From: believer@telepath.com Subject: IP: Privacy Rules Send U.S. Firms Scrambling Date: Tue, 20 Oct 1998 10:15:15 -0500 To: believer@telepath.com Source: Washington Post http://www.washingtonpost.com/wp-srv/frompost/oct98/privacy20.htm Privacy Rules Send U.S. Firms Scrambling By Robert O'Harrow Jr. Washington Post Staff Writer Tuesday, October 20, 1998; Page C1 Business executives and government regulators have spent years noodling about whether new rules are needed to protect an individual's right to privacy in this information age. The European Union, by contrast, agreed to "harmonize" its member states' tough privacy protections three years ago, and regulations born of that agreement take effect next Monday, Oct. 26. That could be a big problem for many businesses on this side of the Atlantic. Under the new rules, the EU's 15 member countries are obliged to prohibit the transmission of names, addresses, ethnicity and other personal information to any country that fails to provide adequate data protection as defined under European law. European officials have said repeatedly over the past year that the patchwork of privacy rules in the U.S. may not meet their standards. Though no one expects the flow of information from Europe to stop suddenly on Monday, anxiety about the new laws is growing because no one is sure how they will be applied. Each country will have separate privacy laws that cover the mandates of the EU directive, and all have privacy agencies to oversee those laws. The kind of information covered by the regulations includes direct-mail lists, hotel and travel reservations, medical and work records, orders for products on the World Wide Web and a host of other data. Companies also will have to provide detailed disclosures to individuals about how the data will be used and give those same individuals access to the information to correct the data. To weigh the task at hand, consider that Citibank alone has 7.7 million consumer accounts and about 9,000 employees in EU countries. "The scope is very broad," said Peter Swire, a law professor at Ohio State University and co-author of "None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive." "For major companies, there will be significant compliance issues," he said. Thomas P. Vartanian, a D.C. lawyer and author of "21st Century Money, Banking & Commerce," said the effects could be both sweeping and quotidian. Consider the case of a German tourist who breaks a leg in New York, he said. The tourist's health plan in Berlin may be unwilling or slow to send medical records here. American companies also may be prohibited from transferring work records of European employees. Moreover, direct marketers could face sharp limitations on how they use lists of potential customers. Marketers, travel companies and other information-hungry firms in the United States - from giant International Business Machines Corp. to start-ups on the World Wide Web - are scrambling to assess what it could mean for them. And government officials are meeting to head off any potential crisis on Monday. "It holds the potential for leading to disruptions in the flow of data," said David Aaron, undersecretary for international trade at the Department of Commerce, who has been involved in talks with officials from the European Commission. "This could have a major impact." The deadline has sharply etched differences in approaches to data protection. Europeans consider information privacy a human right. Their dreadful memories of how Nazi Germany used personal records in the Holocaust played a role in development of the laws. In the United States, industry and government officials have stubbornly resisted the regulation of data collection, fearing restraints would stymie commerce and tread on the First Amendment. Privacy advocates in Europe have made it clear they intend to press their governments to be strict. A group called Privacy International has already said it intends to monitor an array of U.S. and British companies, including American Express Co., Citigroup, Microsoft Corp. and Visa International. "Until there is some sense of certainty about how these rules are going to apply, you're going to get what you always get with business uncertainty, that is, you get delays and you get increased costs of doing business," Vartanian said. Charles Prescott, vice president of international business for the Direct Marketing Association, agreed. "The uncertainty over how the directive will be turned into local law is causing tremendous anxiety," said Prescott, adding that hundreds of the group's U.S. members do extensive business in Europe. In an effort to head off disruptions, Commerce Department officials have been talking for months with counterparts in the European Commission, the government body that helps coordinate regulations and policies that affect all EU members. Those talks have eased fears of a sudden cutoff of data. Commission officials said they are impressed by the Clinton administration's efforts to highlight the importance of data protection and to press industry groups to come up with a self-regulation framework to ensure privacy on the Internet. "It's [in] nobody's interest, least of all ours, that we have a trade dispute," said John F. Mogg, a director general of the European Commission, who has been involved in talks with the Commerce Department's Aaron about the matter. Mogg described the talks as "wholly constructive." Both Mogg and Aaron acknowledge, however, that significant differences remain. Among the sticking points are provisions that give every citizen of member countries the right to find out what information about them is in a database and the power to correct mistakes. Few U.S. companies are prepared to offer such access because of the costs involved. The directive also requires each outside country to have an independent arbitrator to decide whether a company is being forthcoming about its data. Mogg said that is "fundamental to us." But a system for such accountability still does not exist in the U.S. Some countries also want remedies to be available to citizens for violations. But officials say there are reasons for optimism. Many companies may be able to meet the new guidelines by writing contracts that promise to uphold key provisions, and by giving customers, employees and others detailed disclosure statements about how their information will be used. A group called Privacy & American Business has worked with experts in the United States and Europe to draft model contracts that would be helpful, particularly for small and medium-size businesses that can't afford to enter into lengthy negotiations. Companies also may be able to collect information from individuals who give explicit consent, officials said. "The mood now is cautiously optimistic," said Harriet Pearson, director of public affairs for IBM. Pearson said IBM has been working for more than a year to prepare for the regulations and is in good shape to comply. But she added that many questions remain unanswered for large and small companies alike. "It's a very uncertain equation at this point," she said. © Copyright 1998 The Washington Post Company ----------------------- NOTE: In accordance with Title 17 U.S.C. section 107, this material is distributed without profit or payment to those who have expressed a prior interest in receiving this information for non-profit research and educational purposes only. For more information go to: http://www.law.cornell.edu/uscode/17/107.shtml ----------------------- **************************************************** To subscribe or unsubscribe, email: majordomo@majordomo.pobox.com with the message: (un)subscribe ignition-point email@address or (un)subscribe ignition-point-digest email@address **************************************************** www.telepath.com/believer ****************************************************