In October, the European Union’s Directive on Data Protection takes effect. Little known in the United States, the Directive will prohibit electronic transfer of personal information about European citizens to countries with privacy protection laws that are deemed inadequate. As a result, many U.S. companies with European operations could find their activities significantly disrupted.
An across-the-board legislative response that mimics European law is the wrong reaction. A better approach is self-regulation by the industries and firms most likely to be affected. Moreover, the EU Directive itself seems to endorse such sectoral actions.
A more exhaustive examination of the issue will be provided in Swire and Litan’s forthcoming Brookings book, None of Your Business: World Data Flows, Electronic Commerce and the European Privacy Directive.
By Peter P. Swire and Robert E. Litan
POLICY BRIEF #29
The United States and the rest of the world are in the midst of a revolution in information processing and communication. Much about this revolution is welcome: personal computers more powerful than mainframes of a generation ago; virtually instantaneous communication of voice and data around the world; and a steadily expanding universe of information available over the Internet.
Nonetheless, at least one aspect of the computer revolution has generated significant concern: the potential threat to individual privacy. With the dramatic reductions in the cost of processing and access to information, it is easier than ever to track down other individuals and find out many things about them—where they are, what they buy, what sites they visit on the Web, and many more. It is not surprising, therefore, that public opinion polls report that a major impediment to further growth of electronic commerce—doing business on the Internet—is the fear on the part of users that the information they communicate will find its way into other, unwelcome hands and be used in ways of which they do not approve.
Mounting concerns about privacy in the information age have sparked a lot of discussion among policy makers here and abroad. In particular, a vigorous debate is under way about whether, and to what extent, privacy issues—not just in the context of the Internet but more broadly—should be handled by market mechanisms, technology, industry self-regulation, or mandatory government regulation.
In 1998, this debate could erupt into an all-out trade war. The spark could be the implementation of the European Union’s Directive on Data Protection, which becomes effective in October. Little known in this country, except among a few industries that are aware of its potential impact, the Directive prohibits (with a few exceptions) transfer of personal information about European citizens to other countries that lack adequate protection of privacy.
While privacy is taken very seriously on both sides of the Atlantic, the United States and Europe take very different approaches to the issue. As Fred Cate explains in his excellent, recent guide to privacy law, Privacy in the Information Age (Brookings Institution Press, 1997), unlike the nations of Western Europe, the United States does not have a single, comprehensive privacy law. Nor does it have an agency charged with administering such a law. The United States approach to date has been more selective, regulating both the public and private sectors strictly in certain areas—the disclosure of personal data by the government, credit reporting bureaus, cable TV suppliers, and video rental shops—but otherwise keeping the government’s hands off the private sector. The absence of generic privacy legislation in the United States is not an indication that privacy lacks importance, but instead reflects the fact that the Constitution and legislatures at both the federal and state levels also value competing policy objectives, including the prevention and prosecution of criminal acts, the First Amendment’s protection of the press, and a general suspicion of government intervention, a suspicion that seems to have grown in recent years.
The European approach to privacy is both more comprehensive and restrictive, reflecting the fact that in Europe, privacy is a clearly established human right deserving of strict protection. Some national privacy laws have existed for over twenty years, but in 1995 the European Union adopted the sweeping Directive. The Directive is intended to upgrade and harmonize privacy protections throughout the EU, and it requires each EU member nation to adopt a strict privacy law that must include certain elements:
It must require all those processing personal data to comply with well-defined, fair information practices, including guarantees that individuals have access to all personal data about them, and the opportunity to correct that data.
The law must allow use of personal data only for the purpose for which it was originally gathered, and require an individual to be informed and to have the right to opt out before data are disclosed for the first time to third parties for purposes of direct marketing.
It must establish in each country a supervisory authority to oversee that nation’s privacy laws. The authority, along with private individuals, must be able to bring enforcement actions for violation of privacy laws.
That the United States and EU differ in their approaches to privacy, as in their approaches to a variety of policy issues, would not matter, except for one thing. Article 25 of the Directive prohibits the transfer of personal data of anyone from the EU to other countries that the EU determines do not provide an adequate level of privacy protection. The Directive contains a number of derogations (exceptions) to its flat prohibition, such as cases in which: the data subject has consented unambiguously to the transfer; the transfer is necessary to complete a transaction (such as the purchase of an airline ticket or the use of a credit card in Europe); the personal information is otherwise public; or the party desiring to send the information has entered into a contract approved by the supervisory authority of the country from which it plans to transfer the data. Judging from the public pronouncements of EU officials so far, however, these exceptions are likely to be narrowly construed. So the prohibition, generally, is likely to have real consequences.
