From: "ama-gi ISPI" <offshore@email.msn.com> Subject: IP: ISPI Clips 5.69: EU Law Aims to Protect Privacy of Personal Data Date: Tue, 27 Oct 1998 02:34:54 -0800 To: <Undisclosed.Recipients@majordomo.pobox.com> ISPI Clips 5.69: EU Law Aims to Protect Privacy of Personal Data News & Info from the Institute for the Study of Privacy Issues (ISPI) Tuesday October 27, 1998 ISPI4Privacy@ama-gi.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This From: The New York Times, October 26, 1998 http://www.nytimes.com European Law Aims to Protect Privacy of Personal Data http://search.nytimes.com/search/daily/bin/fastweb?getdoc+site+iib-site+45+ 0+wAAA+privacy By EDMUND L. ANDREWS FRANKFURT, Germany -- The European Union put into effect a law Sunday prohibiting U.S.-style buying and selling of personal data, a move that could interrupt electronic commerce with the United States if the two sides fail to resolve deep philosophical and legal differences over protecting privacy. The goal of the European law is to prohibit companies from using information about their customers in ways the customers never intended -- for example, selling it to other companies for use as a marketing tool. The new law affects an enormous range of information that companies collect about people in the course of daily business, from credit-card transactions to magazine subscriptions to telephone records, as well as the electronic footprints that people leave when they visit sites on the World Wide Web. The law was adopted three years ago by the European Union after a majority of its 15 member nations agreed to issue what is known as a directive. Under European law, each member nation is required to implement the directive by enacting its own law. Six nations have drafted or passed such laws so far. Beyond its impact on Europe, the directive has the potential to disrupt electronic commerce with the United States. A key provision of the new measure would prohibit any company doing business in the European Union from transmitting personal data to any country that does not guarantee comparable privacy protection -- foremost among them, at this point, the United States. American direct-marketing companies, which make money buying, selling and developing business strategies based on huge data banks of personal information about consumers, have lobbied hard against government regulation of their industry. As a result, the Clinton administration has adopted a more laissez-faire approach under which data industries would be allowed to police themselves through self-regulatory organizations. U.S. officials say they agree with Europe on the basic principle that privacy should be protected but they have big differences about the best way to carry it out. "They have privacy czars and bureaucracies, and that kind of top-down approach would probably be regarded as a violation of privacy rights by many people in the U.S.," David Aaron, undersecretary of commerce, said of European nations. Aaron, who held talks on the issue with European officials in Brussels, Belgium, earlier this month, added, "We say, 'Let's create a situation where, if companies agree to follow certain data practices, they can be held harmless under the new directive."' If the issue, which neither side paid much attention to until a few months ago, is not resolved, European officials could theoretically soon begin to block trans-Atlantic data transfers by multinational corporations and the growing number of Internet companies. European officials say they have no plans for any blockades soon, and are hopeful about reaching a peaceful resolution. Officials from the United States and Europe say they held constructive positive discussions earlier this month. The European Commission has scheduled a meeting on the issue for Monday, and it is expected to seek some kind of temporary solution while the two sides negotiate. Underlying the debate is a deeper political issue that is fraught with cultural baggage. For years, European nations have been far tougher than the United States about protecting privacy. Many countries essentially ban telephone marketing to people's homes, and that prohibition is now being applied to unsolicited sales approaches by fax and e-mail. Several nations, including Germany and the Netherlands, have government agencies devoted exclusively to protecting personal data. Acting as ombudsmen, these agencies investigate complaints from individuals who believe that companies have mishandled information about them. Companies that are accused of violating privacy laws can be prosecuted under criminal laws. "There is a great difference in attitudes about privacy protection between Europe and the United States," said Ulrich Sieber, a law professor at the University of Wuertzburg in Germany. U.S. privacy laws are far more lax and consist of a hodgepodge of statutes and regulations enforced by various state and federal agencies charged with oversight of other industries, like, for instance, those that regulate banks. In sharp contrast with Europe, an entire industry has arisen in the United States that specializes in trolling public and private sources for vast quantities of personal information, like birth records, drivers' license numbers and torrents of data accumulated by retailers about customers' individual purchases. The new European directive embraces several basic principles that national governments must now translate into their own laws. It requires that companies tell people when they collect information about them and disclose how that information will be used. In addition, customers must provide informed consent before any company can legally use that data. The