Radically different American and European notions of privacy and how to protect it are threatening to curb the worldwide boom in electronic commerce.
New European Union rules governing international transfers of personal data over the Internet go into effect today. They commit EU governments to strict new privacy standards in electronic databases storing citizens' personal details. And they oblige governments to block data transfers to countries that fail to uphold "adequate" privacy provisions.
That, in the European Commission's view, includes the United States.
Year-long efforts by senior US negotiators to convince the EU otherwise have shown how "in Europe, privacy is seen as a human right ... while the Americans are saying that the market should look after it," says Christiaan van der Valk, an expert in electronic privacy issues with the Paris-based International Chamber of Commerce.
Unless European and US negotiators reach agreement, the EU directive "could have pretty severe long-term effects, hindering the extension of e-commerce and the globalization of industry generally," warns IBM spokeswoman Armgard von Reden.
The new rules give European citizens the right to access personal data held on them by private corporations and to correct it if it is false. Individuals must give consent to the processing of sensitive data such as medical records or details of ethnicity.
Web-site operators routinely capture personal information about users who visit their sites and sell it to direct marketing companies and other clients. "Privacy safeguards in the United States have not kept up to date," argued Marc Rotenberg, a teacher of privacy law at Georgetown University in Washington, in testimony to the US House of Representatives earlier this year.
If data protection officials in European countries were to start forbidding the transfer of personal data to the US this week, or demanding individual notification of such transfers from data processors, "everything would grind to a halt," says Philip Jones, assistant registrar at Britain's Data Protection Registry, a government body.
Every day companies such as airlines, banks, and insurance firms transfer millions of bits of information - like names, addresses, and phone numbers - on clients or potential customers.
But "nobody is going to go down to some basement in European Union headquarters to throw a switch that will shut off all data flows on Monday morning," adds Professor Rotenberg.
Only a handful of the 15 EU countries have passed the legislation to implement the Commission's directive. The Commission is still negotiating with the US on how the rules will be enforced.
Washington, reluctant to legislate, is seeking EU approval for a voluntary system. US companies wishing to process Europeans' personal information would adhere to a set of principles laid down by the Department of Commerce. How they would be enforced, however, and how European citizens could seek redress for any grievances, is not yet clear.
Alternatively, US negotiators are suggesting companies could join systems such as the Online Privacy Alliance, set up by IBM and Time Warner, among others. Members commit themselves to respect the alliance's privacy standards and to submit to checks by TRUSTe, an independent verification organization.
Data-importing companies in the US could also sign contracts with the exporter, pledging to treat information with the same degree of confidentiality it would enjoy in Europe. "Most global companies are heading in this direction," says Ms. von Reden.
EC officials were to meet European representatives today to discuss the American proposals and Washington's request for a 90-day extension of the application of the new rules. Nobody expects dramatic changes this week, but privacy activists are expected to test the directive as soon as it comes into force by laying a complaint against a high-profile company such as Visa International or Citigroup.
At the moment, says one executive with an international financial services group, "I am not sure that anyone can say how this is all supposed to work in real life."