Europe's 'Privacy Cops': The U.S. Isn't Our Beat

As data protection commissioner for the state of Berlin, I am one of the European "privacy cops" to whom you dedicated an article ("Europe's privacy cops," European Business, Nov. 2). You wrote that inspectors trek from Berlin to Sioux Falls, S.D., to Citigroup's data-processing center, and that the Germans pay regular visits to make sure data are being handled according to German law. These allegations are wrong. It is true that a contractual agreement has been reached between German Railway (Deutsche Bahn) and German and U.S. branches of the former Citibank. This is intended to secure the privacy interests of millions of customers of Deutsche Bahn who purchased BahnCards, which grant a 50% discount for railway tickets and include a credit-card function.

The cards are produced by Citigroup in the U.S.; for this reason, huge amounts of sensitive data are transmitted to and processed in the U.S. The contracts are regarded worldwide as a yardstick for guaranteeing the protection of customers' privacy.

These contracts enable the Berlin Data Protection Commissioner (to whose jurisdiction Deutsche Bahn is subject) to monitor Citibank's compliance with its contractual duties. But up to now, we have not exercised this power. Indeed, there have been many complaints against the BahnCard procedure. But none has given us reason to investigate activities in the U.S.

What took place was an informational visit to the Citibank processing center in Las Vegas, where the cards are printed and where I could satisfy myself of a high data-security standard. A result of Citibank's cooperation with our agency is a high level of acceptance by BahnCard customers, whereas previously there had been a heated discussion in the German public on the risks of Citibank data processing in the U.S.

Other parts of the article throw a false light on the situation. For example, the Brussels commissioners don't have any power to prosecute a European company. This is up to national data protection authorities and governments.

The objective of the European rules is not to "dictate its norms to the rest of the world." Our rules are intended to grant that European companies guarantee European citizens' constitutional rights even if the companies export data about them. Our hope is only that the country from which we inherited the idea of data privacy in the 1960s will itself complete the step it started.

Hansjurgen Garstka

Data Protection Commissioner