The European Union Privacy Directive

Good morning. I am pleased to appear before you today to discuss certain issues raised by the European Union’s Directive on Data Protection, which takes effect in October, 1998.

While the EU Directive has thus far attracted relatively little attention in this country, the issue of privacy has become a hot topic here. In just the last several months, for example, the Washington Post has run a series on privacy on the Internet. And you know an issue has become timely and important when Parade Magazine runs a cover story on it, as it did on privacy on April 19, 1998 (in article by Peter Maas). I understand that, at last count, over 80 bills have been introduced in this Congress dealing with consumer privacy on the Net or in other contexts. Meanwhile, over 400 bills have been enacted at the state level over the past several years that deal with privacy.

If anything, privacy has been an even hotter topic in Europe, and for a longer period. Owing to the horrible memories of the Nazi regime, Western European countries have established comprehensive privacy protections, administered by governmental privacy offices or “czars” in each country. Generally speaking, European countries limit to a far greater extent than we do the secondary use of personal information collected from consumers or employees. They do this by requiring all those processing personal data to guarantee data subjects access to their personal data, the opportunity to correct it, to be informed of how the data are to be used and to have the right to opt out before the data are disclosed to someone else. In 1995, the EU adopted its Data Protection Directive to harmonize the laws governing privacy in its member countries.

But it is the provisions of Article 25 of the Directive—which vest the EU with the authority to decide whether other countries provide “adequate” privacy protection—that have raised controversy in the United States and, as I understand it, are the subjects of this hearing. The primary reason is that, beginning October, 1998, the EU is required under the Directive to prohibit the transfer of all personal data about EU citizens to countries that do not satisfy the EU’s adequacy test (subject to several exceptions or “derogations” I note below). In essence, the Directive sets the EU up as judge and jury over the adequacy of privacy protections of other countries, including those of the United States.

The extraterritorial ambitions of the EU understandably rankle many in the United States. But we, too, have engaged in a bit of extraterritorialism of our own by enacting legislation authorizing sanctions against countries that trade with Cuba, Libya and Iraq. We have done so for national security reasons. The EU appears ready to engage in extraterritorialism on a subject it deems important: privacy.

In the balance of this testimony, I will: (1) offer some tentative views as to what the EU is likely to decide by October 1998 in the case of U.S. privacy laws and protections; (2) what the impact of an adverse “adequacy” finding or findings could mean for U.S. companies doing business in Europe; and (3) how the friction between the U.S. and the EU on this issue might be reduced or eliminated.

Likely EU Determinations

In our discussions with EU officials and business representatives in both Europe and the United States, Professor Swire and I have become convinced that the EU will not make an across-the-board finding that our privacy protections are inadequate. The EU wants to avoid both unnecessary conflict with the United States as well as unnecessary disruption to commerce within Europe.

At the same time, however, the EU officials charged with administering the Directive have emphasized repeatedly in speeches in this country and elsewhere around the world that the Directive will be enforced and must be taken seriously. In addition, these same officials have implied that certain sectors or activities in the United States appear to lack adequate privacy protections by European standards.

We believe these statements should be taken at face value and thus believe that policy makers here should be prepared for the distinct possibility that come this October, the EU will find one, two or possibly several areas in which privacy policies in the United States fail the adequacy test. For example, the EU has commissioned a consultants’ study of protections of personal data in the United States, Australia, Canada, China, Japan, New Zealand, relating to medical research, sensitive data in airline reservations systems (such as food preferences), data processing, electronic commerce, and human resource (or personnel) practices. This provides as a good a roadmap as any to the possible industries and activities that could be subject to a data embargo beginning this October. In addition, Professor Swire and I discuss in our book a number of other possible sectors that could be subject to an inadequacy finding, if not in October 1998 then at some later point, including the securities and insurance industries, the accounting profession, the media, and meetings of professional associations in Europe (involving non-profits, academics and industry).

It is important to keep in mind that there are exceptions under Article 26 of the Directive to any such embargo. In particular, even if a sector or activity is found to lack adequate private protection, the Directive still permits the transfer of personal data out of Europe if:

• the party desiring to send the data has entered into a contract approved by the privacy office in the EU member country (committing the party to providing certain protections);
• the individual has consented unambiguously to the transfer;
• the transfer is necessary to complete a transaction (such as the use of a credit card in Europe or the purchase of an airline ticket there, both conceivably involving shipment of data to the United States); and if the data are otherwise public.

Finally, there is at least one sector of the American economy where privacy protections should satisfy the EU: the credit reporting industry. This is because the Federal Credit Reporting Act contains precisely the kind of protections that EU member countries have built into their laws: notice to consumers and opportunity for them to correct misinformation in their files.

Potential Impacts of Adverse EU Findings

Even with the exceptions just listed, any finding of inadequacy could have disruptive effects on commerce and on firms doing business Europe—whether they are owned by U.S. nationals, Europeans, or residents of any other country.

