WIRED on EU Data Protection


Subject: WIRED on EU Data Protection
From: Emanuella Giavarra (ecup.secr@dial.pipex.com)
Date: Mon 18 May 1998 - 14:10:59 EEST


(posted to lis-uknfp)

From WIRED 6.05 (May 1998), page 135.

"Europe to US: No privacy, no trade."

By Simon Davies

As marketers in the US lay the groundwork necessary to transform
mountains of consumer-profile data into nuggets of gold, the European
Union is preparing to make that task even more difficult by launching
the biggest privacy gambit in history. If the European plan succeeds,
every country on Earth will soon adhere to a global privacy code.
If it fails, the United States and Europe could end up in the throes
of an ugly trade war over the international transfer of personal
information.

Beginning October 25, 1998, a group of Brussels bureaucrats (known
locally as "Eurocrats") will oversee the implementation of a new
privacy policy throughout Europe. Under this regime, known as the
European Data Protection Directive, any country that trades personal
information with the UK, France, Germany, Spain, Italy, or any of
the other 10 EU states will be required to embrace Europe's strict
standards for privacy protection.

No privacy, no trade. It's that simple.

The new rules will oblige every country within the European Union
to conform to a common set of standards that bind all governments
and corporations to a rigorous system of privacy protection. Under
the directive, European citizens are guaranteed a bundle of rights,
including the right of access to their data, the right to know where
the data originated, the right to have inaccurate data rectified,
the right of recourse in the event of unlawful processing, and the
right to withhold permission to use their data for direct marketing.

Enforceability lies at the heart of the directive. In seeking to
guarantee that its citizens have privacy rights that are enshrined
in explicit rules, the EU has set up procedures that will allow
individuals to appeal to a legal authority if their rights are
violated. Every European country will have a privacy commissioner or
agency to enforce the law. The EU will expect the countries with which
it does business to do the same - and that includes the United States.

The sting on the tail is contained in Article 25 of the directive.
European countries will not be allowed to send personal information
to countries that do not maintain adequate standards of privacy.
Thus, a French company that wants to send credit card information
to a data-processing company in China will not be able to do so. China
has no privacy law, and no interest in privacy. The United States,
likewise, has few guaranteed privacy protections for the private
sector. As a result, the US may soon find itself unable to access
personal data relating to almost half of the developed world.

Unless a way forward is found in the next few months, a huge chunk
of business between the world's two biggest economic blocs may
hit the buffers. At stake is the future of banking, travel, credit
card transactions, electronic commerce, and government business.
In cyberspace, the European rules may create new headaches for Web
sites that use cookies or profiling systems such as Aptex Software's
SelectCast. "If the data collected by a cookie or profile links to the
name of a specific European individual, it can trigger the directive,"
says Peter P. Swire, a law professor at Ohio State University.

The cost of implementing the European directive will be high. The
United Kingdom estimates that compliance will cost British companies
roughly £1.4 billion (about US$2.3 billion) - which suggests that
the combined European figure will add up to the equivalent of $15 to
$20 billion.

For US companies, the transition will be awkward. Consider one
example: In November 1994 Citibank concluded a cobranding agreement
with the German National Railway that was to form the basis of the
biggest credit card project in German history. It soon emerged,
however, that personal data on millions of German citizens would be
processed in the US. The news triggered a public outcry, and German
data-protection authorities bluntly told Citibank and the railway that
the arrangement would be prohibited unless the two companies could
devise an acceptable way to protect the privacy of cardholders. The
benchmark laid down by local authorities was even stricter than the EU
directive's - Citibank must guarantee privacy standards at least equal
to those that exist under German law.

After six months of intense negotiations, the companies signed a
contractual agreement that required both parties to institute a wide
range of privacy protections. The agreement was applauded in Europe as
a huge step forward, but it also required Citibank to make significant
changes in the way it manages customer information. While Citibank has
not calculated the exact cost of these changes, one company
representative describes them as having required "a substantial
expenditure of resources to implement."

As the directive's October deadline draws near, lawyers in the US
and Europe have been scrambling to find ways to reduce the potential
havoc. Nevertheless, governments on both sides of the Atlantic appear
to be spoiling for a fight.

The message from Washington, DC, has been consistent and unequivocal:
The US will not play ball with European notions of privacy, nor will
it allow privacy laws to become a barrier to trade. As White House
technology adviser Ira Magaziner recently told the National Press
Club, "If we have to go to the World Trade Organization about it, we
will."

For its part Brussels has been single-minded in its determination
to pursue the privacy directive's goals. Germany's Spiros Simitis,
the world's first data-protection commissioner, told an audience
in Washington, "Don't imagine for a moment that you can get away
with paying lip service to privacy. Europe requires a regime of real
protection. That is the new global position."

Culture clash

Ulf Bruhann is sitting in his office in 200 Rue de la Loi, Brussels,
contemplating the impact of the directive. As head of the EU unit
responsible for its implementation, he is anxious to ensure that the
world takes him seriously.

Bruhann wants the US to understand that Europe is committed to the
directive and will fight for it. Last year he told a meeting of
government privacy commissioners from 25 countries that the EU will
insist that its trading partners embrace data-protection policies
that not only guarantee data security and the "transparency" of
data-processing procedures, but which also give citizens comprehensive
access to their files.

Bruhann was clear about the sort of privacy policy he expected other
countries to establish: "Appropriate institutional and enforcement
mechanisms must be in place to ensure that rules are complied with
in practice, that support and help is available to individuals
who do have problems, and that ultimately a remedy is available
to individuals so that breaches of the rules can be put right and
compensation paid if appropriate."

