Forwarded From: Nicholas Charles Brawn <ncb05@uow.edu.au>
24Nov98 BELGIUM: SUPPLEMENT - EUROPE LAUNCHES A CRACKDOWN IN CYBERSPACE.
By Stephen Baker, Report from Business Week, with Marsha Johnston in Paris
and William Echikson in Brussels.
The European directive on data privacy may take some time to affect
Australian businesses, but it's already hitting some US-based corporations
hard. Stephen Baker explores why.
The EU wants others to adhere to its strict rules protecting electronic
data ... or else. Germany's data police, the Datenschutz, considers itself
a kind of anti-Gestapo. Where Hitler's secret police used files on German
citizens as tools of terror and control, the mission of the Datenschutz is
to protect people's personal data.
For this, inspectors trek from Berlin all the way to Sioux City in the US,
to Citigroup's giant data-processing centre, where computers store
financial information about millions of German credit-card holders. The
Germans, said Mr Stefan Walz, a Datenschutz commissioner, pay regular
visits "to make sure that the data are being handled according to [German]
law".
Citi accepted the supervision four years ago in return for permission to
market a credit card in Germany. But soon, US companies could be dealing
with Europe's privacy inspectors whether they've bargained for it or not.
Europe is launching a crackdown in cyberspace. On October 25, when the
European Union Directive on Data Protection was adopted, commissioners in
Brussels received the legal tools to prosecute companies and block web
sites that fail to live up to Europe's exacting standards on data privacy.
The directive was negotiated among the EU governments over six years and,
while adopted by the EU, has not yet been implemented because it was
decided to pursue further dialogue with the US on privacy principles. In
the meantime, data flows will proceed without disruption. There will be a
three-year phase-in period and the directive will be enforced by October
2001.
The directive guarantees European citizens absolute control over data
concerning them. If a company wants personal information, it must get that
person's permission and explain what the information will be used for. It
must also promise not to use it for anything else without the citizen's
consent. A company selling birdseed, for example, can't use its mailing
list to hawk Audubon calendars.
Citizens have the right to know where information about them came from, to
demand to see it, to correct it if wrong, and to delete it if
objectionable. And they have a right to file suits against any person or
company they feel is misusing their data.
One piece of the law is particularly stringent. Article 29 demands that
foreign governments provide data protection every bit as rigorous as
Europe's, under a similar regulatory structure. Those that fail, the EU
warns, could find their data flows with Europe, the world's largest
economy, outlawed.
EU officials soft-pedal the strong language and maintain that they would
target certain companies or industries, not entire nations. Yet the new
directive marks the first concerted initiative of a united Europe to
dictate its norms to the rest of the world. It also takes Europe's
regulatory reach into the crucial organs of the Information Economy -
computer databases and the internet. "A global system requires global
regulations," said Mr Walz.
The goal is to keep the doctors' bills and credit-card records of Europe's
350 million citizens beyond the reach of digital scam artists everywhere.
But the definition of personal data is so broad, complains a US telecom
exec in Brussels, that "this would make it hard even to publish a
telephone book".
The question is whether governments outside Europe will stand for the law.
As the global leader in online business, the US is a particular target of
the directive. So Washington finds itself negotiating on behalf of the
entire non-European world.
At the root of the battle is a philosophical chasm nearly as wide as the
Atlantic. Europeans look to democratic regimes to protect their privacy.
Americans, meanwhile, tend at first to leave information flows
unregulated. Later, they slap controls on objectionable areas, such as
child pornography on the web.
"In Europe, people don't trust companies, they trust government," said Mr
Emanuel Kohnstamm, a Time Warner Inc vice-president in Brussels. "In the
US, it's the opposite way around: citizens must be protected from actions
of the Government."
The ideological rift could result in an all-out trade war if the EU starts
hammering US companies for their handling of data or forcing internet
service providers in Europe to block certain web pages. Executives fear
that such actions would prompt Congress to retaliate with protectionist
measures against Europe.
Data exchange, already a critical issue for business, is a key to
marketers' global ambitions. Their plan is to plumb massive databases of
buying patterns, develop hundreds of thousands of detailed customer
profiles, and then hit buyers with finely tuned pitches - preferably
online.
