IP: Lines drawn over privacy -- from Privacy mailing

[Dave Farber <farber () cis upenn edu>]

From:    "Simson L. Garfinkel" <simsong () vineyard net> 


03/05/98 By Simson L. Garfinkel


Nearly all Western European nations have data protection laws, which are
backed by commissioners who ensure neither government nor private companies
are overstepping their bounds when handling personal information.


Many businesses go further, with their own rules about respecting the
privacy of customers and employees. These rules are implemented by data
protection officers on the corporate payroll.


But in this country, major corporations and some lawmakers have worked for
more than 20 years to prevent the passage of general privacy legislation.


With so much personal information unprotected, it's only natural for us to
experience a ''privacy Pearl Harbor'' every couple years. For example, in
1988 a Washington newspaper obtained the videocassette rental records of
Judge Robert Bork. Worried about their own privacy, lawmakers passed the
Video Privacy Protection Act, which made it illegal for video stores to
distribute this information.


As a result of that and other incidents, we now have a patchwork of state
and federal privacy statutes. But most personal information remains
unprotected.


In the United States today there is nothing to stop a big pharmacy chain
from taking information it has on prescription medications and contracting
with a direct marketer to remind customers to buy medications - a practice
CVS ceased last month after it was revealed in news reports.


You can't legally prohibit newspapers or magazines from selling your name
to people who want to send you junk mail. And nothing prevents your
supermarket from selling a list of the groceries you rolled through the
checkout line.


In this era of increasing globalization, the European and US privacy
protection regimes are fundamentally in conflict. And while a battle has
been brewing for years, the first shots in an all-out war between the
continents on personal privacy might be just about seven months away.


On Oct. 25, the European Commission's privacy directive governing
''Transborder Flows of Personal Data'' will become law for European Union
member countries. Adopted in 1995 by the EU Parliament, this directive
prohibits companies in the EU from transmitting personal data to other
countries that do not abide by a specified list of data protection
standards. Surprisingly, the privacy directive has received little
attention in the United States, but that could change soon.


The directive's scope is breathtaking. ''Personal data would include
medical data, credit card records, employee records, airline
reservations,'' and even invoices for mail-order products, says Deborah
Hurley, director of Harvard's Information Infrastructure Project, who has
studied the directive for years.


Furthermore, the directive has a number of extraterritorial provisions that
apply to American businesses when their customers are in Europe. Companies
that collect information on European citizens over their World Wide Web
sites might be found in violation of European law, just as European


companies doing business in Cuba can be found in violation of certain US laws.


Many American businesses and lawmakers throw up their hands before
questions of privacy, asking, ''How can privacy coexist with free speech?''
Europeans have been thinking about these issues for more than 20 years.
For the most part, they shake their heads at our ill-informed debates. Of
course privacy laws restrict free speech. So do laws that govern copyright,
defamation, libel, and national security. In a civilized society, both
privacy and free speech are important values.


Europeans see little reason to rehash these debates. Many feel that
Americans, after inventing the idea of data protection in the 1970s, have
given up their right to privacy in the computer age. Europeans do not wish
to follow in our footprints.


Will the Europeans actually make good on their threat and cut the flow of
data or levy fines against US companies? ''This is the international
privacy question at the moment,'' says Hurley.




In recent months Hurley has been asked this question again and again by the
Clinton administration, regulators, and US executives. After spending years
in Paris working for the Organization for Economic Cooperation and
Development on issues of privacy, cryptography, and intellectual property,
she is regarded as one of this country's leading authorities on how
European governments view these issues.


But even Hurley doesn't know the answer. In part, that's because the
Europeans haven't decided themselves.


''The Europeans are serious about it,'' says Hurley. They could start by
levying fines against US firms that violate the privacy of European citizens.


''On one side of the balance is the fact that this would be to the economic
disadvantage of the Europeans,'' says Hurley. ''It would clog or stop
transactions that are beneficial to their economy as well.  On the other
side is the strongly held belief that a citizen of an EU country enjoys
protection of his or her data and privacy, by law.''


One reason the Europeans shouldn't trust us is that we have no federal
commission or official charged with protecting personal privacy. ''There is
an international meeting of Data Protection Commissioners... every year,''
says Hurley. The group just had its 19th meeting. ''The US does not have a
seat at the table.''


Many US firms might argue it's too difficult or expensive to honor
individual privacy. But Hurley says these arguments ring hollow. ''IBM
operates in Europe. American Express operates in Europe. American Airlines
operates in Europe. In order to do that, they are already complying with
European data protection laws. They know how to do it. And they are doing
it.''


They just aren't doing it on this side of the Atlantic.


The complete text of the EU's privacy directive is at
http://www2.echo.lu/legal/en/


Technology writer Simson L. Garfinkel can be reached at
plugged-in () simson net, and runs the SIMSON-SAYS mailing list, which
reprints his Globe columns.  Send "subscribe SIMSON-SAYS" to
majordomo () vineyard net to subscribe.