What Will the EU Decide?
Guessing exactly how the EU will apply the adequacy test to the United States is a hazardous enterprise, because EU officials have been sending conflicting messages. The mixed signals may be due to the simultaneous desires of the EU to appear strict yet reasonable, strict in order to encourage the United States to change its privacy laws, reasonable in order to avoid disruption of normal trade. Another cause may be the EU’s internal politics. Perhaps understandably, the officials responsible for data protection have staked out the hardest line in public, suggesting in speeches that current privacy protections in the United States are not adequate for European purposes. Other officials, such as those who are pushing Europe to be active in electronic commerce and are thus wary of moves that could inhibit data flow into and out of the EU, have struck a more compromising tone. From our discussions with U.S. and European government officials and knowledgeable individuals in the corporate community on both sides of the Atlantic, we project the following outcomes:
The EU is unlikely to issue an across-the-board finding that U.S. privacy protections are inadequate. Instead, it is likely to make adequacy determinations on a sector and practice-specific basis.
The EU is likely to decide that some U.S. industries that have specific laws governing the use of personal information do meet the adequacy test. The credit reporting industry is an example.
Unless a generic compromise is soon found, the EU is very likely to demonstrate its seriousness about the Directive by initially singling out one or more U.S. companies or sectors as not meeting the adequacy test and thus subject to the data transfer prohibition of the Directive. High on the potential target list, in our view, are firms in the direct marketing industry, the insurance industry, and any company handling personal medical information (if Congress does not promptly enact proposed legislation to protect the privacy of medical records).
Sectors and Practices at Risk
The above list of potential targets could represent only the tip of the iceberg. If the EU decides that the largely self-regulatory approach followed by the United States is not sufficient to justify an adequacy finding, a much broader information embargo is possible. To be sure, EU officials could nonetheless allow some information through under one or more of the derogations. But based on our interviews and our reading of the Directive itself, the transfer of much information about persons in Europe could be restricted, with perhaps surprisingly serious disruptive effects.
Certain of the adverse impacts could be felt by any company doing business in Europe—regardless of the nationality of its owner. All corporations maintain extensive data bases containing personal information about their officers, employees, suppliers, and customers. If the corporation does business in both the United States and Europe, it almost certainly warehouses these data on one or more mainframe computers or servers located on both sides of the Atlantic, moving information back and forth as it is needed.
Now consider what would happen if a European government—consistent with the policy of the European Commission—were to say to multinational firms with offices in Europe that they could not transfer personal data to the United States, whether by telecopy, on a computer disk, or over the Internet. Suddenly, the firm would discover it could not send out any personal information about its European employees, frustrating its ability to match its people with jobs. Employees using company intranets or extranets (information networks with key suppliers and customers) would find their communications with others in the United States subject to prohibition and penalties if they contained any information meeting the broad definition of personal data. Data bases filled with information about European customers could not be shipped to the United States for processing.
Are these potential adverse effects fanciful? Unfortunately not. Moreover, they are not likely to be confined to just a few firms. All multinational firms operating in Europe with a U.S. presence could find it necessary to radically change the way they maintain and transfer data about employees and customers if the EU makes a broad determination that large parts of the U.S. economy lack adequate privacy protection.
Meanwhile, even narrow determinations of inadequacy could be especially harmful to certain industries. Airlines and hotel chains doing business in Europe could find themselves unable to transfer data indicating travelers’ eating, seating, and other preferences to reservations systems in the United States. Pharmaceutical companies could find it impossible to share data from European research trials even with their own employees located in the United States. Investment bankers wanting to execute deals in Europe could find themselves unable to collect data about the officers running the companies their clients may want to purchase. Accounting firms in the United States could be prohibited from conducting audits of transactions that involve European individuals.
Some skeptics have claimed to us that the Europeans would never take steps that would result in these effects. They haven’t been listening to the remarks of various European officials, or they haven’t read the Directive closely. Others may claim that the Europeans could never enforce any data restrictions. That may be true. But the fact that many data transfers simply could be rendered unlawful exposes any company doing business in Europe to the potential threat of legal action, negative publicity, and harassment. Moreover, American companies in particular must remember that their European operations are staffed largely by Europeans, and companies risk the goodwill of their employees and customers if they knowingly violate European law.