This targeting is at the foundation of e-commerce, an industry that totals
only $32 billion in annual sales now, but is expected to reach $425
billion within four years, according to International Data Corp.
Executives on both sides of the Atlantic fret that it could be throttled
in its cradle by zealous regulators. "This could mean the Balkanisation of
e-commerce," warned Mr John E. Frank, European legal counsel for Microsoft
Corp.
The Europeans respond that e-commerce can't grow without consumer
confidence. Only the most fearless or foolish consumer, they say, would
venture into unregulated digital malls.
Europeans abhor the American habit of planting "cookies", the data tags
that hook into a log-in name, track the web sites it has explored, and
send back consumer profiles. They believe that Americans, from TV
talk-show hosts to Congress, are all too ready to exploit citizens'
private lives. They are also outraged that US prosecutors and insurers
use the web to unearth facts that people would rather keep to themselves.
Brussels claims it can protect Europeans from such intrusions.
While EU officials promise restraint concerning the implementation of
their directive, privacy activists in Europe are preparing to go after US
companies that violate the new directive.
Privacy International, a London-based advocacy group, said it was
investigating privacy practices at 25 leading US companies, including
Electronic Data Systems, Ford, Hilton International, Microsoft, and United
Airlines, and vows to sue alleged offenders in January. That would force
EU regulators to take legal action, too. For their part, the target
companies say they are hurrying to meet Europe's new privacy requirements.
In trying to police the internet, European regulators have set themselves
a formidable job. Many national data-protection agencies have not yet
passed statutes to comply with the new directive, and some are still
adjusting from printed to digital records.
In Paris, at the National Association on Data Processing & Liberty (CNIL),
a staff of 60 handles 10,000 monthly calls and 4,000 annual complaints -
while sifting through databases registered by thousands of companies in
France. The staff could be stretched even thinner, said CNIL legal counsel
Mr Joel Boyer, as agents carry out field inspections.
One of CNIL's early stops is likely to be the European headquarters of
Microsoft, lodged in the gleaming La Defense section of Paris. At
Microsoft, and hundreds of other high-tech companies, the inspectors find
a different approach to data control. "The Europeans want to inspect
data," said Microsoft's Mr Frank.
"We want to provide technology for people to make their own choices."
Microsoft is developing software to quiz consumers, through a series of
pop-up menus and mouse clicks, about what products or services they want
and how much data they're willing to share.
Software companies aren't the only ones hoping to cash in on the new
regulations. NCR Corp, a major producer of data-storage software, is
marketing a host of new products to meet privacy needs, allowing companies
to juggle digital warehouses of consumer data.
For example, a user would have access to personal information for benign
purposes, such as anonymous market surveys. But the same user could not
access that data to launch a direct-mail campaign for a new product -
unless a consumer had given the OK for such pitches.
Companies that rely on cross-selling are scrambling to comply with the new
rules. Airlines, for example, have long regarded their executive clubs as
marketing databases in themselves. Most airlines pitch their first-class
passengers everything from limousine rentals to bargains on luxury suites.
Now, such cross-marketing is forbidden without the customer's formal
consent.
Of course, airlines can still get the information they need - if they can
afford the expense. British Airways PLC has been frantically revamping its
software to ask questions the right way.
Now, the company explains why it is asking for birth dates (to distinguish
one John Smith from another) and nationalities (to whisk people through
immigration). The next job is to push these standards to BA partners
around the world, which may involve rewriting contracts. "We haven't even
put a cost on that yet," said BA data-operations executive Ms Tricia Ade.
It may seem ironic that Europe, which is playing catch-up in the entire
digital arena, from PCs to e-commerce, has taken the lead in policing data
on the internet. However, privacy is a burning issue of the New Economy
and one that cries out for regulation.
In the worst cases, Eurocrats fear, banks could tap into customers'
medical records and base loan approval on their health. They tell of a gay
army officer whose sexual orientation made its way into an America Online
Inc profile and led to his dismissal.
The question is whether together, Europe's regulators and America's free
marketeers can devise a scheme to patrol the net without dragging it down.
Encryption's secret world - page 19.
AUSTRALIAN FINANCIAL REVIEW 24/11/1998 P16
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Tue Dec 8 08:57:57 1998