IP: Privacy Rules Send U.S. Firms Scrambling

["Vladimir Z. Nuri" <vznuri@netcom.com>]

From: believer@telepath.com
Subject: IP: Privacy Rules Send U.S. Firms Scrambling
Date: Tue, 20 Oct 1998 10:15:15 -0500
To: believer@telepath.com

Source:  Washington Post
http://www.washingtonpost.com/wp-srv/frompost/oct98/privacy20.htm

Privacy Rules Send U.S. Firms Scrambling 

By Robert O'Harrow Jr. 
Washington Post Staff Writer 
Tuesday, October 20, 1998; Page C1 

Business executives and government regulators have spent years noodling
about whether new rules are needed to protect an individual's right to
privacy in this information age. The European Union, by contrast, agreed
to "harmonize" its member states' tough privacy protections three years
ago, and regulations born of that agreement take effect next Monday, Oct.
26. 

That could be a big problem for many businesses on this side of the
Atlantic. Under the new rules, the EU's 15 member countries are obliged
to prohibit the transmission of names, addresses, ethnicity and other
personal information to any country that fails to provide adequate data
protection as defined under European law. European officials have said
repeatedly over the past year that the patchwork of privacy rules in the
U.S. may not meet their standards. 

Though no one expects the flow of information from Europe to stop
suddenly on Monday, anxiety about the new laws is growing because no
one is sure how they will be applied. Each country will have separate
privacy laws that cover the mandates of the EU directive, and all have
privacy agencies to oversee those laws. 

The kind of information covered by the regulations includes direct-mail
lists, hotel and travel reservations, medical and work records, orders for
products on the World Wide Web and a host of other data. 

Companies also will have to provide detailed disclosures to individuals
about how the data will be used and give those same individuals access to
the information to correct the data. 

To weigh the task at hand, consider that Citibank alone has 7.7 million
consumer accounts and about 9,000 employees in EU countries. 

"The scope is very broad," said Peter Swire, a law professor at Ohio
State University and co-author of "None of Your Business: World Data
Flows, Electronic Commerce, and the European Privacy Directive." 

"For major companies, there will be significant compliance issues," he
said. 

Thomas P. Vartanian, a D.C. lawyer and author of "21st Century Money,
Banking & Commerce," said the effects could be both sweeping and
quotidian. Consider the case of a German tourist who breaks a leg in New
York, he said. The tourist's health plan in Berlin may be unwilling or slow
to send medical records here. 

American companies also may be prohibited from transferring work
records of European employees. Moreover, direct marketers could face
sharp limitations on how they use lists of potential customers. 

Marketers, travel companies and other information-hungry firms in the
United States - from giant International Business Machines Corp. to
start-ups on the World Wide Web - are scrambling to assess what it
could mean for them. And government officials are meeting to head off
any potential crisis on Monday. 

"It holds the potential for leading to disruptions in the flow of data," said
David Aaron, undersecretary for international trade at the Department of
Commerce, who has been involved in talks with officials from the
European Commission. "This could have a major impact." 

The deadline has sharply etched differences in approaches to data
protection. Europeans consider information privacy a human right. Their
dreadful memories of how Nazi Germany used personal records in the
Holocaust played a role in development of the laws. In the United States,
industry and government officials have stubbornly resisted the regulation of
data collection, fearing restraints would stymie commerce and tread on the
First Amendment. 

Privacy advocates in Europe have made it clear they intend to press their
governments to be strict. A group called Privacy International has already
said it intends to monitor an array of U.S. and British companies, including
American Express Co., Citigroup, Microsoft Corp. and Visa
International. 

"Until there is some sense of certainty about how these rules are going to
apply, you're going to get what you always get with business uncertainty,
that is, you get delays and you get increased costs of doing business,"
Vartanian said. 

Charles Prescott, vice president of international business for the Direct
Marketing Association, agreed. "The uncertainty over how the directive
will be turned into local law is causing tremendous anxiety," said Prescott,
adding that hundreds of the group's U.S. members do extensive business
in Europe. 

In an effort to head off disruptions, Commerce Department officials have
been talking for months with counterparts in the European Commission,
the government body that helps coordinate regulations and policies that
affect all EU members. 

Those talks have eased fears of a sudden cutoff of data. Commission
officials said they are impressed by the Clinton administration's efforts to
highlight the importance of data protection and to press industry groups to
come up with a self-regulation framework to ensure privacy on the
Internet. 

"It's [in] nobody's interest, least of all ours, that we have a trade
dispute,"
said John F. Mogg, a director general of the European Commission, who
has been involved in talks with the Commerce Department's Aaron about
the matter. Mogg described the talks as "wholly constructive." 

Both Mogg and Aaron acknowledge, however, that significant differences
remain. Among the sticking points are provisions that give every citizen of
member countries the right to find out what information about them is in a
database and the power to correct mistakes. Few U.S. companies are
prepared to offer such access because of the costs involved. 

The directive also requires each outside country to have an independent
arbitrator to decide whether a company is being forthcoming about its
data. Mogg said that is "fundamental to us." But a system for such
accountability still does not exist in the U.S. Some countries also want
remedies to be available to citizens for violations. 

But officials say there are reasons for optimism. Many companies may be
able to meet the new guidelines by writing contracts that promise to
uphold key provisions, and by giving customers, employees and others
detailed disclosure statements about how their information will be used. 

A group called Privacy & American Business has worked with experts in
the United States and Europe to draft model contracts that would be
helpful, particularly for small and medium-size businesses that can't afford
to enter into lengthy negotiations. 

Companies also may be able to collect information from individuals who
give explicit consent, officials said. 

"The mood now is cautiously optimistic," said Harriet Pearson, director of
public affairs for IBM. Pearson said IBM has been working for more than
a year to prepare for the regulations and is in good shape to comply. But
she added that many questions remain unanswered for large and small
companies alike. "It's a very uncertain equation at this point," she said. 

 � Copyright 1998 The Washington Post Company
-----------------------
NOTE: In accordance with Title 17 U.S.C. section 107, this material is
distributed without profit or payment to those who have expressed a prior
interest in receiving this information for non-profit research and
educational purposes only. For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml
-----------------------


****************************************************
To subscribe or unsubscribe, email:
     majordomo@majordomo.pobox.com
with the message:
     (un)subscribe ignition-point email@address

or (un)subscribe ignition-point-digest email@address
****************************************************
www.telepath.com/believer
****************************************************