<nettime> Europe to US: No privacy, no trade

["(--Todd Lappin-->)" <telstar@wired.com>]

>From WIRED 6.05 (May 1998), page 135.

"Europe to US: No privacy, no trade."

By Simon Davies


As marketers in the US lay the groundwork necessary to transform mountains
of consumer-profile data into nuggets of gold, the European Union is
preparing to make that task even more difficult by launching the biggest
privacy gambit in history. If the European plan succeeds, every country on
Earth will soon adhere to a global privacy code. If it fails, the United
States and Europe could end up in the throes of an ugly trade war over the
international transfer of personal information.

Beginning October 25, 1998, a group of Brussels bureaucrats (known locally
as "Eurocrats") will oversee the implementation of a new privacy policy
throughout Europe. Under this régime, known as the European Data Protection
Directive, any country that trades personal information with the UK,
France, Germany, Spain, Italy, or any of the other 10 EU states will be
required to embrace Europe's strict standards for privacy protection.

No privacy, no trade. It's that simple.

The new rules will oblige every country within the European Union to
conform to a common set of standards that bind all governments and
corporations to a rigorous system of privacy protection. Under the
directive, European citizens are guaranteed a bundle of rights, including
the right of access to their data, the right to know where the data
originated, the right to have inaccurate data rectified, the right of
recourse in the event of unlawful processing, and the right to withhold
permission to use their data for direct marketing.

Enforceability lies at the heart of the directive. In seeking to guarantee
that its citizens have privacy rights that are enshrined in explicit rules,
the EU has set up procedures that will allow individuals to appeal to a
legal authority if their rights are violated. Every European country will
have a privacy commissioner or agency to enforce the law. The EU will
expect the countries with which it does business to do the same - and that
includes the United States.

The sting on the tail is contained in Article 25 of the directive. European
countries will not be allowed to send personal information to countries
that do not maintain adequate standards of privacy. Thus, a French company
that wants to send credit card information to a data-processing company in
China will not be able to do so. China has no privacy law, and no interest
in privacy. The United States, likewise, has few guaranteed privacy
protections for the private sector. As a result, the US may soon find itself
unable to access personal data relating to almost half of the developed
world.

Unless a way forward is found in the next few months, a huge chunk of
business between the world's two biggest economic blocs may hit the
buffers. At stake is the future of banking, travel, credit card
transactions, electronic commerce, and government business. In cyberspace,
the European rules may create new headaches for Web sites that use cookies
or profiling systems such as Aptex Software's SelectCast. "If the data
collected by a cookie or profile links to the name of a specific European
individual, it can trigger the directive," says Peter P. Swire, a law
professor at Ohio State University.

The cost of implementing the European directive will be high. The United
Kingdom estimates that compliance will cost British companies roughly £1.4
billion (about US$2.3 billion) - which suggests that the combined European
figure will add up to the equivalent of $15 to $20 billion.

For US companies, the transition will be awkward. Consider one example: In
November 1994 Citibank concluded a cobranding agreement with the German
National Railway that was to form the basis of the biggest credit card
project in German history. It soon emerged, however, that personal data on
millions of German citizens would be processed in the US. The news
triggered a public outcry, and German data-protection authorities bluntly
told Citibank and the railway that the arrangement would be prohibited
unless the two companies could devise an acceptable way to protect the
privacy of cardholders. The benchmark laid down by local authorities was
even stricter than the EU directive's - Citibank must guarantee privacy
standards at least equal to those that exist under German law.

After six months of intense negotiations, the companies signed a
contractual agreement that required both parties to institute a wide range
of privacy protections. The agreement was applauded in Europe as a huge
step forward, but it also required Citibank to make significant changes in
the way it manages customer information. While Citibank has not calculated
the exact cost of these changes, one company representative describes them
as having required "a substantial expenditure of resources to implement."

As the directive's October deadline draws near, lawyers in the US and
Europe have been scrambling to find ways to reduce the potential havoc.
Nevertheless, governments on both sides of the Atlantic appear to be
spoiling for a fight.
The message from Washington, DC, has been consistent and unequivocal: The
US will not play ball with European notions of privacy, nor will it allow
privacy laws to become a barrier to trade. As White House technology
adviser Ira Magaziner recently told the National Press Club, "If we have to
go to the World Trade Organization about it, we will."

For its part Brussels has been single-minded in its determination to pursue
the privacy directive's goals. Germany's Spiros Simitis, the world's first
data-protection commissioner, told an audience in Washington, "Don't
imagine for a moment that you can get away with paying lip service to
privacy. Europe requires a régime of real protection. That is the new
global position."


Culture clash

Ulf Brühann is sitting in his office in 200 Rue de la Loi, Brussels,
contemplating the impact of the directive. As head of the EU unit
responsible for its implementation, he is anxious to ensure that the world
takes him seriously.

Brühann wants the US to understand that Europe is committed to the
directive and will fight for it. Last year he told a meeting of government
privacy commissioners from 25 countries that the EU will insist that its
trading partners embrace data-protection policies that not only guarantee
data security and the "transparency" of data-processing procedures, but
which also give citizens comprehensive access to their files.

Brühann was clear about the sort of privacy policy he expected other
countries to establish: "Appropriate institutional and enforcement
mechanisms must be in place to ensure that rules are complied with in
practice, that support and help is available to individuals who do have
problems, and that ultimately a remedy is available to individuals so that
breaches of the rules can be put right and compensation paidif appropriate."

