EU and US at odds over privacy


Privacy, the question of who has the right to obtain, retain, and perhaps even sell personal information in digital form, is becoming one of the hottest points of contention between the US and the European Union.

A pending European Data Directive, due to come into effect on October 25th, would place far-reaching restrictions on how the Americans could handle European citizens' data, whether obtained over the Internet from Website questionnaires, through product registration cards, credit-card transactions, or through routine processing of information (for example, medical insurance) by multinational companies.

Concern in the US is so strong, and the fallout of the directive so significant, that the issue is being approached at the highest government levels.

The US has always opted for a laissez-faire approach, preferring to let the various industries and organisations which collect data self-regulate. Europe, on the other hand, has "a philosophical view that privacy is a fundamental human right", according to Mr Fergus Glavey, the Data Protection Commissioner for Ireland, writing in the annual report for his office. The US relies mostly on not-for-profit groups to handle complaints about the activities of organisations. In Europe, there are laws.


The current European approach, which will be more explicitly defined in the new directive, has three basic tenets: individuals have the right to access any data relating to them and have it kept accurate and up to date; data cannot be retained for longer than the purposes for which it was obtained, nor used or disclosed in a manner incompatible with that purpose, and must be kept only for lawful purposes; those who control data have a special duty of care in relation to the individuals whose data they keep.

Data commissioners oversee these rights in Europe and investigate complaints.

In his report Mr Glavey wrote: "There is an imbalance between the consideration given to what can be done through the application of the latest technology and what should be done having regard to the cultural, ethical and legal assumptions which underpin our society."

The Irish data protection office receives about 1,700 inquiries per year. Most are from people seeking further information about privacy regulations; fewer than 100 are complaints. The office is responsible for asserting privacy rights relating to data kept on computers, and those rights were formulated back in the stone age of electronic networks, 1981. That is why there is such interest in the EU's directive, which fleshes out privacy rights in the digital age.

In the meantime, tension is increasing in Washington over online data privacy following a flurry of reports pointing up the laxness of basic privacy protection. The reports have lent fuel to the range of groups lobbying for privacy legislation in the US. Opposing them are the government-supported advocates of corporate self-regulation, led by President Clinton's senior trade adviser, Mr Ira Magaziner, who thinks a European propensity to over-regulate could stifle the online economy.

Mr Magaziner's stance is that there's no point in promising protection which the US government cannot provide. With 10,000 new Websites created daily, how can privacy be enforced? he asked while in Dublin recently.

But the European Commission does not agree, and that worries Mr Magaziner, who indicated for the first time in an earlier London talk that the US eventually may need to find points of compromise with the EU stance.

A London-based privacy advocacy group, Privacy International Ltd, has already threatened legal action if US companies do not comply. "No privacy, no trade. It's that simple," stated Privacy International's director, Mr Simon Davies, in a May Wired magazine article.

However, "someone in Brussels isn't going to go down in the basement and throw a switch, and the data stops flowing to the US," notes Mr Marc Rotenberg, director of Washington DC advocacy group the Electronic Privacy Information Center (EPIC), affiliated with Privacy International. Instead, 200 of the companies which send significant amounts of data between Europe and the US will be monitored for their use of data, he says.

Ms Deirdre Mulligan, senior counsel for the Center for Democracy and Technology in Washington, insists that self-regulation cannot work without at least some basic legal guidelines. It argues that the government should "proactively set baselines for industry". To make matters worse, she adds, flimsy existing legislation keeps organisations from self-regulation.

"There's a disincentive to actually make a privacy statement," she says, because organisations can then be liable for prosecution for deception under a federal act enforced by the US Federal Trade Commission.

"Europe is doing a better job at protecting privacy than the US," agrees Mr Rotenberg. He'd like to see: Americans have a legal right to access all data held on themselves; a legal framework for enforcement and redress of privacy rights; and a privacy agency within the federal government.

But the US shouldn't mould a policy just to keep business channels open once the EU directive takes effect. "Ultimately, I do not believe the US should base its privacy policy on the needs of the EU directive," he says.

Now, pressure is increasing to find US and European points of reconciliation before the enactment of the October directive. According to Mr Magaziner, the government is pursuing the idea of privacy-guaranteeing contracts between organisations. That's an increasingly anxious attempt to negotiate a self-regulation model, says Mr Rotenberg. "We think the government's been pursuing the wrong goal," he says. "They want to make self-regulation work. We want to make privacy work."

Karlin Lillington


Karlin Lillington, a contributor to The Irish Times, writes about technology