Europe's Privacy Cops
Germany's data police, the Datenschutz, considers itself a kind of anti-Gestapo. Where Hitler's secret police used files on German citizens as tools of terror and control, the mission of the Datenschutz is to protect people's personal data. For this, inspectors trek from Berlin all the way to Sioux City, S.D., to Citigroup's giant data-processing center, where computers store financial information about millions of German credit-card holders. The Germans, says Stefan Walz, a Datenschutz commissioner, pay regular visits "to make sure that the data are being handled according to [German] law."
Citi accepted the supervision four years ago in return for permission to market a credit card in Germany. But soon, U.S. companies could be dealing with Europe's privacy inspectors whether they've bargained for it or not.
Europe is launching a crackdown in cyberspace. On Oct. 25, when the European Union Directive on Data Protection goes into effect, commissioners in Brussels will have the legal tools to prosecute companies and block Web sites that fail to live up to Europe's exacting standards on data privacy.
The directive, which was negotiated among the EU governments over six years, guarantees European citizens absolute control over data concerning them. If a company wants personal information, it must get that person's permission and explain what the information will be used for. It must also promise not to use it for anything else without the citizen's consent. A company selling birdseed, for example, can't use its mailing list to hawk Audubon calendars. Citizens have the right to know where information about them came from, to demand to see it, to correct it if wrong, and to delete it if objectionable. And they have a right to file suits against any person or company they feel is misusing their data.
One piece of the law is particularly stringent. Article 29 demands that foreign governments provide data protections every bit as rigorous as Europe's, under a similar regulatory structure. Those that fail, the EU warns, could find their data flows with Europe, the world's largest economy, outlawed.
EU officials soft-pedal the strong language and maintain that they would target certain companies or industries, not entire nations. Yet the new directive marks the first concerted initiative of a united Europe to dictate its norms to the rest of the world. It also takes Europe's regulatory reach into the vital organs of the Information Economy--computer databases and the Internet. "A global system requires global regulations," says Walz.
The goal is to keep the doctors' bills and credit-card records of Europe's 350 million citizens beyond the reach of digital scam artists everywhere. But the definition of personal data is so broad, complains a U.S. telecom exec in Brussels, that "this would make it hard even to publish a telephone book."
NO.1 TARGET. The question is whether governments outside Europe will stand for the law. As the global leader in online business, the U.S. is a particular target of the directive. So Washington finds itself negotiating on behalf of the entire non-European world.
At the root of the battle is a philosophical chasm nearly as wide as the Atlantic. Europeans look to democratic regimes to protect their privacy. Americans, meanwhile, tend at first to leave information flows unregulated. Later, they slap controls on objectionable areas, such as child pornography on the Web. "In Europe, people don't trust companies, they trust government," says Emanuel Kohnstamm, a Time Warner Inc. vice-president in Brussels. "In the U.S., it's the opposite way around: Citizens must be protected from actions of the government."
The ideological rift could result in an all-out trade war if the EU starts hammering U.S. companies for their handling of data or forcing Internet service providers in Europe to block certain Web pages. Executives fear that such actions would prompt Congress to retaliate with protectionist measures against Europe.
Data exchange, already a critical issue for business, is a key to marketers' global ambitions. Their plan is to plumb massive databases of buying patterns, develop hundreds of thousands of detailed customer profiles, and then hit buyers with finely tuned pitches--preferably online. This targeting is at the foundation of E-commerce, an industry that totals only $32 billion in annual sales now but is expected to reach $425 billion within four years, according to International Data Corp. Executives on both sides of the Atlantic fret that it could be throttled in its cradle by zealous regulators. "This could mean the Balkanization of E-commerce," warns John E. Frank, European legal counsel for Microsoft Corp.
The Europeans respond that E-commerce can't grow without consumer confidence. Only the most fearless or foolish consumer, they say, would venture into unregulated digital malls. Europeans abhor the American habit of plant-ing "cookies," the data tags that hook into a log-in name, track the Web sites it has explored, and send back consumer profiles. They believe that Americans, from TV talk-show hosts to Congress, are all too ready to exploit citizens' private lives. And they are outraged that U.S. prosecutors and insurers use the Web to unearth facts that people would rather keep to themselves. Brussels claims it can protect Europeans from such intrusions.
