[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[infowar.de] wsj 10.10.03 (privacy) Europe's New High-Tech Role: Playing Privacy Cop to World
The Wall Street Journal, October 10, 2003
Europe's New High-Tech Role: Playing Privacy Cop to World
U.S. Firms Run Afoul Of EU Laws on Sharing And Collection of Data
By DAVID SCHEER
Staff Reporter of THE WALL STREET JOURNAL
BERLIN -- Last year General Motors Corp. set out to update its
electronic company phone book, so that with a few keystrokes its
engineers in, say, Taiwan could
look up colleagues in Germany. But an unanticipated problem came in the
way: Europe's strict privacy laws.
Employee office phone numbers were their "personal" information,
European authorities said. Bob Rothman, the car maker's chief privacy
officer, knew what that meant: sending numbers outside the EU would
require months of legal work through GM's global operations -- or the
company would be risking a criminal offense in some European countries.
Not even GM's U.S. headquarters could know the phone numbers, if the
company didn't take some measures first.
"They were very sympathetic," Mr. Rothman said of Europe's privacy
watchdogs, but they didn't budge, and GM spent about six months amassing
piles of legal documentation and other paperwork before it could finish
the project. "We spent a lot of money, and a lot of time, and a lot of
While the U.S. has opposed comprehensive regulations to protect
citizens' privacy, Europe has plowed ahead with the world's toughest set
of rules governing how companies and governments may deal with personal
data, such as one's age, marital status, buying patterns -- even the
information on a standard business card. And as GM's experience shows,
those rules are increasingly shaping the way businesses operate around
Since establishing its privacy rules eight years ago, an increasingly
self-assured European Union has exported the privacy standards to other
countries with similar values. Despite outcries from the U.S.,
EU-inspired laws are now the norm in Canada, South America, Australia,
New Zealand and parts of Asia.
The debate over privacy protection is another sign of the EU's growing
influence as a trading bloc and its emergence as a regulatory
superpower. In recent years,
Europe has flexed its muscle in mergers, nixing the proposed marriage of
General Electric Co. and Honeywell International Inc. In agriculture,
Europe's concerns about the potential risks of genetically modified food
have held up crop planning around the world.
Privacy rules attract less attention than these flashpoint issues but
their impact can be just as great. JetBlue Airways recently acknowledged
that it provided a Pentagon contractor with information on more than a
million passengers, causing an outcry in the U.S. In Europe, the action
wouldn't have just been bad public relations; it would have been
illegal. In Spain, where data-protection laws are particularly stiff,
fines for such an action can reach $500,000.
EU laws require retailers to ask permission to collect data, trade it to
partners, sell it, or even use it for their own marketing -- all common
practices in the U.S. In addition, companies in Europe are obliged to
let people see their data and correct it if it is wrong. The law
restricts how much information companies can collect on customers and
employees and how long they can keep it. The rules cover more than files
and statistics: Even video surveillance tapes must be erased after a
The U.S. regulates privacy in only a few sensitive areas, such as
medical and financial records. And while European countries established
independent government privacy agencies to actively enforce their rules,
U.S. laws grant similar authority in only a few industries. Most
companies are left to set their own standards, so long as they don't
harm their customers. An Iowa State University law professor, Peter
Swire, served two years as a privacy czar of sorts for the Clinton
administration. President Bush dissolved the post on taking office. The
Sept. 11, 2001, terrorist attacks have further weakened Washington's
will to protect data. Through new laws and new offices, Washington now
has more unfettered access to citizens' data than ever before. The
government's top privacy officer is an adviser for the Department of
American antiterrorism measures increasingly clash with European privacy
laws. Those laws, for instance, don't allow airlines flying from Europe
to release passenger names and other information that American customs
authorities are demanding prior to a flight's arrival on U.S. soil. So
far, European authorities are looking the other way as airlines provide
the details, such as itineraries, credit-card information and dietary
preferences. If airlines refuse to cooperate, they face stiff fines and
even the loss of U.S. landing rights.
Fundamental philosophical differences separate the U.S. and European
approaches. Europe has defined privacy as a human right, while in the
U.S. data-protection laws can quickly run afoul of free-speech
protections enshrined in the Constitution. The dichotomy is most
apparent in direct marketing. Europe's privacy laws essentially force
businesses to get permission before they make telemarketing calls to
their customers. In the U.S., a federal court in Denver recently blocked
a national do-not-call registry from taking full effect this month,
saying it violates a company's First Amendment rights. An appeals court
put that ruling on temporary hold Tuesday, letting the registry proceed
until the court makes a final ruling.
The U.S. was once in the forefront on data-protection laws. In 1974,
Congress passed the Privacy Act, one of the world's first laws limiting
the government's ability to collect, keep, use and disseminate personal
information on citizens. In the next few decades Congress adopted
piecemeal laws in response to crises. During congressional hearings to
confirm Judge Robert Bork's nomination to the Supreme Court in 1987, his
videotape-rental records became public. Congressional leaders acted
swiftly, barring video stores from divulging their records. (The law has
not been updated to mention DVDs, though some legal scholars suggest the
law would still apply). A law protecting drivers' records came after an
obsessed fan killed actress Rebecca Schaeffer, tracking her down with
"We were the original leaders on privacy," says Alan F. Westin, a
retired professor of public law and government at Columbia University
who helped draft the landmark 1974 law and now publishes an industry
newsletter, Privacy & American Business. "But Europeans would tell you
that, as they see it, we went to sleep and they moved ahead."