Consider the possible impacts of a narrow sectoral finding of inadequacy first:

• Airlines and hotel chains doing business in Europe could find themselves unable to transfer data about travelers’ eating, seating and other preferences to reservations systems in the United States. Europeans could also be rendered unable to participate in frequent flyer programs, if the data must be shipped to this country as part of the programs.

• Pharmaceutical companies could find themselves unable to share data from European research trials with researchers in the United States.

• Without having access to personal data about company officials and individuals in Europe, American insurers and reinsurers could find it impossible to assess risks properly and thus offer insurance products in Europe.

• Investment bankers wanting to execute deals in Europe could find themselves unable to collect and transfer data about the personnel of European companies their clients may want to purchase.

• Accounting firms in the United States could be prohibited from conducting audits of transactions involving European residents.

• Processors of large amounts of data using U.S.-based computer facilities could be required to reconfigure their data base operations so that all personal data collected in Europe is processed there.

The Directive could have even more far-reaching consequences if the EU makes an inadequacy finding that is not narrowly confined to a specific sector or activity. For example, suppose the EU decides that privacy protections in this country governing personnel records generally do not meet the adequacy test. In that event, all multinational companies doing business in Europe could find themselves unable to retrieve data about their European employees for any purpose, such as deciding whether and where to move such individuals to other locations, or monitoring their health-care costs.

Even greater disruption could occur if the EU issues an inadequacy finding relating to the potentially burgeoning field of electronic commerce. The Federal Trade Commission in this country is completing a survey of 1200 Web sites to identify what, if any, privacy policies the sponsors of those sites claim to be following. It is widely anticipated that the FTC report, due in June, will conclude that many sites sampled either have no privacy policy at all, or one that does little more than notify visitors that the data they provide to the sponsor may be used for other purposes. Putting aside the reaction that policy makers here would have to such a finding, it would not be at all surprising if the EU used such a report to conclude that, by European standards, the entire field of electronic commerce lacks adequate privacy protection. And if that finding is made, then presumably the EU could somehow attempt to restrict the transfer of personal data over the Internet. Presuming such a restriction or prohibition could be enforced, companies outside Europe could find it difficult doing business with European citizens. Europe itself could become an electronic ghetto—at a time just when usage of the Internet in Europe appears to be taking off (see Business Week, May 11, 1998, pp. 48-49).

An obvious question is how the EU would enforce any data embargo, whether targeted narrowly to customer or employee data in a particular industry, more broadly across many sectors, and especially in the context of electronic commerce (where national borders have become close to irrelevant)? Are officials from the privacy offices of EU countries going to become full-time electronic nannies, monitoring all of the electronic traffic flowing out of Europe? Are they going to heavily regulate and supervise the companies providing Internet service? Are they going to turn their customs officers at airports into privacy police who ask travelers leaving the country to turn their laptop computers on so their data can be scanned?

I suspect that the answer to all of these questions is “no”, but then one can’t be too sure. If the EU wants its inadequacy findings to be taken seriously, EU member countries will have to take some measures to monitor compliance with any data embargo and to punish offenders. At the very least, EU officials now must be wrestling with the challenge of enforcing any data prohibition in an electronic age—a task whose difficulty the EU almost surely didn’t fully comprehend when the Directive was drafted in the early 1990s, when the Internet was then in its relative infancy.

Most likely, any U.S. company doing business in Europe that finds itself subject to a data embargo will seek, under the contracts exception in Article 26 of the Directive, to enter into agreements approved by the privacy offices in each EU country obligating the firm to protect personal data of EU citizens in a manner consistent with EU law. Professor (Emeritus) Alan Westin of Columbia University has formed a team of experts who are preparing such model contracts. Nonetheless, companies may have certain kinds of data that call for special treatment, so that many contracts will have to be customized. Negotiating these contracts with the privacy offices in each EU member country will cost U.S. companies money, and conceivably entail some disruption if the offices are slow to approve the contracts. Where disputes arise, litigation could result. For some or even many companies, the process of gaining contract approvals could be messy indeed if one or more member countries of the EU wants it that way.

Moreover, beyond any “inadequacy” findings that may be issued this October, the existence of the Directive gives the EU the authority at any time to trigger disputes over privacy between the United States and the EU. Other things being equal, it would be in America’s interest if this sword of Damocles were not hanging over the heads of companies headquartered here and doing business in Europe.

Reducing The Friction

Hopefully, steps can be taken on both sides of the Atlantic to ensure that the EU Directive will not lead to frictions between the two largest economic powers in the world, the United States and the EU.

As for the EU, the following would help:

• The EU should recognize that various forms of “self-regulation” that American firms and trade associations have been exploring can, if implemented, provide “adequate” privacy protection. Notwithstanding the clear language of Article 27 of the Directive stating that the EU and its member states should encourage the development of industry codes of conduct within the EU, some EU officials have expressed skepticism about the enforceability of privacy codes that individual firms and groups of firms may adopt in this country. This skepticism, which reflects a preference for the formal administration of legal requirements by government privacy offices that is standard in Europe, overlooks important features of the U.S. legal landscape. When firms in this country hold out to the public that they are abiding by a privacy code and then fail to live up to that promise, they open themselves to legal challenge by the Federal Trade Commission and the states for engaging in an “unfair trade practice,” as well as to class action challenges for fraud and misrepresentation by private plaintiffs. In combination, these legal enforcement measures can provide every bit as much protection against privacy abuses as the formal legal machinery in the EU, which the officials charged with making adequacy determinations within the EU should recognize.

