Nettime mailing list archives

<nettime> EU as Privacy Cop
. __ . on Tue, 14 Oct 2003 13:16:59 +0200 (CEST)


Well, it's a start...

But it is interesting to see that, this time, the State model, where the
state is the main protector of privacy, could move ahead and the private
model could not live up to its function, because a balance between Privacy
NGOs and the Private Sector seems to be more vulnerable to short-term
"state-sabotage" as it happened in the US concerning Privacy...




[Excerpt: Europe's efforts stem primarily from Germany, where Nazi 
officials pioneered the use of data-sorting machines in their efforts to 
identify people with Jewish ancestry. Memories of that horrific past 
helped spur the state of Hessen to pass the world's first comprehensive 
data-protection rules in 1970. In the decade that followed, Germany used 
data profiling to hunt down left-wing terrorists, monitoring people's 
electricity use, for example, to find safehouses.]


10 October 2003

The Wall Street Journal, October 10, 2003
Europe's New High-Tech Role: Playing Privacy Cop to World

U.S. Firms Run Afoul Of EU Laws on Sharing And Collection of Data


BERLIN -- Last year General Motors Corp. set out to update its 
electronic company phone book, so that with a few keystrokes its 
engineers in, say, Taiwan could look up colleagues in Germany. But an 
unanticipated problem came in the way: Europe's strict privacy laws.

Employee office phone numbers were their "personal" information, 
European authorities said. Bob Rothman, the car maker's chief privacy 
officer, knew what that meant: sending numbers outside the EU would 
require months of legal work through GM's global operations -- or the 
company would be risking a criminal offense in some European countries. 
Not even GM's U.S. headquarters could know the phone numbers, if the 
company didn't take some measures first.

"They were very sympathetic," Mr. Rothman said of Europe's privacy 
watchdogs, but they didn't budge, and GM spent about six months amassing 
piles of legal documentation and other paperwork before it could finish 
the project. "We spent a lot of money, and a lot of time, and a lot of 

While the U.S. has opposed comprehensive regulations to protect 
citizens' privacy, Europe has plowed ahead with the world's toughest set 
of rules governing how companies and governments may deal with personal 
data, such as one's age, marital status, buying patterns -- even the 
information on a standard business card. And as GM's experience shows, 
those rules are increasingly shaping the way businesses operate around 
the globe.

Since establishing its privacy rules eight years ago, an increasingly 
self-assured European Union has exported the privacy standards to other 
countries with similar values. Despite outcries from the U.S., 
EU-inspired laws are now the norm in Canada, South America, Australia, 
New Zealand and parts of Asia.


European privacy laws regulate how companies transmit personal 
information to countries the EU says lack "adequate" privacy laws, 
including the U.S. Some restrictions include:

     • Limits on the amount of information companies can collect.

     • Curbs on a company's ability to share personal data with
marketers or even its own affiliates.

     • Allowances for individuals to see and correct their information.

     • Requirements for companies to erase personal data after a short

The debate over privacy protection is another sign of the EU's growing 
influence as a trading bloc and its emergence as a regulatory 
superpower. In recent years, Europe has flexed its muscle in mergers, 
nixing the proposed marriage of General Electric Co. and Honeywell 
International Inc. In agriculture, Europe's concerns about the potential 
risks of genetically modified food have held up crop planning around the 

Privacy rules attract less attention than these flashpoint issues but 
their impact can be just as great. JetBlue Airways recently acknowledged 
that it provided a Pentagon contractor with information on more than a 
million passengers, causing an outcry in the U.S. In Europe, the action 
wouldn't have just been bad public relations; it would have been 
illegal. In Spain, where data-protection laws are particularly stiff, 
fines for such an action can reach $500,000.

EU laws require retailers to ask permission to collect data, trade it to 
partners, sell it, or even use it for their own marketing -- all common 
practices in the U.S. In addition, companies in Europe are obliged to 
let people see their data and correct it if it is wrong. The law 
restricts how much information companies can collect on customers and 
employees and how long they can keep it. The rules cover more than files 
and statistics: Even video surveillance tapes must be erased after a 
short time.