As Oct. 25 approaches, negotiators in Brussels and Washington are working long hours to reach a practical compromise. Eager to avoid a digital trade war, both sides are bending. The Europeans have dropped demands for a new privacy department in Washington. And the U.S. team, led by Commerce Under Secretary David L. Aaron, is proposing a self-regulation scheme that has the backing of blue-chip companies from Procter & Gamble Co. to Microsoft. Companies would certify before a nongovernmental privacy group that they are meeting European standards on data management, much as companies worldwide meet European industrial-quality standards with the ISO 9000 certification.
The betting now is that Americans will offer at least enough to forestall a rash of legal actions this fall. "We won't shut off the general flow of data," says one European Commission official in Brussels. "We will judge on a case-by-case basis and bring suit if necessary."
But even as EU officials promise restraint, privacy activists in Europe are preparing to go after U.S. companies that violate the new directive. Privacy International, a London-based advocacy group, says it is investigating privacy practices at 25 leading U.S. companies, including Electronic Data Systems, Ford, Hilton International, Microsoft, and United Airlines, and vows to sue alleged offenders in January. That would force EU regulators to take legal action, too. For their part, the target companies say they are hurrying to meet Europe's new privacy requirements.
In trying to police the Internet, European regulators have set themselves a formidable job. Many national data-protection agencies have not yet passed statutes to comply with the new directive. And some are still adjusting from printed to digital records. In Paris, at the National Association on Data Processing & Liberty (CNIL), a staff of 60 handles 10,000 monthly calls and 4,000 annual complaints--while sifting through databases registered by thousands of companies in France. The staff could be stretched even thinner, says CNIL legal counsel Joel Boyer, as agents carry out field inspections.
One of CNIL's early stops is likely to be the European headquarters of Microsoft, lodged in the gleaming La Defense section of Paris. At Microsoft and hundreds of other high-tech companies, the inspectors find a different approach to data control. "The Europeans want to inspect data," says Microsoft's Frank. "We want to provide technology for people to make their own choices." Microsoft is developing software to quiz consumers, through a series of pop-up menus and mouse clicks, about what products or services they want and how much data they're willing to share.
Software companies aren't the only ones hoping to cash in on the new regulations. NCR Corp., a major producer of data-storage software, is marketing a host of new products to meet privacy needs, allowing companies to juggle digital warehouses of consumer data. For example, a user would have access to personal information for benign purposes, such as anonymous market surveys. But the same user could not access that data to launch a direct-mail campaign for a new product--unless a consumer had given the O.K. for such pitches.
PRICEY RETOOL. Companies that rely on cross-selling are scrambling to comply with the new rules. Airlines, for example, have long regarded their Executive Clubs as marketing databases in themselves. Most airlines pitch their first-class passengers everything from limousine rentals to bargains on luxury suites. Now, such cross-marketing is forbidden without the customer's formal consent.
Of course, airlines can still get the information they need--if they can afford the expense. British Airways PLC has been frantically revamping its software to ask questions the right way. Now, the company explains why it's asking for birth dates (to distinguish one John Smith from another) and nationalities (to whisk people through immigration). The next job is to push these standards to BA partners around the world, which may involve rewriting contracts. "We haven't even put a cost on that yet," says BA data-operations executive Tricia Ade.
It may seem ironic that Europe, which is playing catch-up in the entire digital arena, from PCs to E-commerce, has taken the lead in policing data on the Internet. But privacy is a burning issue of the New Economy and one that cries out for regulation. In the worst cases, Eurocrats fear, banks could tap into customers' medical records and base loan approval on their health. And they tell of a gay army officer whose sexual orientation made its way into an America Online Inc. profile and led to his dismissal.
The question is whether together, Europe's regulators and America's free marketeers can devise a scheme to patrol the Net without dragging it down.