law also requires companies to give people access to information about themselves. U.S. officials say they agree with those requirements in principle, but disagree with giving people unconditional access to information about themselves, saying access should be allowed only if it is reasonable or practical to do so. The more difficult issues are enforcement and policing. Aaron says the United States wants to give companies a variety of "safe harbors" to satisfy privacy protection. One idea is to create independent self-regulatory organizations that would monitor a company's data practices and would give well-behaved companies what amounts to a stamp of approval. Another option, they say, should be for companies to deal directly with European officials and demonstrate that their systems and practices are appropriate. But legal experts say the new law could easily take on a life of its own, because it gives individuals and private organizations the right to sue companies that they say fail to provide adequate privacy protections. Industry and government officials worry that independent privacy advocates in Europe will simply invoke the letter of the law and begin taking U.S. companies to court. "I'm not sure the idea of creating safe harbors will be practical, because people can still go ahead and sue a company regardless of whether the governments reach an agreement among themselves," said Christopher Kuner, a lawyer in Frankfurt who specializes in European information law. In the short term, government and industry officials predict that nothing much will happen. Most countries have yet to implement their own laws to carry out the directive. And several countries, including Germany, have had tough laws in place for years, and companies have found ways to deal with the requirements. One of the pioneering cases in Germany involved Citibank, which ran afoul of German data-protection authorities in 1995. But since Citibank, which has a major business presence in Germany, demonstrated to government officials there how its system protected data in the United States, it has operated without conflicts. Executives of American Express Co. said they had reached similar agreements in many countries and that they believed they could live with the new directive. "It is a crucial issue for us, but it has not been a burden so far," said James Tobin, an American Express spokesman in London. John Borking, vice president of the Data Protection Authority of the Netherlands, said, "We are not information police, and I expect that in the whole of Europe nothing will happen." But, added Borking, European governments will always take privacy protection seriously. "We are at the beginning of a new information society, and no one really knows the outcome," he said. "But privacy and trust are important parts of this society." Copyright 1998 The New York Times Company --------------------------------NOTICE:------------------------------ ISPI Clips are news & opinion articles on privacy issues from all points of view; they are clipped from local, national and international newspapers, journals and magazines, etc. Inclusion as an ISPI Clip does not necessarily reflect an endorsement of the content or opinion by ISPI. In compliance with Title 17 U.S.C. section 107, this material is distributed free without profit or payment for non-profit research and educational purposes only. --------------------------------------------------------------------------- ISPI Clips is a FREE e-mail service from the "Institute for the Study of Privacy Issues" (ISPI). To receive "ISPI Clips" on a regular bases (up to 3 - 8 clips per day) send the following message "Please enter [Your Name] into the ISPI Clips list: [Your e-mail address]" to: ISPIClips@ama-gi.com . The Institute for the Study of Privacy Issues (ISPI) is a small contributor-funded organization based in Victoria, British Columbia (Canada). ISPI operates on a not-for-profit basis, accepts no government funding and takes a global perspective. ISPI's mandate is to conduct & promote interdisciplinary research into electronic, personal and financial privacy with a view toward helping ordinary people understand the degree of privacy they have with respect to government, industry and each other and to likewise inform them about techniques to enhance their privacy. But, none of this can be accomplished without your kind and generous financial support. If you are concerned about the erosion of your privacy in general, won't you please help us continue this important work by becoming an "ISPI Supporter" or by taking out an institute Membership? We gratefully accept all contributions: Less than $60 ISPI Supporter $60 - $99 Primary ISPI Membership (1 year) $100 - $300 Senior ISPI Membership (2 years) More than $300 Executive Council Membership (life) Your ISPI "membership" contribution entitles you to receive "The ISPI Privacy Reporter" (our bi-monthly 12 page hard-copy newsletter in multi-contributor format) for the duration of your membership. For a contribution form with postal instructions please send the following message "ISPI Contribution Form" to ISPI4Privacy@ama-gi.com . We maintain a strict privacy policy. Any information you divulge to ISPI is kept in strict confidence. It will not be sold, lent or given away to any third party. **************************************************** To subscribe or unsubscribe, email: majordomo@majordomo.pobox.com with the message: (un)subscribe ignition-point email@address or (un)subscribe ignition-point-digest email@address **************************************************** www.telepath.com/believer ****************************************************