Numerous non-EU countries have already responded to the directive by
instituting tough privacy laws. Canada's federal government, for example,
has proposed a new privacy régime to control private-sector activities. But
in the US, the history of efforts to pass omnibus privacy laws is replete
with failure. Direct marketers, credit card companies, and representatives
from the US finance industry have consistently mobilized opposition, warning
of imminent financial woes should strict privacy rules become law. The
subtext to the corporate threat is the notion that the public has become
weary of expensive federal agencies. According to Jim Tobin, vice president
of public affairs for American Express in Europe, "The market can develop
privacy solutions. No one needs another cumbersome government regulator."

According to Brühann, the key question now facing the European authorities
is not whether action should be taken to enforce the directive, but "how
far do we need to go?"

SABRE rattling

Sweden has already tested the waters. Last year, in what could well be a
sign of things to come, Sweden's privacy watchdog, Anitha Bondestam,
instructed American Airlines to delete all health and medical details on
Swedish passengers after each þight unless "explicit consent" could be
obtained. These details (information about allergies, asthma notification,
dietary needs, disabled access, and so on) are routinely collected, but
Bondestam's order meant that American would be unable to transmit the
information to its SABRE central reservation system in the US.

The airline appealed to Stockholm's District Administrative Court, arguing
it was "impractical" to obtain consent. American further argued that people
would be inconvenienced if they had to repeat the information each time
they þew. The court was unconvinced. Inconvenience, it concluded, does not
constitute an exemption from legal rules for the protection of data.
American launched a second action in the Administrative Court of Appeal,
but the airline lost this case, too, and the matter now rests before
Sweden's Supreme Administrative Court. In the meantime, the export and
processing of medical data to American's reservation system has been
suspended.

Under the privacy directive, any of the EU's 350 million-plus citizens will
be able to file a claim over abuse of personal data that can be pursued all
the way to the European Court of Human Rights - one of the EU's highest
judicial authorities. At any point during this arduous process, business
contracts can be suspended, injunctions can halt data þows, and
compensation can be claimed. The publicly funded privacy watchdog of each
EU nation is required by law to act on behalf of citizens whose rights have
been violated. If the national watchdog - or, indeed, Brussels itself -
fails in this duty, the European court system can be invoked. Procedure, in
other words, must be followed.

While this prospect has sent shivers down the spines of US businesses that
trade with Europe, the Clinton administration has taken a hard line on the
question of appointing a government privacy watchdog. "We don't recognize
the validity of that approach," says Magaziner. "We would say the US has
equivalent privacy protection. I don't believe it is lesser. I believe it
is different."


The American way

Brussels is bafþed by the US position, but the White House believes that
European demands can be met by a mix of privacy-friendly
business-to-business contracts, self-regulation schemes, and
technology-based privacy-protection systems.

US businesses are eager to find nonlegislative solutions. Last December Ron
Plesser, a Washington, DC, lobbyist, announced the release of a
self-regulatory code of conduct for individual reference services such as
Metromail, CDB Infotek, and Lexis-Nexis's P-Trak. The code limits the use
and collection of personal information, while relying on independent
auditors to monitor compliance.

At the same time, US technologists are working to build privacy mechanisms
such as P3P and TRUSTe into the architecture of cyberspace. Developed by
the World Wide Web Consortium, P3P - the Platform for Privacy Preferences
Project - allows Internet users to set default preferences for the
collection, use, and disclosure of personal information on the Web. TRUSTe,
on the other hand, is more like a seal of approval - it uses a standardized
icon to link to a company's privacy practices and indicate that these
practices are monitored by outside auditors.

None of these options is perfect. To date, market acceptance of
technological tools like P3P and TRUSTe has been limited. Ron Plesser's
code of conduct for reference services has been widely criticized as a ploy
to stave off government regulation while not going nearly far enough to
protect personal privacy.

Meanwhile, the man responsible for the evolution of Citibank's contract
with the German National Railway - Berlin deputy privacy commissioner
Alexander Dix - believes that the contract model offers only a partial
answer for US businesses. Small and medium-size companies, he warns, may
not be able to afford complex contracts. "Contractual standard setting by
private corporations can only complement and support - but never replace -
national legislation," he says. The process might well be endless,
paralyzing deals and complicating intricate multilevel negotiations. In
hopes of avoiding such an outcome, several US banks and other companies are
working to develop "model" contracts that could be used in cookie-cutter
fashion.

The mere existence of such potential solutions means that for the moment,
at least, few people in Europe want to talk openly about a trade war with
the US. Anitha Bondestam says she is in constant contact with Ira Magaziner
and other US officials to arrive at a "negotiated" agreement.

But there's still a long way to go before the EU will be satisfied. The view
from Brussels is that no current US self-regulation system would be
acceptable to a European privacy commissioner. The White House has called
for submissions on what it calls "effective self-regulation," but US
industry will be required to review the fundamentals of its current
business practices if it wants to get anywhere in transactions across the
Atlantic.

In the long term, the EU's goal is to create a global privacy arrangement
similar to the intellectual property treaty now being pushed by the World
Intellectual Property Organization. For the US, accustomed to leadership in
such global matters and eager to promote ecommerce, the EU's new privacy
stance is proving difficult to comprehend.
###

=================
Simon Davies (simon@privacy.org) is a visiting fellow at the London School
of Economics and director of the watchdog group Privacy International.

Copyright © 1998 Wired Ventures Inc. and affiliated companies.
All rights reserved.
---
#  distributed via nettime-l : no commercial use without permission
#  <nettime> is a closed moderated mailinglist for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: majordomo@desk.nl and "info nettime-l" in the msg body
#  URL: http://www.desk.nl/~nettime/  contact: nettime-owner@desk.nl