Europe's Privacy Cops

The EU wants others to protect electronic data as it does

Germany's data police, the Datenschutz, considers itself a kind of anti-Gestapo. Whereas Hitler's secret police used files on German citizens as tools of terror and control, the Datenschutz protects people's personal data. Inspectors trek from Berlin to Sioux City, S.D., to Citigroup's giant data-processing center, where computers store financial information about millions of German credit-card holders. The Germans, says Stefan Walz, a Datenschutz commissioner, pay regular visits "to make sure that the data are being handled according to [German] law."

Citi accepted the supervision four years ago in return for permission to market a credit card in Germany. But soon, U.S. companies could be dealing with Europe's privacy inspectors whether they've bargained for it or not. On Oct. 25, when the European Union Directive on Data Protection goes into effect, commissioners in Brussels will have the legal tools to prosecute companies and block Web sites that fail to live up to Europe's exacting standards on data privacy.

The directive, which was negotiated among the EU governments over six years, guarantees European citizens absolute control over data concerning them. If a company wants personal information, it must get that person's permission and explain what the information will be used for. It must also promise not to use it for anything else without the citizen's consent. A company selling birdseed, for example, can't use its mailing list to hawk Audubon calendars. Citizens have the right to know where information about them came from, to demand to see it, to correct it if wrong, and to delete it if objectionable. And they have a right to file suits against any person or company they feel is misusing their data.

One piece of the law is particularly stringent. Article 29 demands that foreign governments provide data protections every bit as rigorous as Europe's, under a similar regulatory structure. Those that fail, the EU warns, could find their data flows with Europe, the world's largest economy, outlawed.

EU officials maintain that they would target certain companies or industries, not entire nations. Yet the new directive marks the first concerted initiative of a united Europe to dictate its norms to the rest of the world. It also takes Europe's regulatory reach into the vital organs of the Information Economy--computer databases and the Internet. "A global system requires global regulations," says Walz.

The question is whether governments outside Europe will stand for the law. As the global leader in online business, the U.S. is a particular target of the directive. So Washington finds itself negotiating on behalf of the entire non-European world.

At the root of the battle is a philosophical chasm nearly as wide as the Atlantic. Europeans look to democratic regimes to protect their privacy. Americans, meanwhile, tend at first to leave information flows unregulated. Later, they slap controls on objectionable areas, such as child pornography on the Web. "In Europe, people don't trust companies, they trust government," says Emanuel Kohnstamm, a Time Warner Inc. vice-president in Brussels. "In the U.S., it's the opposite way around: Citizens must be protected from actions of the government."

"BALKANIZATION." Data exchange, already a critical issue for business, is a key to marketers' global ambitions. Their plan is to plumb databases of buying patterns, develop thousands of detailed customer profiles, and then hit buyers with finely tuned pitches--preferably online. This targeting is at the heart of E-commerce, an industry that totals only $32 billion in annual sales now but is expected to reach $425 billion within four years, according to International Data Corp. Execs on both sides of the Atlantic fret that it could be throttled in its cradle by zealous regulators. "This could mean the Balkanization of E-commerce," warns John E. Frank, European legal counsel for Microsoft Corp.

Europeans respond that E-commerce can't grow without consumer confidence. Only a fearless or foolish consumer, they say, would venture into unregulated digital malls. Europeans abhor the American habit of planting "cookies," the data tags that hook into a log-in name, track the Web sites it has explored, and send back consumer profiles. They are outraged that U.S. prosecutors and insurers use the Web to unearth facts that people would rather keep to themselves. Brussels claims it can protect Europeans from such intrusions.

As Oct. 25 approaches, negotiators in Brussels and Washington are working to reach a practical compromise. The Europeans have dropped demands for a new privacy department in Washington. And the U.S. team, led by Commerce Under Secretary David L. Aaron, is proposing a self-regulation scheme that has the backing of blue-chip companies from Procter & Gamble Co. to Microsoft. Companies would certify before a nongovernmental privacy group that they are meeting European standards on data management, much as companies worldwide meet European industrial-quality standards with the ISO 9000 certification.

The betting now is that Americans will offer at least enough to forestall a rash of European legal actions this fall. "We won't shut off the general flow of data," says one European Commission official in Brussels. "We will judge on a case-by-case basis and bring suit if necessary."

But even as EU officials promise restraint, privacy activists in Europe are preparing to go after U.S. companies that violate the new directive. Privacy International, a London-based advocacy group, says it is investigating privacy practices at 25 leading U.S. companies, including Electronic Data Systems, Ford, Hilton International, Microsoft, and United Airlines, and vows to sue alleged offenders in January. That would force EU regulators to take legal action, too. For their part, the target companies say they are hurrying to meet Europe's new privacy requirements.

That has created opportunities for software makers and other high-tech companies. Microsoft, for example, is developing programs to quiz consumers, through a series of pop-up menus and mouse clicks, about what products or services they want and how much data they're willing to share. NCR Corp., a major producer of data-storage software, is marketing a host of new products to meet privacy needs, allowing companies to juggle digital warehouses of consumer data. For example, a user would have access to personal information for benign purposes, such as anonymous market surveys. But the same user could not access that data to launch a direct-mail campaign for a new product--unless consumers had given the O.K. for such pitches.

PRICEY RETOOL. Companies that rely on cross-selling are scrambling to comply with the new rules. Airlines, for example, pitch their first-class passengers everything from limousine rentals to bargains on luxury suites. Now, such cross-marketing is forbidden without the customer's consent. British Airways PLC has been revamping its software to ask questions the right way--explaining to customers why it wants birth dates (to distinguish one John Smith from another) and nationalities (to whisk people through immigration). "We haven't even put a cost on that yet," says BA data-operations executive Tricia Ade.

It may seem ironic that Europe, which is playing catch-up in the entire digital arena, from personal computers to E-commerce, has taken the lead in policing data on the Internet. But privacy is a burning issue of the New Economy and one that cries out for regulation. The question is whether Europe's regulators and America's free marketeers can together devise a scheme to patrol the Net without dragging it down.