Numerous non-EU countries have already responded to the directive
by instituting tough privacy laws. Canada's federal government, for
example, has proposed a new privacy regime to control private-sector
activities. But in the US, the history of efforts to pass omnibus
privacy laws is replete with failure. Direct marketers, credit card
companies, and representatives from the US finance industry have
consistently mobilized opposition, warning of imminent financial woes
should strict privacy rules become law. The subtext to the corporate
threat is the notion that the public has become weary of expensive
federal agencies. According to Jim Tobin, vice president of public
affairs for American Express in Europe, "The market can develop
privacy solutions. No one needs another cumbersome government
regulator."

According to Bruhann, the key question now facing the European
authorities is not whether action should be taken to enforce the
directive, but "how far do we need to go?"

SABRE rattling

Sweden has already tested the waters. Last year, in what could well be
a sign of things to come, Sweden's privacy watchdog, Anitha Bondestam,
instructed American Airlines to delete all health and medical details
on Swedish passengers after each flight unless "explicit consent"
could be obtained. These details (information about allergies, asthma
notification, dietary needs, disabled access, and so on) are routinely
collected, but Bondestam's order meant that American would be unable
to transmit the information to its SABRE central reservation system in
the US.

The airline appealed to Stockholm's District Administrative Court,
arguing it was "impractical" to obtain consent. American further
argued that people would be inconvenienced if they had to repeat
the information each time they flew. The court was unconvinced.
Inconvenience, it concluded, does not constitute an exemption from
legal rules for the protection of data. American launched a second
action in the Administrative Court of Appeal, but the airline lost
this case, too, and the matter now rests before Sweden's Supreme
Administrative Court. In the meantime, the export and processing of
medical data to American's reservation system has been suspended.

Under the privacy directive, any of the EU's 350 million-plus citizens
will be able to file a claim over abuse of personal data that can be
pursued all the way to the European Court of Human Rights - one of the
EU's highest judicial authorities. At any point during this arduous
process, business contracts can be suspended, injunctions can halt
data flows, and compensation can be claimed. The publicly funded
privacy watchdog of each EU nation is required by law to act on behalf
of citizens whose rights have been violated. If the national watchdog
- or, indeed, Brussels itself - fails in this duty, the European court
system can be invoked. Procedure, in other words, must be followed.

While this prospect has sent shivers down the spines of US businesses
that trade with Europe, the Clinton administration has taken a hard
line on the question of appointing a government privacy watchdog. "We
don't recognize the validity of that approach," says Magaziner. "We
would say the US has equivalent privacy protection. I don't believe it
is lesser. I believe it is different."

The American way

Brussels is baffled by the US position, but the White House believes
that European demands can be met by a mix of privacy-friendly
business-to-business contracts, self-regulation schemes, and
technology-based privacy-protection systems.

US businesses are eager to find nonlegislative solutions. Last
December Ron Plesser, a Washington, DC, lobbyist, announced the
release of a self-regulatory code of conduct for individual reference
services such as Metromail, CDB Infotek, and Lexis-Nexis's P-Trak.
The code limits the use and collection of personal information, while
relying on independent auditors to monitor compliance.

At the same time, US technologists are working to build privacy
mechanisms such as P3P and TRUSTe into the architecture of
cyberspace. Developed by the World Wide Web Consortium, P3P - the
Platform for Privacy Preferences Project - allows Internet users to
set default preferences for the collection, use, and disclosure of
personal information on the Web. TRUSTe, on the other hand, is more
like a seal of approval - it uses a standardized icon to link to a
company's privacy practices and indicate that these practices are
monitored by outside auditors.

None of these options is perfect. To date, market acceptance of
technological tools like P3P and TRUSTe has been limited. Ron
Plesser's code of conduct for reference services has been widely
criticized as a ploy to stave off government regulation while not
going nearly far enough to protect personal privacy.

Meanwhile, the man responsible for the evolution of Citibank's
contract with the German National Railway - Berlin deputy privacy
commissioner Alexander Dix - believes that the contract model offers
only a partial answer for US businesses. Small and medium-size
companies, he warns, may not be able to afford complex contracts.
"Contractual standard setting by private corporations can only
complement and support - but never replace - national legislation,"
he says. The process might well be endless, paralyzing deals and
complicating intricate multilevel negotiations. In hopes of avoiding
such an outcome, several US banks and other companies are working to
develop "model" contracts that could be used in cookie-cutter fashion.

The mere existence of such potential solutions means that for the
moment, at least, few people in Europe want to talk openly about
a trade war with the US. Anitha Bondestam says she is in constant
contact with Ira Magaziner and other US officials to arrive at a
"negotiated" agreement.

But there's still a long way to go before the EU will be satisfied.
The view from Brussels is that no current US self-regulation
system would be acceptable to a European privacy commissioner. The
White House has called for submissions on what it calls "effective
self-regulation," but US industry will be required to review the
fundamentals of its current business practices if it wants to get
anywhere in transactions across the Atlantic.

In the long term, the EU's goal is to create a global privacy
arrangement similar to the intellectual property treaty now being
pushed by the World Intellectual Property Organization. For the US,
accustomed to leadership in such global matters and eager to promote
ecommerce, the EU's new privacy stance is proving difficult to
comprehend.

###

+++++++++++++++++
Simon Davies (simon@privacy.org) is a visiting fellow at the London
School of Economics and director of the watchdog group Privacy
International.

Copyright © 1998 Wired Ventures Inc. and affiliated companies.
All rights reserved.



This archive was generated by hypermail 2a24 : Thu 28 Mar 2024 - 01:20:15 EET