CIO — In 1994, Citibank and the German National Railway agreed to cobrand a credit card. Simple? Hardly. Mindful of the difference in European and U.S. privacy regulations, German data protection commissioners (government officials who ensure privacy regulations are followed) quickly stepped into the situation. They feared that the free-market, self-regulatory approach that U.S. corporations have taken to consumer security could jeopardize the privacy of German consumers whose personal information would be sent to the United States for processing. The commissioners forced Citibank to develop an expensive contractual solution that would allow German customers to access their own records. It also established limitations on the collection and use of customer information, and ensured that the information would be kept within the company and not brokered out for unrelated purposes. All of those conditions, of course, are established rights for Europeans.
Simon Davies, director of London-based Privacy International and visiting fellow in the Department of Information Systems at the London School of Economics, estimates that the nine-month project delay may have cost Citibank anywhere from $10 million to $50 million in lost opportunity and legal costs. He wants the U.S. government to step in and offer American consumers the same legislative protections and redress that European citizens enjoy. Further, Davies warns that U.S. companies that don’t start to align their privacy practices with Europe’s run the risk of losing business from European companies and consumers, and further destabilizing the relationship between American industry and its European counterparts.
CIO recently spoke with Davies about why Europe and the United States have a hard time agreeing on a privacy standard, the effect it is having on free trade, and what CIOs in the United States can do to avoid losing money and business overseas.
CIO: How did the United States and the European Union (EU) develop such different views on how privacy should be handled?
Davies: In Europe, World War II changed the way people viewed the relationship between the citizen and the state. Countries were invaded and occupied. Governments turned on their citizens. People didn’t trust corporate and government power structures. People saw that information was power and that ultimately the freedom of a nation and of the individual depended on a healthy relationship between citizens and organizations.
The underpinning of that belief turned out to be data-protection legislation. European companies have learned to respect fair information practices and to obey a range of protection laws that have existed for more than 20 years. [See "A Safe Harbor," Page 96.] The United States, on the other hand, views those practices with a more flexible outlook, and the lack of U.S. law probably comes down to one or two ingrained perspectives. The first is a suspicion of federal government agencies, and the second is a cultural imperative that supports the idea that self-regulation will and can ultimately work.
What effect is this situation having, short and long term, on trade between the United States and the European Union?
Ultimately, there are likely to be many trade issues, and I suspect legal cases will be brought up that will destabilize trade between the two regions. If, for example, investors looking at trans-Atlantic deals see instability in future arrangements, they’re less likely to invest. Currently there are all sorts of uncertainties in trading between America and Europe because no one’s quite sure at which point a civil action could arise, which would paralyze the exchange of business between the two. Safe Harbor, which was the U.S. Federal Trade Commission and European Union privacy compromise, was proposed as the solution to this paralysis.
What does all this mean to the consumer?
In Europe, a customer’s right to see his company-held records is almost absolute. Any customer can contact a company and expect his file to be forwarded. Therefore the way information systems are established in European countries is markedly different. When systems are developed, one of the design requirements is access to all customer information. It is typical in Europe to be able to pull information on any customer on request from every area of the company and to isolate the flow of that information outside the company. Companies now expect that any incorrect information or information that has been collected without consent must be changed or expunged. The United States has no such requirements and no such expectations.