The U.S. regulates privacy in only a few sensitive areas, such as 
medical and financial records. And while European countries established 
independent government privacy agencies to actively enforce their rules, 
U.S. laws grant similar authority in only a few industries. Most 
companies are left to set their own standards, so long as they don't 
harm their customers. An Iowa State University law professor, Peter 
Swire, served two years as a privacy czar of sorts for the Clinton 
administration. President Bush dissolved the post on taking office. The 
Sept. 11, 2001, terrorist attacks have further weakened Washington's 
will to protect data. Through new laws and new offices, Washington now 
has more unfettered access to citizens' data than ever before. The 
government's top privacy officer is an adviser for the Department of 
Homeland Security.

American antiterrorism measures increasingly clash with European privacy 
laws. Those laws, for instance, don't allow airlines flying from Europe 
to release passenger names and other information that American customs 
authorities are demanding prior to a flight's arrival on U.S. soil. So 
far, European authorities are looking the other way as airlines provide 
the details, such as itineraries, credit-card information and dietary 
preferences. If airlines refuse to cooperate, they face stiff fines and 
even the loss of U.S. landing rights.

Fundamental Differences

Fundamental philosophical differences separate the U.S. and European 
approaches. Europe has defined privacy as a human right, while in the 
U.S. data-protection laws can quickly run afoul of free-speech 
protections enshrined in the Constitution. The dichotomy is most 
apparent in direct marketing. Europe's privacy laws essentially force 
businesses to get permission before they make telemarketing calls to 
their customers. In the U.S., a federal court in Denver recently blocked 
a national do-not-call registry from taking full effect this month, 
saying it violates a company's First Amendment rights. An appeals court 
put that ruling on temporary hold Tuesday, letting the registry proceed 
until the court makes a final ruling.

The U.S. was once in the forefront on data-protection laws. In 1974, 
Congress passed the Privacy Act, one of the world's first laws limiting 
the government's ability to collect, keep, use and disseminate personal 
information on citizens. In the next few decades Congress adopted 
piecemeal laws in response to crises. During congressional hearings to 
confirm Judge Robert Bork's nomination to the Supreme Court in 1987, his 
videotape-rental records became public. Congressional leaders acted 
swiftly, barring video stores from divulging their records. (The law has 
not been updated to mention DVDs, though some legal scholars suggest the 
law would still apply). A law protecting drivers' records came after an 
obsessed fan killed actress Rebecca Schaeffer, tracking her down with 
motor-vehicle records.

"We were the original leaders on privacy," says Alan F. Westin, a 
retired professor of public law and government at Columbia University 
who helped draft the landmark 1974 law and now publishes an industry 
newsletter, Privacy & American Business. "But Europeans would tell you 
that, as they see it, we went to sleep and they moved ahead."

The U.S.'s patchwork of laws crippled its chances of setting the pace 
for the globe, said Mr. Westin. The EU, by contrast, offers an 
all-encompassing system for data protection. Argentina and Chile copied 
Spain's laws, some of the stiffest in Europe, and the laws as drafted in 
Spanish are now sweeping through South America, aided by a common language.

Europe's efforts stem primarily from Germany, where Nazi officials 
pioneered the use of data-sorting machines in their efforts to identify 
people with Jewish ancestry. Memories of that horrific past helped spur 
the state of Hessen to pass the world's first comprehensive 
data-protection rules in 1970. In the decade that followed, Germany used 
data profiling to hunt down left-wing terrorists, monitoring people's 
electricity use, for example, to find safehouses.

Though the efforts were successful, the public's fear of a return to 
widespread government surveillance resulted in another backlash, and 
more data protection laws followed. Soon every German state had at least 
one privacy agency to make sure that governments and companies respected 
data on citizens. By 1995, Germany and a few other European countries 
with similar laws persuaded the European Commission to adopt a strict 
directive, requiring all EU countries to get in line -- a process that 
is now nearly done. The EU expands next year from 15 to 25 countries, 
making it the world's largest trading bloc.