Avoiding the Showdown
It is a safe assumption that between now and October, 1998, the United States will not adopt in legislative form the kind of comprehensive regulatory system for protecting personal privacy that is now prevalent in Europe. This is true notwithstanding the fact that in the 104th Congress alone (1995-96), nearly 1,000 bills were introduced containing some provisions dealing with privacy. Neither the Republican-controlled Congress nor the Clinton Administration has the appetite for the kind of across-the-board regulatory approach now found in Europe.
Does this mean that the United States and the EU are on a collision course over the privacy issue? Not necessarily. If officials on both sides of the Atlantic show some creativity and flexibility over the coming months, there is at least a chance that a privacy war can be averted.
In particular, the United States should take two important steps in its own interest and that of its citizens that, at the same time, might provide sufficient cover for the Europeans to refrain from implementing even a partial embargo on personal information otherwise destined for this country. European officials could claim for domestic consumption that it was their Directive that induced us to take the issue of privacy more seriously.
First, because there is no institutional home within the federal government for matters relating to privacy in the private sector, the Administration should establish a permanent office dealing not just with privacy, but with other issues affecting electronic commerce more generally, such as encryption, special Internet taxes (which should be avoided), and intellectual property protection on the Net. Our preference would be to locate that office within the Department of Commerce, which should have an updated mission in this digital age to include facilitating electronic commerce.
Second, rather than establish a new federal agency to issue detailed regulations governing privacy, different industries should establish their own privacy codes of conduct and firms within them should agree to abide by such codes in a way that can be verified. At a minimum, such codes should include privacy principles that: (1) afford notice to consumers of what data is collected about them and how it is intended to be used, and (2) provide a meaningful opportunity for consumers to limit the use and re-use of their personal data, as well as to correct errors that may exist in company files. The key advantage of individual company- and industry-developed codes is that, by definition, they avoid the one-size-fits-all mentality of government regulators and result in practices that are tailored to specific circumstances in different sectors of the economy.
The self-regulatory approach stands little chance of convincing the EU that the United States maintains adequate privacy protections, however, unless American businesses in various sectors move aggressively to adopt and to adhere to clear privacy principles. One of us (Peter Swire) is currently involved in an effort headed by Alan Westin—formerly professor of law at Columbia University and widely regarded as the nation’s preeminent legal expert on privacy—to develop such codes. The Administration, for its part, has served notice on the private sector that it expects major progress in the direction of self-regulation by this summer, when a report on this subject is due on President Clinton’s desk, or else it will urge the adoption of legislation.
By that time, offering to sponsor legislation—unknown at this point in its content and breadth—may be too little, too late to assuage the Europeans. More fundamentally, however, we believe that legislation in this area is premature, especially with regard to information on the Internet. Given the strong public fears about the lack of privacy on the Net, firms interested in electronic commerce have strong market-based incentives to address privacy concerns. Indeed, various technological approaches are now being developed that would build privacy protections into the structure of Internet transactions. One such mechanism would allow consumers to specify a default option in their browser relating to how much personal information about them is to be transmitted unless specifically overridden. Given the tendency of Congress to be highly prescriptive in any legislation that it enacts, it is difficult to be confident that even a minimalist privacy bill—one that simply codified some simple privacy principles—would emerge without many other potentially onerous and ill-advised restrictions attached.
A more practical approach would be for the White House and/or the new Commerce Department office to encourage the rapid development of privacy codes by firms with privacy practices likely to be of concern, not only to the Europeans, but to Americans as well. Indeed, the Administration plans to conduct a series of meetings with firms in key sectors to urge them to develop or update their privacy policies, not only to avoid a potential conflict with Europe, but also to prevent imposition of potentially burdensome new legislation by Congress and the states. The private sector needs to move fast—and step up its development and implementation of privacy policies, principles, or codes of conduct—or else the vacuum will be filled by government action. Moreover, the EU would be hard pressed to resist a major self-regulatory push by the private sector here. After all, Article 27 of the Privacy Directive itself instructs “Member States and the Commission” to encourage the development of codes of conduct. If the EU recognizes the progress toward self-regulation in this country, then the coming showdown over privacy can be averted.