• In the event the EU decides that one or more U.S. sectors nonetheless lack adequate privacy protections, the EU should be responsive to requests by U.S. firms doing business in Europe to enter into contracts under Article 26 of the Directive. In particular, these contracts should impose no greater burdens on U.S. companies than they (and EU-based firms) are already obligated to undertake under the laws of EU member countries. If such contracts are not approved, the United States could well have grounds to complain to the World Trade Organization that its firms are being unlawfully discriminated against.

For its part, the U.S. government should continue to press both of the above points with the EU. In addition, our government should consider setting up a new non-regulatory Office of Electronic Commerce and Privacy within the Commerce Department to help respond to the growing concerns about privacy in the age of the Internet and to serve as a focal point for continuing state, federal, and international discussions about the issue. Such an office could help educate the public about how to protect privacy, especially on the Internet, while serving as a contact point for the private sector and state government as codes of conduct are developed. And while the creation of such an office by itself cannot be expected to convince the EU not to make any inadequacy findings at all, it would be respond to the concern voiced by some European officials that the U.S. government has not provided a permanent institutional home for ongoing international discussions about privacy.

More substantively, I understand that Congress has been considering legislation that would provide greater protection of personal medical records. Without getting into the details of such legislation, I strongly believe that, in principle, such statutory protections are needed (a bill in this area also would have the side benefit of almost surely preventing the EU from targeting medical records in this country as lacking adequate privacy protection).

The issue of privacy on the Internet is much more complicated, however. In principle, the privacy problem on the Net is a classic “collective action” problem: that is, because all actual and potential Net users would be better off if they were comfortable that the information they provided over the Net was absolutely safe and private, no single firm can capture all of the benefits of guaranteeing that its particular Web site has these characteristics. If somehow all firms, or at least most firms, were able to make such guarantees, then all would benefit from greater Net usage than if any single one or set of firms did so.

This problem is fundamentally similar to the situation general purpose credit cards faced in the 1970s before the law limited liability for lost cards or fraud to $50 per person. Once that assurance was provided, credit cards really began to take off.

It may be tempting to use the credit card liability example to justify broad statutory privacy protections for all individuals surfing the Net. But there are major differences between the two situations:

• First, even if policy makers could somehow require and effectively enforce privacy related notices, they still cannot guarantee absolutely safety on the Net. The latter depends on powerful encryption, another subject that is itself highly controversial and presumably outside the scope of this hearing.

• Second, whereas there are only a few major credit card organizations—such as Visa, MasterCard, American Express and Discover—there are countless and rapidly growing numbers of Web sites, making enforcement of any government-mandated privacy rules much more difficult. Indeed, given the continuing proliferation of sites on the Web, it is hard to believe that any government agency charged with enforcing a broad privacy law could ever stay ahead of the game, let alone discipline operators of sites who move their servers off-shore.

• Third, whereas placing a liability cap is relatively simple, one-size-fits-all privacy requirements may not be suited for all sites and firms.

• Unlike the credit card industry that has been characterized by relatively stable technology, the Net provides the best example of “Future Shock” one can think of—rapid technological change that seems virtually impossible to keep up with. Accordingly, legislation mandating privacy policies on the Net runs the risk of unintentionally thwarting technological advances.

For all these reasons, the Administration has been correct to urge the private sector to take the lead in addressing privacy concerns on the Net. The Department of Commerce is supposed to issue a report in July on the progress that the private sector has made so far in achieving this objective. In addition, as I have already indicated, the FTC is supposed to report next month on the privacy policies of sites on the Web.

These reports should focus greater public attention on privacy protections, just as this hearing will help do. If policy makers are not satisfied with the progress being made, they can call attention to that fact and help stimulate the demand for solutions by firms, groups of firms and trade associations.

Technology may be helpful in this regard. One such technology that has been widely touted is “TRUSTe”—a seal given to firms that disclose what they do with customer data, whether consumers can opt out of having their data provided to third parties, and whether they can correct information held about them in data bases. Thus far, however, TRUSTe has been slow in gaining acceptance, having signed up only about 100 firms or sites (although these include many of the top Web sites, including Excite, CNET, Disney, and Hotwired). In the future, I look for other seals, perhaps with better name recognition in the non-virtual world, to be developed and to gain wider acceptance, such as the proposal by the Better Business Bureau to provide on-line privacy assurances. In addition, the press can be a powerful tool for alerting the public to potential privacy abuses, as it did in one well known case when it exposed the plan of a major company to sell its customer data and thereby triggered such strong public disapproval that the company was forced to abandon the plan shortly thereafter.

The bottom line is that we have a dynamic and innovative private sector that responds to public demands. Policy makers here and abroad should take this feature of our economy and society into account in setting policy, especially in such a dynamic setting as the Internet.