[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

IP: ISPI Clips 5.69: EU Law Aims to Protect Privacy of Personal Data

From: "ama-gi ISPI" <[email protected]>
Subject: IP: ISPI Clips 5.69: EU Law Aims to Protect Privacy of Personal Data
Date: Tue, 27 Oct 1998 02:34:54 -0800
To: <[email protected]>

ISPI Clips 5.69: EU Law Aims to Protect Privacy of Personal Data
News & Info from the Institute for the Study of Privacy Issues (ISPI)
Tuesday October 27, 1998
[email protected]
This From: The New York Times, October 26, 1998

European Law Aims to Protect Privacy of Personal Data


FRANKFURT, Germany -- The European Union put into effect a law Sunday
prohibiting U.S.-style buying and selling of personal data, a move that
could interrupt electronic commerce with the United States if the two sides
fail to resolve deep philosophical and legal differences over protecting

The goal of the European law is to prohibit companies from using
information about their customers in ways the customers never intended --
for example, selling it to other companies for use as a marketing tool.

The new law affects an enormous range of information that companies collect
about people in the course of daily business, from credit-card transactions
to magazine subscriptions to telephone records, as well as the electronic
footprints that people leave when they visit sites on the World Wide Web.

The law was adopted three years ago by the European Union after a majority
of its 15 member nations agreed to issue what is known as a directive.
Under European law, each member nation is required to implement the
directive by enacting its own law. Six nations have drafted or passed such
laws so far.

Beyond its impact on Europe, the directive has the potential to disrupt
electronic commerce with the United States. A key provision of the new
measure would prohibit any company doing business in the European Union
from transmitting personal data to any country that does not guarantee
comparable privacy protection -- foremost among them, at this point, the
United States.

American direct-marketing companies, which make money buying, selling and
developing business strategies based on huge data banks of personal
information about consumers, have lobbied hard against government
regulation of their industry. As a result, the Clinton administration has
adopted a more laissez-faire approach under which data industries would be
allowed to police themselves through self-regulatory organizations.

U.S. officials say they agree with Europe on the basic principle that
privacy should be protected but they have big differences about the best
way to carry it out.

"They have privacy czars and bureaucracies, and that kind of top-down
approach would probably be regarded as a violation of privacy rights by
many people in the U.S.," David Aaron, undersecretary of commerce, said of
European nations.

Aaron, who held talks on the issue with European officials in Brussels,
Belgium, earlier this month, added, "We say, 'Let's create a situation
where, if companies agree to follow certain data practices, they can be
held harmless under the new directive."'

If the issue, which neither side paid much attention to until a few months
ago, is not resolved, European officials could theoretically soon begin to
block trans-Atlantic data transfers by multinational corporations and the
growing number of Internet companies.

European officials say they have no plans for any blockades soon, and are
hopeful about reaching a peaceful resolution. Officials from the United
States and Europe say they held constructive positive discussions earlier
this month. The European Commission has scheduled a meeting on the issue
for Monday, and it is expected to seek some kind of temporary solution
while the two sides negotiate.

Underlying the debate is a deeper political issue that is fraught with
cultural baggage. For years, European nations have been far tougher than
the United States about protecting privacy. Many countries essentially ban
telephone marketing to people's homes, and that prohibition is now being
applied to unsolicited sales approaches by fax and e-mail.

Several nations, including Germany and the Netherlands, have government
agencies devoted exclusively to protecting personal data.

Acting as ombudsmen, these agencies investigate complaints from individuals
who believe that companies have mishandled information about them.
Companies that are accused of violating privacy laws can be prosecuted
under criminal laws.

"There is a great difference in attitudes about privacy protection between
Europe and the United States," said Ulrich Sieber, a law professor at the
University of Wuertzburg in Germany.

U.S. privacy laws are far more lax and consist of a hodgepodge of statutes
and regulations enforced by various state and federal agencies charged with
oversight of other industries, like, for instance, those that regulate

In sharp contrast with Europe, an entire industry has arisen in the United
States that specializes in trolling public and private sources for vast
quantities of personal information, like birth records, drivers' license
numbers and torrents of data accumulated by retailers about customers'
individual purchases.

The new European directive embraces several basic principles that national
governments must now translate into their own laws. It requires that
companies tell people when they collect information about them and disclose
how that information will be used. In addition, customers must provide
informed consent before any company can legally use that data.