The U.S.'s patchwork of laws crippled its chances of setting the pace
for the globe, said Mr. Westin. The EU, by contrast, offers an
all-encompassing system for data protection. Argentina and Chile copied
Spain's laws, some of the stiffest in Europe, and the laws as drafted in
Spanish are now sweeping through South America, aided by a common
Europe's efforts stem primarily from Germany, where Nazi officials
pioneered the use of data-sorting machines in their efforts to identify
people with Jewish ancestry. Memories of that horrific past helped spur
the state of Hessen to pass the world's first comprehensive
data-protection rules in 1970. In the decade that followed, Germany used
data profiling to hunt down left-wing terrorists, monitoring people's
electricity use, for example, to find safehouses.
Though the efforts were successful, the public's fear of a return to
widespread government surveillance resulted in another backlash, and
more data protection laws followed. Soon every German state had at least
one privacy agency to make sure that governments and companies respected
data on citizens. By 1995, Germany and a few other European countries
with similar laws persuaded the European Commission to adopt a strict
directive, requiring all EU countries to get in line -- a process that
is now nearly done. The EU expands next year from 15 to 25 countries,
making it the world's largest trading bloc.
The rules are so broad that global companies assign dozens, and in some
cases hundreds, of employees to deal with them, enacting far-reaching
policies and restructuring entire databases. This has helped spur the
creation of a new breed of executive such as GM's Mr. Rothman: the chief
privacy officer. Virtually unheard of just five years ago, privacy
officers have quickly become a fixture, with hundreds of them in the
U.S. About 40% of top 500 global financial services companies have one,
according to a survey of 78 companies released this year by Deloitte
Touche LLP. A cottage industry has sprung up to help guide companies
into compliance with rules. Lawyers are specializing in the field, and
consultants in Brussels advertise seminars on data protection.
Global Privacy Center
When GM first encountered the emerging privacy laws, it dealt with them
as they arose, with GM offices in each country taking whatever steps
they saw fit to adapt to local legislation. But as the laws multiplied,
GM last year created a global privacy center, assigning Mr. Rothman to
lead it. He now coordinates nearly 100 people with at least part-time
privacy duties in GM offices around the world. The car maker also has a
variety of special privacy councils focused on specific issues such as
human resources and marketing.
Mr. Rothman was already familiar with the EU's rules but doubted they
would apply to something as innocuous as a company's internal phone
book. One important clause makes it illegal to transfer any personal
information to countries with "inadequate" laws -- including the U.S. So
to be safe, Mr. Rothman's office contacted a few European countries to
make sure it could export GM's office telephone numbers to a U.S.
computer server and make them available to staff around the world. It
So how does a U.S. company move data outside Europe? One option is to
adopt Safe Harbor rules negotiated by the U.S. Department of Commerce.
Under the program, U.S. companies essentially promise to handle European
data by Europe's standards outside the EU. Some 394 U.S. companies have
signed up to handle at least part of their records that way. EU privacy
authorities say it's one of several ways aimed at helping foreign
companies move data internationally and avoiding harm to commerce.
At GM, exporting the phone numbers via the Safe Harbor program meant
spending several months mapping where the phone book might be used and
by whom. Mr. Rothman's staff then notified the car maker's European
employees that their office numbers would be sent to headquarters, and
following European practice, offered them a third-party mediator if they
objected (nobody did). Finally, the company pressed 200 of its
affiliates around the world to sign contracts, vowing not to misuse the
phone numbers -- by, say, selling them to telemarketers. "Can you
imagine having to have 200 entities sign one contract?" said Mr.
Rothman. His office set up a special Web site to coordinate the project.
Many of the largest U.S. companies are searching for simpler solutions.
Some have adopted global, one-size-fits-all approaches, usually based on
the EU's model. Procter & Gamble Co. and DuPont Co. have announced such
policies in recent years. "That tends to be the gold standard nowadays,"
said DuPont's corporate counsel, Donald A. Cohn. The company is
collecting consent forms from all its employees -- even in countries
where it's not required -- and is asking all its affiliates to sign
contracts vowing not to abuse the information. When it's done, DuPont
says it will be prepared to move data easily in any country that adopts
EU-style laws. A P&G spokeswoman says its global policy is based on the
European system and already brings its use of phone numbers in
compliance with EU laws.
A few years ago, GE launched an effort like GM's so its phone book could
pass EU muster. Since then, it has applied EU-like standards for its
employee data around the world, says Ivan Fong, GE's CPO.
IMS Health Inc., which collects and then sells information on
pharmaceutical usage, gathers data from some 29,000 sources in more than
100 countries. The company employs four chief privacy officers and
hundreds of employees helping it keep up with privacy regulations, and
it consults with lawmakers to shape bills, says chairman and chief
executive David M. Thomas.
Among companies' chief complaints are costs, though numbers remain
elusive. It can take a company years to enact major and minor changes in
all its operations, say chief privacy officers. "It's not unlike the
environmental measures of 30 or 40 years ago," said GE's Mr. Fong. "It's
so new that companies don't know how to measure the costs."
Write to David Scheer at david -
- dowjones -
Updated October 10, 2003
HSFK Hessische Stiftung für Friedens- und Konfliktforschung
PRIF Peace Research Institute Frankfurt
Leimenrode 29 60322 Frankfurt a/M Germany
Tel +49 (0)69 9591 0422 Fax +49 (0)69 5584 81
- hsfk -
Mail an infowar -
- infopeace -
de mit "unsubscribe" im Text.