[ISN] Europe Launches a Crackdown in Cyberspace

From: mea culpa (jerichoat_private)
Date: Mon Nov 23 1998 - 14:29:42 PST


    Forwarded From: Nicholas Charles Brawn <ncb05at_private>
    By Stephen Baker, Report from Business Week, with Marsha Johnston in Paris
    and William Echikson in Brussels.
    The European directive on data privacy may take some time to affect
    Australian businesses, but it's already hitting some US-based corporations
    hard. Stephen Baker explores why. 
    The EU wants others to adhere to its strict rules protecting electronic
    data ... or else. Germany's data police, the Datenschutz, considers itself
    a kind of anti-Gestapo. Where Hitler's secret police used files on German
    citizens as tools of terror and control, the mission of the Datenschutz is
    to protect people's personal data. 
    For this, inspectors trek from Berlin all the way to Sioux City in the US,
    to Citigroup's giant data-processing centre, where computers store
    financial information about millions of German credit-card holders.  The
    Germans, said Mr Stefan Walz, a Datenschutz commissioner, pay regular
    visits "to make sure that the data are being handled according to [German]
    Citi accepted the supervision four years ago in return for permission to
    market a credit card in Germany. But soon, US companies could be dealing
    with Europe's privacy inspectors whether they've bargained for it or not. 
    Europe is launching a crackdown in cyberspace. On October 25, when the
    European Union Directive on Data Protection was adopted, commissioners in
    Brussels received the legal tools to prosecute companies and block web
    sites that fail to live up to Europe's exacting standards on data privacy. 
    The directive was negotiated among the EU governments over six years and,
    while adopted by the EU, has not yet been implemented because it was
    decided to pursue further dialogue with the US on privacy principles. In
    the meantime, data flows will proceed without disruption. There will be a
    three-year phase-in period and the directive will be enforced by October
    The directive guarantees European citizens absolute control over data
    concerning them. If a company wants personal information, it must get that
    person's permission and explain what the information will be used for.  It
    must also promise not to use it for anything else without the citizen's
    consent. A company selling birdseed, for example, can't use its mailing
    list to hawk Audubon calendars. 
    Citizens have the right to know where information about them came from, to
    demand to see it, to correct it if wrong, and to delete it if
    objectionable. And they have a right to file suits against any person or
    company they feel is misusing their data. 
    One piece of the law is particularly stringent. Article 29 demands that
    foreign governments provide data protection every bit as rigorous as
    Europe's, under a similar regulatory structure. Those that fail, the EU
    warns, could find their data flows with Europe, the world's largest
    economy, outlawed. 
    EU officials soft-pedal the strong language and maintain that they would
    target certain companies or industries, not entire nations. Yet the new
    directive marks the first concerted initiative of a united Europe to
    dictate its norms to the rest of the world. It also takes Europe's
    regulatory reach into the crucial organs of the Information Economy -
    computer databases and the internet. "A global system requires global
    regulations," said Mr Walz. 
    The goal is to keep the doctors' bills and credit-card records of Europe's
    350 million citizens beyond the reach of digital scam artists everywhere. 
    But the definition of personal data is so broad, complains a US telecom
    exec in Brussels, that "this would make it hard even to publish a
    telephone book". 
    The question is whether governments outside Europe will stand for the law. 
    As the global leader in online business, the US is a particular target of
    the directive. So Washington finds itself negotiating on behalf of the
    entire non-European world. 
    At the root of the battle is a philosophical chasm nearly as wide as the
    Atlantic. Europeans look to democratic regimes to protect their privacy. 
    Americans, meanwhile, tend at first to leave information flows
    unregulated.  Later, they slap controls on objectionable areas, such as
    child pornography on the web. 
    "In Europe, people don't trust companies, they trust government," said Mr
    Emanuel Kohnstamm, a Time Warner Inc vice-president in Brussels.  "In the
    US, it's the opposite way around: citizens must be protected from actions
    of the Government." 
    The ideological rift could result in an all-out trade war if the EU starts
    hammering US companies for their handling of data or forcing internet
    service providers in Europe to block certain web pages. Executives fear
    that such actions would prompt Congress to retaliate with protectionist
    measures against Europe. 