The law also requires companies to give people access to information about

U.S. officials say they agree with those requirements in principle, but
disagree with giving people unconditional access to information about
themselves, saying access should be allowed only if it is reasonable or
practical to do so.

The more difficult issues are enforcement and policing. Aaron says the
United States wants to give companies a variety of "safe harbors" to
satisfy privacy protection. One idea is to create independent
self-regulatory organizations that would monitor a company's data practices
and would give well-behaved companies what amounts to a stamp of approval.

Another option, they say, should be for companies to deal directly with
European officials and demonstrate that their systems and practices are

But legal experts say the new law could easily take on a life of its own,
because it gives individuals and private organizations the right to sue
companies that they say fail to provide adequate privacy protections.

Industry and government officials worry that independent privacy advocates
in Europe will simply invoke the letter of the law and begin taking U.S.
companies to court.

"I'm not sure the idea of creating safe harbors will be practical, because
people can still go ahead and sue a company regardless of whether the
governments reach an agreement among themselves," said Christopher Kuner, a
lawyer in Frankfurt who specializes in European information law.

In the short term, government and industry officials predict that nothing
much will happen. Most countries have yet to implement their own laws to
carry out the directive. And several countries, including Germany, have had
tough laws in place for years, and companies have found ways to deal with
the requirements.

One of the pioneering cases in Germany involved Citibank, which ran afoul
of German data-protection authorities in 1995. But since Citibank, which
has a major business presence in Germany, demonstrated to government
officials there how its system protected data in the United States, it has
operated without conflicts.

Executives of American Express Co. said they had reached similar agreements
in many countries and that they believed they could live with the new
directive. "It is a crucial issue for us, but it has not been a burden so
far," said James Tobin, an American Express spokesman in London.

John Borking, vice president of the Data Protection Authority of the
Netherlands, said, "We are not information police, and I expect that in the
whole of Europe nothing will happen."

But, added Borking, European governments will always take privacy
protection seriously.

"We are at the beginning of a new information society, and no one really
knows the outcome," he said. "But privacy and trust are important parts of
this society."

Copyright 1998 The New York Times Company

ISPI Clips are news & opinion articles on privacy issues from
all points of view; they are clipped from local, national and international
newspapers, journals and magazines, etc. Inclusion as an ISPI Clip
does not necessarily reflect an endorsement of the content or opinion
by ISPI. In compliance with Title 17 U.S.C. section 107, this material is
distributed free without profit or payment for non-profit research
and educational purposes only.

ISPI Clips is a FREE e-mail service from the "Institute for the Study
of Privacy Issues" (ISPI). To receive "ISPI Clips" on a regular bases
(up to 3 - 8 clips per day) send the following message  "Please
enter [Your Name] into the ISPI Clips list: [Your e-mail address]" to:
[email protected]  .

The Institute for the Study of Privacy Issues (ISPI) is a small
contributor-funded organization based in Victoria, British Columbia
(Canada). ISPI operates on a not-for-profit basis, accepts no
government funding and takes a global perspective.

ISPI's mandate is to conduct & promote interdisciplinary research
into electronic, personal and  financial privacy with a view toward
helping ordinary people understand the degree of privacy they have
with respect to government, industry and each other and to likewise
inform them about techniques to enhance their privacy.

But, none of this can be accomplished without your kind and
generous financial support. If you are concerned about the erosion
of your privacy in general, won't you please help us continue this
important work by becoming an "ISPI Supporter" or by taking out
an institute Membership?

We gratefully accept all contributions:

  Less than $60    ISPI Supporter
          $60 - $99    Primary ISPI Membership (1 year)
      $100 - $300    Senior ISPI Membership (2 years)
More than $300    Executive Council Membership (life)

Your ISPI "membership" contribution entitles you to receive "The ISPI
Privacy Reporter" (our bi-monthly 12 page hard-copy newsletter in
multi-contributor format) for the duration of your membership.

For a contribution form with postal instructions please send the following
message "ISPI Contribution Form" to [email protected] .

We maintain a strict privacy policy. Any information you divulge to ISPI
is kept in strict confidence. It will not be sold, lent or given away to
any third party.

To subscribe or unsubscribe, email:
     [email protected]
with the message:
     (un)subscribe ignition-point [email protected]

or (un)subscribe ignition-point-digest [email protected]