The rules are so broad that global companies assign dozens, and in some 
cases hundreds, of employees to deal with them, enacting far-reaching 
policies and restructuring entire databases. This has helped spur the 
creation of a new breed of executive such as GM's Mr. Rothman: the chief 
privacy officer. Virtually unheard of just five years ago, privacy 
officers have quickly become a fixture, with hundreds of them in the 
U.S. About 40% of top 500 global financial services companies have one, 
according to a survey of 78 companies released this year by Deloitte 
Touche LLP. A cottage industry has sprung up to help guide companies 
into compliance with rules. Lawyers are specializing in the field, and 
consultants in Brussels advertise seminars on data protection.

Global Privacy Center

When GM first encountered the emerging privacy laws, it dealt with them 
as they arose, with GM offices in each country taking whatever steps 
they saw fit to adapt to local legislation. But as the laws multiplied, 
GM last year created a global privacy center, assigning Mr. Rothman to 
lead it. He now coordinates nearly 100 people with at least part-time 
privacy duties in GM offices around the world. The car maker also has a 
variety of special privacy councils focused on specific issues such as 
human resources and marketing.

Mr. Rothman was already familiar with the EU's rules but doubted they 
would apply to something as innocuous as a company's internal phone 
book. One important clause makes it illegal to transfer any personal 
information to countries with "inadequate" laws -- including the U.S. So 
to be safe, Mr. Rothman's office contacted a few European countries to 
make sure it could export GM's office telephone numbers to a U.S. 
computer server and make them available to staff around the world. It 

So how does a U.S. company move data outside Europe? One option is to 
adopt Safe Harbor rules negotiated by the U.S. Department of Commerce. 
Under the program, U.S. companies essentially promise to handle European 
data by Europe's standards outside the EU. Some 394 U.S. companies have 
signed up to handle at least part of their records that way. EU privacy 
authorities say it's one of several ways aimed at helping foreign 
companies move data internationally and avoiding harm to commerce.

At GM, exporting the phone numbers via the Safe Harbor program meant 
spending several months mapping where the phone book might be used and 
by whom. Mr. Rothman's staff then notified the car maker's European 
employees that their office numbers would be sent to headquarters, and 
following European practice, offered them a third-party mediator if they 
objected (nobody did). Finally, the company pressed 200 of its 
affiliates around the world to sign contracts, vowing not to misuse the 
phone numbers -- by, say, selling them to telemarketers. "Can you 
imagine having to have 200 entities sign one contract?" said Mr. 
Rothman. His office set up a special Web site to coordinate the project.

Many of the largest U.S. companies are searching for simpler solutions. 
Some have adopted global, one-size-fits-all approaches, usually based on 
the EU's model. Procter & Gamble Co. and DuPont Co. have announced such 
policies in recent years. "That tends to be the gold standard nowadays," 
said DuPont's corporate counsel, Donald A. Cohn. The company is 
collecting consent forms from all its employees -- even in countries 
where it's not required -- and is asking all its affiliates to sign 
contracts vowing not to abuse the information. When it's done, DuPont 
says it will be prepared to move data easily in any country that adopts 
EU-style laws. A P&G spokeswoman says its global policy is based on the 
European system and already brings its use of phone numbers in 
compliance with EU laws.

A few years ago, GE launched an effort like GM's so its phone book could 
pass EU muster. Since then, it has applied EU-like standards for its 
employee data around the world, says Ivan Fong, GE's CPO.

IMS Health Inc., which collects and then sells information on 
pharmaceutical usage, gathers data from some 29,000 sources in more than 
100 countries. The company employs four chief privacy officers and 
hundreds of employees helping it keep up with privacy regulations, and 
it consults with lawmakers to shape bills, says chairman and chief 
executive David M. Thomas.

Among companies' chief complaints are costs, though numbers remain 
elusive. It can take a company years to enact major and minor changes in 
all its operations, say chief privacy officers. "It's not unlike the 
environmental measures of 30 or 40 years ago," said GE's Mr. Fong. "It's 
so new that companies don't know how to measure the costs."

Write to David Scheer at david.scheer {AT} dowjones.com

Updated October 10, 2003
