshrined in explicit rules, the EU has set up procedures that will allow individuals to appeal to a legal authority if their rights are violated. Every European country will have a privacy commissioner or agency to enforce the law. The EU will expect the countries with which it does business to do the same - and that includes the United States.
The sting in the tail is contained in Article 25 of the directive. European countries will not be allowed to send personal information to countries that do not maintain adequate standards of privacy. Thus, a French company that wants to send credit card information to a data-processing company in China will not be able to do so. China has no privacy law, and no interest in privacy.
The United States, likewise, has few guaranteed privacy protections for the private sector. As a result, the US may soon find itself unable to access personal data relating to almost half of the developed world.
The cost of implementing the European directive will be high. The United Kingdom estimates that compliance will cost British companies roughly £1.4 billion (about US$2.3 billion) - which suggests that the combined European figure will add up to the equivalent of $15 to $20 billion.
For US companies, the transition will be awkward. Consider one example: In November 1994 Citibank concluded a cobranding agreement with the German National Railway that was to form the basis of the biggest credit card project in German history. It soon emerged, however, that personal data on millions of German citizens would be processed in the US. The news triggered a public outcry, and German data-protection authorities bluntly told Citibank and the railway that the arrangement would be prohibited unless the two companies could devise an acceptable way to protect the privacy of cardholders. The benchmark laid down by local authorities was even stricter than the EU directive's - Citibank must guarantee privacy standards at least equal to those that exist under German law.
After six months of intense negotiations, the companies signed a contractual agreement that required both parties to institute a wide range of privacy protections. The agreement was applauded in Europe as a huge step forward, but it also required Citibank to make significant changes in the way it manages customer information. While Citibank has not calculated the exact cost of these changes, one company representative describes them as having required "a substantial expenditure of resources to implement."
As the directive's October deadline draws near, lawyers in the US and Europe have been scrambling to find ways to reduce the potential havoc. Nevertheless, governments on both sides of the Atlantic appear to be spoiling for a fight.
The message from Washington, DC, has been consistent and unequivocal: The US will not play ball with European notions of privacy, nor will it allow privacy laws to become a barrier to trade. As White House technology adviser Ira Magaziner recently told the National Press Club, "If we have to go to the World Trade Organization about it, we will."
For its part, Brussels has been single-minded in its determination to pursue the privacy directive's goals. Germany's Spiros Simitis, the world's first data-protection commissioner, told an audience in Washington, "Don't imagine for a moment that you can get away with paying lip service to privacy. Europe requires a régime of real protection. That is the new global position."
Ulf Brühann is sitting in his office in 200 Rue de la Loi, Brussels, contemplating the impact of the directive. As head of the EU unit responsible for its implementation, he is anxious to ensure that the world takes him seriously.
Brühann wants the US to understand that Europe is committed to the directive and will fight for it. Last year he told a meeting of government privacy commissioners from 25 countries that the EU will insist that its trading partners embrace data-protection policies that not only guarantee data security and the "transparency" of data-processing procedures, but which also give citizens comprehensive access to their files.
Numerous non-EU countries have already responded to the directive by instituting tough privacy laws. Canada's federal government, for example, has proposed a new privacy régime to control private-sector activities. But in the US, the history of efforts to pass omnibus privacy laws is replete with failure. Direct marketers, credit card companies, and representatives from the US finance industry have consistently mobilized opposition, warning of imminent financial woes should strict privacy rules become law. The subtext to the corporate threat is the notion that the public has become weary of expensive federal agencies. According to Jim Tobin, vice president of public affairs for American Express in Europe, "The market can develop privacy solutions. No one needs another cumbersome government regulator."
According to Brühann, the key question now facing the European authorities is not whether action should be taken to enforce the directive, but "how far do we need to go?"
Sweden has already tested the waters. Last year, in what could well be a sign of things to come, Sweden's privacy watchdog, Anitha Bondestam, instructed American Airlines to delete all health and medical details on Swedish passengers after each flight unless "explicit consent" could be obtained. These details (information about allergies, asthma notification, dietary needs, disabled access, and so on) are routinely collected, but Bondestam's order meant that American would be unable to transmit the information to its SABRE central reservation system in the US.
The airline appealed to Stockholm's District Administrative Court, arguing it was "impractical" to obtain consent. American further argued that people would be inconvenienced if they had to repeat the information each time they flew. The court was unconvinced. Inconvenience, it concluded, does not constitute an exemption from legal rules for the protection of data. American launched a second action in the Administrative Court of Appeal, but the airline lost this case, too, and the matter now rests before Sweden's Supreme Administrative Court. In the meantime, the export and processing of medical data to American's reservation system has been suspended.
Under the privacy directive, any of the EU's 350 million-plus citizens will be able to file a claim over abuse of personal data that can be pursued all the way to the European Court of Human Rights - one of the EU's highest judicial authorities. At any point during this arduous process, business contracts can be suspended, injunctions can halt data flows, and compensation can be claimed. The publicly funded privacy watchdog of each EU nation is required by law to act on behalf of citizens whose rights have been violated. If the national watchdog - or, indeed, Brussels itself - fails in this duty, the European court system can be invoked. Procedure, in other words, must be followed.
While this prospect has sent shivers down the spines of US businesses that trade with Europe, the Clinton administration has taken a hard line on the question of appointing a government privacy watchdog. "We don't recognize the validity of that approach," says Magaziner. "We would say the US has equivalent privacy protection. I don't believe it is lesser. I believe it is different."
The American way
Brussels is baffled by the US position, but the White House believes that European demands can be met by a mix of privacy-friendly business-to-business contracts, self-regulation schemes, and technology-based privacy-protection systems.
US businesses are eager to find nonlegislative solutions. Last December Ron Plesser, a Washington, DC, lobbyist, announced the release of a self-regulatory code of conduct for individual reference services such as Metromail, CDB Infotek, and Lexis-Nexis's P-Trak. The code limits the use and collection of personal information, while relying on independent auditors to monitor compliance.
At the same time, US technologists are working to build privacy mechanisms such as P3P and TRUSTe into the architecture of cyberspace. Developed by the World Wide Web Consortium, P3P - the Platform for Privacy Preferences Project - allows Internet users to set default preferences for the collection, use, and disclosure of personal information on the Web. TRUSTe, on the other hand, is more like a seal of approval - it uses a standardized icon to link to a company's privacy practices and indicate that these practices are monitored by outside auditors.
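To make concrete what "setting default preferences for the collection, use, and disclosure of personal information" means in practice, here is an added illustration that is not part of the original article and not code from the W3C or any of the companies named. It evaluates a site's P3P compact policy (the short `CP="..."` token string later standardised in P3P 1.0, which post-dates this article) against a user's default preferences and lists every point on which the site's stated practices fall short. The token vocabulary and their grouping are as the author of this example recalls them from the P3P 1.0 specification; the preference defaults, the two sample header values and the names `parse_compact_policy`, `Preferences` and `evaluate` are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# P3P 1.0 compact-policy tokens grouped by policy element (assumption: vocabulary
# reproduced from memory of the W3C spec, not from the article above).
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "OTR", "UNR", "PUB"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORY = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM", "CNT",
            "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
DISPUTES = {"DSP"}
REMEDY = {"COR", "MON", "LAW"}

# A token is three capitals plus an optional opt suffix: a=always, i=opt-in, o=opt-out.
TOKEN_RE = re.compile(r"^([A-Z]{3})([aio])?$")


@dataclass
class CompactPolicy:
    access: set = field(default_factory=set)
    purposes: dict = field(default_factory=dict)    # token -> opt suffix
    recipients: dict = field(default_factory=dict)  # token -> opt suffix
    retention: set = field(default_factory=set)
    categories: set = field(default_factory=set)
    disputes: bool = False
    remedies: set = field(default_factory=set)
    unknown: list = field(default_factory=list)     # tokens we could not classify


def parse_compact_policy(header_value: str) -> CompactPolicy:
    """Parse the value of a P3P response header such as 'CP="CAO DSP COR CURa OUR"'."""
    m = re.search(r'CP="([^"]*)"', header_value)
    if not m:
        raise ValueError('no CP="..." compact policy found in header')
    policy = CompactPolicy()
    for raw in m.group(1).split():
        t = TOKEN_RE.match(raw)
        if not t:
            policy.unknown.append(raw)
            continue
        tok, opt = t.group(1), t.group(2) or "a"
        if tok in ACCESS:
            policy.access.add(tok)
        elif tok in PURPOSE:
            policy.purposes[tok] = opt
        elif tok in RECIPIENT:
            policy.recipients[tok] = opt
        elif tok in RETENTION:
            policy.retention.add(tok)
        elif tok in CATEGORY:
            policy.categories.add(tok)
        elif tok in DISPUTES:
            policy.disputes = True
        elif tok in REMEDY:
            policy.remedies.add(tok)
        else:
            policy.unknown.append(raw)
    return policy


@dataclass
class Preferences:
    """A user's default preferences (constructed defaults, roughly the directive's rights)."""
    refuse_recipients: set = field(default_factory=lambda: {"UNR", "PUB"})  # no unrelated third parties
    refuse_categories: set = field(default_factory=lambda: {"HEA", "FIN"})  # no health or financial data
    opt_in_purposes: set = field(default_factory=lambda: {"CON", "TEL"})    # contact/telemarketing needs opt-in
    refuse_retention: set = field(default_factory=lambda: {"IND"})          # no indefinite retention
    require_access: bool = True      # the right of access to one's own data
    require_disputes: bool = True    # the right of recourse


def evaluate(policy: CompactPolicy, prefs: Preferences) -> list:
    """Return the list of ways the policy conflicts with the preferences (empty = acceptable)."""
    problems = []
    for r, opt in sorted(policy.recipients.items()):
        if r in prefs.refuse_recipients and opt != "i":
            problems.append(f"shares data with {r} without opt-in")
    for c in sorted(policy.categories & prefs.refuse_categories):
        problems.append(f"collects refused category {c}")
    for p in sorted(prefs.opt_in_purposes):
        opt = policy.purposes.get(p)
        if opt is not None and opt != "i":
            problems.append(f"uses data for {p} without opt-in")
    for r in sorted(policy.retention & prefs.refuse_retention):
        problems.append(f"retention {r} not acceptable")
    if prefs.require_access and ("NON" in policy.access or not policy.access):
        problems.append("no access to identified data")
    if prefs.require_disputes and not policy.disputes:
        problems.append("no dispute-resolution procedure")
    if policy.unknown:
        problems.append("unrecognised tokens: " + " ".join(policy.unknown))
    return problems


# Constructed sample headers: one that meets the defaults, one that does not.
GOOD_HEADER = 'CP="ALL DSP COR CURa ADMa OUR STP NAV INT"'
BAD_HEADER = 'CP="NON CURa CONo TELo UNR IND HEA FIN NAV"'

if __name__ == "__main__":
    for header in (GOOD_HEADER, BAD_HEADER):
        print(header, "->", evaluate(parse_compact_policy(header), Preferences()) or "accepted")
```

Two design points matter for a practitioner. First, a missing element is treated as a failure, not a pass: a header with no access token and no `DSP` is reported as giving neither access nor recourse, which is the conservative reading when a site says nothing. Second, any token the parser cannot classify is surfaced rather than ignored, so a header that carries free text instead of a policy is flagged instead of silently accepted.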
None of these options is perfect. To date, market acceptance of technological tools like P3P and TRUSTe has been limited. Ron Plesser's code of conduct for reference services has been widely criticized as a ploy to stave off government regulation while not going nearly far enough to protect personal privacy.
Meanwhile, the man responsible for the evolution of Citibank's contract with the German National Railway - Berlin deputy privacy commissioner Alexander Dix - believes that the contract model offers only a partial answer for US businesses. Small and medium-size companies, he warns, may not be able to afford complex contracts. "Contractual standard setting by private corporations can only complement and support - but never replace - national legislation," he says. The process might well be endless, paralyzing deals and complicating intricate multilevel negotiations. In hopes of avoiding such an outcome, several US banks and other companies are working to develop "model" contracts that could be used in cookie-cutter fashion.
The mere existence of such potential solutions means that for the moment, at least, few people in Europe want to talk openly about a trade war with the US. Anitha Bondestam says she is in constant contact with Ira Magaziner and other US officials to arrive at a "negotiated" agreement.
But there's still a long way to go before the EU will be satisfied. The view from Brussels is that no current US self-regulation system would be acceptable to a European privacy commissioner. The White House has called for submissions on what it calls "effective self-regulation," but US industry will be required to review the fundamentals of its current business practices if it wants to get anywhere in transactions across the Atlantic.
In the long term, the EU's goal is to create a global privacy arrangement similar to the intellectual property treaty now being pushed by the World Intellectual Property Organization. For the US, accustomed to leadership in such global matters and eager to promote ecommerce, the EU's new privacy stance is proving difficult to comprehend.
Simon Davies (email@example.com) is a visiting fellow at the London School of Economics and director of the watchdog group Privacy International.