    Data exchange, already a critical issue for business, is a key to
    marketers' global ambitions. Their plan is to plumb massive databases of
    buying patterns, develop hundreds of thousands of detailed customer
    profiles, and then hit buyers with finely tuned pitches - preferably
    This targeting is at the foundation of e-commerce, an industry that totals
    only $32 billion in annual sales now, but is expected to reach $425
    billion within four years, according to International Data Corp. 
    Executives on both sides of the Atlantic fret that it could be throttled
    in its cradle by zealous regulators. "This could mean the Balkanisation of
    e-commerce," warned Mr John E. Frank, European legal counsel for Microsoft
    The Europeans respond that e-commerce can't grow without consumer
    confidence. Only the most fearless or foolish consumer, they say, would
    venture into unregulated digital malls. 
    Europeans abhor the American habit of planting "cookies", the data tags
    that hook into a log-in name, track the web sites it has explored, and
    send back consumer profiles. They believe that Americans, from TV
    talk-show hosts to Congress, are all too ready to exploit citizens'
    private lives.  They are also outraged that US prosecutors and insurers
    use the web to unearth facts that people would rather keep to themselves.
    Brussels claims it can protect Europeans from such intrusions. 
    While EU officials promise restraint concerning the implementation of
    their directive, privacy activists in Europe are preparing to go after US
    companies that violate the new directive. 
    Privacy International, a London-based advocacy group, said it was
    investigating privacy practices at 25 leading US companies, including
    Electronic Data Systems, Ford, Hilton International, Microsoft, and United
    Airlines, and vows to sue alleged offenders in January.  That would force
    EU regulators to take legal action, too. For their part, the target
    companies say they are hurrying to meet Europe's new privacy requirements. 
    In trying to police the internet, European regulators have set themselves
    a formidable job. Many national data-protection agencies have not yet
    passed statutes to comply with the new directive, and some are still
    adjusting from printed to digital records. 
    In Paris, at the National Association on Data Processing & Liberty (CNIL),
    a staff of 60 handles 10,000 monthly calls and 4,000 annual complaints -
    while sifting through databases registered by thousands of companies in
    France. The staff could be stretched even thinner, said CNIL legal counsel
    Mr Joel Boyer, as agents carry out field inspections. 
    One of CNIL's early stops is likely to be the European headquarters of
    Microsoft, lodged in the gleaming La Defense section of Paris. At
    Microsoft, and hundreds of other high-tech companies, the inspectors find
    a different approach to data control. "The Europeans want to inspect
    data,"  said Microsoft's Mr Frank. 
    "We want to provide technology for people to make their own choices." 
    Microsoft is developing software to quiz consumers, through a series of
    pop-up menus and mouse clicks, about what products or services they want
    and how much data they're willing to share. 
    Software companies aren't the only ones hoping to cash in on the new
    regulations. NCR Corp, a major producer of data-storage software, is
    marketing a host of new products to meet privacy needs, allowing companies
    to juggle digital warehouses of consumer data. 
    For example, a user would have access to personal information for benign
    purposes, such as anonymous market surveys. But the same user could not
    access that data to launch a direct-mail campaign for a new product -
    unless a consumer had given the OK for such pitches. 
    Companies that rely on cross-selling are scrambling to comply with the new
    rules. Airlines, for example, have long regarded their executive clubs as
    marketing databases in themselves. Most airlines pitch their first-class
    passengers everything from limousine rentals to bargains on luxury suites. 
    Now, such cross-marketing is forbidden without the customer's formal
    Of course, airlines can still get the information they need - if they can
    afford the expense. British Airways PLC has been frantically revamping its
    software to ask questions the right way. 
    Now, the company explains why it is asking for birth dates (to distinguish
    one John Smith from another) and nationalities (to whisk people through
    immigration). The next job is to push these standards to BA partners
    around the world, which may involve rewriting contracts. "We haven't even
    put a cost on that yet," said BA data-operations executive Ms Tricia Ade. 
    It may seem ironic that Europe, which is playing catch-up in the entire
    digital arena, from PCs to e-commerce, has taken the lead in policing data
    on the internet. However, privacy is a burning issue of the New Economy
    and one that cries out for regulation. 
    In the worst cases, Eurocrats fear, banks could tap into customers'
    medical records and base loan approval on their health. They tell of a gay
    army officer whose sexual orientation made its way into an America Online
    Inc profile and led to his dismissal. 
    The question is whether together, Europe's regulators and America's free
    marketeers can devise a scheme to patrol the net without dragging it down. 
    Encryption's secret world - page 19. 