E-business vs. 'none of your business'
The U.S. and E.U. have agreed on "safe harbor" privacy protection. But is it really safe?

By Andy Walton

(June 9, 2000) -- Should it be illegal to carry a pocket organizer across an international border, because it contains names and numbers of people who didn't give their permission? Or should companies and governments be allowed to collect all manner of information on people without their knowledge or consent, to be sold, swapped and used in any way whatsoever?

The debate over online privacy is prone to such extreme hypothetical visions. As computer networks make it easier to find, store, and process information, it is becoming harder for individuals to keep their data private. A push to bolster online privacy -- users' ability to control who has access to their personal information -- is growing.

"We certainly favor the growth of the Internet and electronic commerce and new technologies," says Marc Rotenberg of the Electronic Privacy Information Center. "But I think it's becoming increasingly clear that without some baseline privacy standards, the concerns the consumers have and the genuine problems that they're running into keeping track of how their personal information is being used will only increase."

As concern has grown, the debate has become more heated. Some nations, including the United States, rely on self-regulation and private organizations like the Better Business Bureau. In Europe, governments take a far more active role in privacy protection.

"Unlike the United States, in Europe, each of the European countries has a very comprehensive set of protections for the privacy of its citizens," says Fordham University law professor Joel Reidenberg.

Each EU member state has a government agency to enforce those privacy laws, creating a patchwork of different privacy laws across Europe's planned single market.

The European Union responded with its Directive on Data Privacy, which was adopted in 1995 and took effect in October 1998. The directive was intended to make privacy policy consistent across the EU and allow transfers of information to be as seamless as the flow of people and products.

The directive requires that any organization (called a "data controller") collect only necessary information, inform users what information is collected and how it will be used, keep data accurate and up to date, allow individuals to review the information kept on them, and keep information no longer than necessary. Some types of information -- ethnic origin, political and religious beliefs, and the like -- cannot be collected without the individual's explicit consent.

But in a wired world, it's a simple matter to send data to someone outside the EU, where those restrictions do not apply. So the directive, like many European privacy laws, includes a provision that prohibits sending personal information to countries that do not have "adequate" privacy protection. That provision brought the privacy issue to the global stage and into the ongoing debate over the role of international borders in a wired world.

Fear of inadequacy

If data can only be sent to countries with "adequate" privacy protection, naturally the question of adequacy is crucial and politically charged. Switzerland and Hungary were found to have adequate protection; the U.S. was not. This marked the beginning of nearly two years of negotiations between the U.S. and the EU, amid charges that each side was trying to impose its version of privacy law on the other.

The American answer was "Safe Harbor," a voluntary program that allows companies to commit to a set of principles on handling of personal data. Safe Harbor enshrines some of the same principles found in the EU directive, including notice, choice and access. Companies are free not to join Safe Harbor -- but they then cannot receive information from EU nations. The proposal was met with some skepticism from European privacy authorities and consumer groups, chiefly because of what they saw as inadequate enforcement provisions.

"It's very vague," Reidenberg said of the enforcement portion of Safe Harbor. "That goes to whether or not this is even going to work."

Compliance with the standards is monitored by private organizations like the Better Business Bureau Online, TRUSTe, or the American Arbitration Association, which can then forward complaints to the Federal Trade Commission after their own investigations. But will they? "In all practicality, that is never going to happen," Reidenberg says. "That is an extremely unlikely scenario."

Another objection to Safe Harbor is that, at least on paper, it offers preferential treatment to Europeans' privacy concerns. The agreement applies only to transfers of information from the EU, and "American companies that subscribe are promising to give better privacy protection to Europeans than they do to Americans," Reidenberg says.

Safe Harbor, or eye of the storm?

If Safe Harbor concerns some privacy and consumer advocates, it was not an easy sell for the EU either. As negotiations continued and months stretched into years, some analysts feared that Europe would cut off the flow of data across the Atlantic.

If the EU did not accept Safe Harbor, "e-commerce in Europe could sputter, inflicting damage on the continent's economic health," an article on "Wired" magazine's Web site predicted in April. Indeed, Reidenberg believes that such fears helped lead the EU to ultimately adopt Safe Harbor at last month's summit in Lisbon, Portugal.

"The European Union at the political level decided to approve Safe Harbor against the opinions of their national data protection commissions," Reidenberg says. "They had three other trade disputes brewing, and I think they decided they just didn't want to add privacy to the list of trade disputes."

The dispute is not over. Safe Harbor is up for review in 2001. Meanwhile, the world is increasingly following Europe's lead. "The European directive is becoming the model around the world for privacy protection," Reidenberg says. "If you look in Latin America and you look at Eastern Europe and you look at Asia, the American model is being rejected."

Even in the U.S., where Reidenberg says "drug abusers have better privacy protection than Web surfers," pressure is building. In May, the Federal Trade Commission concluded that self-regulation was not working, and called on Congress to pass comprehensive privacy legislation.

Democrats in Congress have pledged to make privacy an issue in this year's elections, but most Republicans oppose any new privacy laws, and none are expected this year.


Key data privacy concepts from the EU directive and Safe Harbor guidelines

Notice: Users must be told what information is being collected, how it will be used, what third parties may gain access to it, and how individuals may limit its use or disclosure.

Choice: Users must have the option to "opt out" of the use or disclosure of information. For some sensitive information, including ethnic origin, political and religious views, and trade union membership, the user must explicitly "opt in" before such data can be gathered and processed.

Onward transfer: Data may be passed on to another party only if it satisfies the notice and choice requirements, and only when the receiving party is also committed to privacy protection.

Security: Organizations in possession of personal data must take reasonable measures to ensure that it cannot be misused, accessed or disclosed by unauthorized parties.

Data Integrity: An organization may store and process only the information necessary for its stated purpose, and must take reasonable steps to ensure that its files are accurate, complete and current.

Access: Users must have the ability to view in a reasonable and affordable manner the information an organization has on them and to correct inaccuracies.
