The State of Data Privacy in the US

In 1994, Citibank and the German National Railway agreed to cobrand a credit card. Simple? Hardly. Mindful of the difference in European and U.S. privacy regulations, German data protection commissioners (government officials who ensure privacy regulations are followed) quickly stepped into the situation. They feared that the free-market, self-regulatory approach that U.S. corporations have taken to consumer security could jeopardize the privacy of German consumers whose personal information would be sent to the United States for processing. The commissioners forced Citibank to develop an expensive contractual solution that would allow German customers to access their own records. It also established limitations on the collection and use of customer information, and ensured that the information would be kept within the company and not brokered out for unrelated purposes. All of those conditions, of course, are established rights for Europeans.

Simon Davies, director of London-based Privacy International and visiting fellow in the Department of Information Systems at the London School of Economics, estimates that the nine-month project delay may have cost Citibank anywhere from $10 million to $50 million in lost opportunity and legal costs. He wants the U.S. government to step in and offer American consumers the same legislative protections and redress that European citizens enjoy. Further, Davies warns that U.S. companies that don’t start to align their privacy practices with Europe’s run the risk of losing business from European companies and consumers, and further destabilizing the relationship between American industry and its European counterparts.

CIO recently spoke with Davies about why Europe and the United States have a hard time agreeing on a privacy standard, the effect it is having on free trade, and what CIOs in the United States can do to avoid losing money and business overseas.

CIO: How did the United States and the European Union (EU) develop such different views on how privacy should be handled?

Davies: In Europe, World War II changed the way people viewed the relationship between the citizen and the state. Countries were invaded and occupied. Governments turned on their citizens. People didn’t trust corporate and government power structures. People saw that information was power and that ultimately the freedom of a nation and of the individual depended on a healthy relationship between citizens and organizations. The underpinning of that belief turned out to be data-protection legislation. European companies have learned to respect fair information practices and to obey a range of protection laws that have existed for more than 20 years. [See “A Safe Harbor,” Page 96.] The United States, on the other hand, views those practices with a more flexible outlook, and the lack of U.S. law probably comes down to one or two ingrained perspectives. The first is a suspicion of federal government agencies, and the second is a cultural imperative that supports the idea that self-regulation will and can ultimately work.

What effect is this situation having, short and long term, on trade between the United States and the European Union?

Ultimately, there are likely to be many trade issues, and I suspect legal cases will be brought up that will destabilize trade between the two regions. If, for example, investors looking at trans-Atlantic deals see instability in future arrangements, they’re less likely to invest. Currently there are all sorts of uncertainties in trading between America and Europe because no one’s quite sure at which point a civil action could arise, which would paralyze the exchange of business between the two. Safe Harbor, which was the U.S. Federal Trade Commission and European Union privacy compromise, was proposed as the solution to this paralysis.

What does all this mean to the consumer?

In Europe, a customer’s right to see his company-held records is almost absolute. Any customer can contact a company and expect his file to be forwarded. Therefore the way information systems are established in European countries is markedly different. When systems are developed, one of the design requirements is access to all customer information. It is typical in Europe to be able to pull information on any customer on request from every area of the company and to isolate the flow of that information outside the company. Companies now expect that any incorrect information or information that has been collected without consent must be changed or expunged. The United States has no such requirements and no such expectations.

In fact, you argue that many U.S. business practices actually foster the leakage of personal information outside companies.

The leakage of personal information is an industry unto itself in the United States. Take, for example, the information brokerage industry?the intermediaries who purchase personal customer data from websites and create specialized lists, which they then sell to other companies. That industry could not survive in its current form in Europe. It would simply be illegal. Other areas of great concern are the outsourcing of personal data to developing countries or to prisoners for processing, and the selling of customer data to third parties in the event of a takeover or sale of the company.

What is the current status of a global privacy standard? Is that idea dead in the water?

We had always hoped that the European directive would become the default global standard. It would only have required U.S. agreement. Canada has moved in that direction. Other countries, such as Australia, are slowly moving in that direction. The United States stands alone in fighting the idea of specific legal privacy protections. My position, and Privacy International’s position, has always been that companies should have seen the light by now and should resent the current situation. Companies now engaged in trade with European states have to go through a long and expensive contractual process. They should see that it would be far more sensible to support the idea of federal laws so that these contractual solutions wouldn’t be necessary.

What do these contractual solutions mean for a U.S. company that is trying to do business in Europe?

Essentially, U.S. companies have to create an environment that replicates the European conditions. The contracts vary from situation to situation, but by and large they establish the European fair information practices and data protection principles within the borders of the United States to cover the data exchanged in a specific business arrangement. We have had many occasions where contractual deals have been necessary and deals that have been suspended or information flow paralyzed because the U.S.-based organization could not offer those protections.

How do you make the case to U.S. companies that they should do something about privacy in the current climate where neither the government nor consumers are forcing their hand?

I’m not suggesting that companies should reengineer themselves overnight. Even within Europe there have been transitional periods. But my guess is that if U.S. businesses were to engage in designing privacy into their emerging systems, they would discover that the cost is marginal. What a tremendous way to engage in best practices in customer relations.

What should the CIO’s role be with respect to privacy?

A CIO can become a champion of better privacy. The CIO can advocate that the company pursue best practices at every level and then take those best practices and sell them to other companies and to the government. He can make sure that people both within the industry and among consumers know that the company has taken positive steps to become a good corporate citizen. A CIO should aim to be ahead of the trend, ahead of the demands of customers. Best privacy practices fit squarely within those objectives.

What best practices would you suggest that CIOs focus on?

One of the important areas a CIO can concentrate on is providing specific rights to the company’s customers, and one that comes to mind immediately is the right to view and correct personal information held by the company. That would be a giant step forward. It would go beyond the Safe Harbor conditions and would establish to customers that the company respects their rights and understands that the relationship between company and consumer is a two-way affair.

What do you consider the likely outcome of the tug-of-war between the United States and the European Union with respect to privacy?

I suspect that there are two possible avenues that would lead to the same result. The first is a slow process of corporate evolution. As companies become more global, maybe there will be a change in U.S. corporate practice. The second and more likely avenue is a high-profile legal action or series of legal actions against key data flows between Europe and America. I’m thinking, for example, of the banking system, health-care research, credit cards, and travel and transport industry. The whole edifice could be punctured with the appropriate civil action from Europe. And it is quite likely that if the United States fails to show good faith and if Safe Harbor collapses under its own weight, then the only course left for Europeans is to engage in a systematic paralysis of business dealings between the two regions. I consider that to be quite likely.