Forwarded From: Nicholas Charles Brawn <ncb05at_private>

24Nov98 BELGIUM: SUPPLEMENT - EUROPE LAUNCHES A CRACKDOWN IN CYBERSPACE.

By Stephen Baker, Report from Business Week, with Marsha Johnston in Paris and William Echikson in Brussels.

The European directive on data privacy may take some time to affect Australian businesses, but it's already hitting some US-based corporations hard. Stephen Baker explores why.

The EU wants others to adhere to its strict rules protecting electronic data ... or else.

Germany's data police, the Datenschutz, considers itself a kind of anti-Gestapo. Where Hitler's secret police used files on German citizens as tools of terror and control, the mission of the Datenschutz is to protect people's personal data. For this, inspectors trek from Berlin all the way to Sioux City in the US, to Citigroup's giant data-processing centre, where computers store financial information about millions of German credit-card holders.

The Germans, said Mr Stefan Walz, a Datenschutz commissioner, pay regular visits "to make sure that the data are being handled according to [German] law". Citi accepted the supervision four years ago in return for permission to market a credit card in Germany.

But soon, US companies could be dealing with Europe's privacy inspectors whether they've bargained for it or not. Europe is launching a crackdown in cyberspace. On October 25, when the European Union Directive on Data Protection was adopted, commissioners in Brussels received the legal tools to prosecute companies and block web sites that fail to live up to Europe's exacting standards on data privacy.

The directive was negotiated among the EU governments over six years and, while adopted by the EU, has not yet been implemented because it was decided to pursue further dialogue with the US on privacy principles. In the meantime, data flows will proceed without disruption. There will be a three-year phase-in period and the directive will be enforced by October 2001.
The directive guarantees European citizens absolute control over data concerning them. If a company wants personal information, it must get that person's permission and explain what the information will be used for. It must also promise not to use it for anything else without the citizen's consent. A company selling birdseed, for example, can't use its mailing list to hawk Audubon calendars. Citizens have the right to know where information about them came from, to demand to see it, to correct it if wrong, and to delete it if objectionable. And they have a right to file suits against any person or company they feel is misusing their data.

One piece of the law is particularly stringent. Article 29 demands that foreign governments provide data protection every bit as rigorous as Europe's, under a similar regulatory structure. Those that fail, the EU warns, could find their data flows with Europe, the world's largest economy, outlawed.

EU officials soft-pedal the strong language and maintain that they would target certain companies or industries, not entire nations. Yet the new directive marks the first concerted initiative of a united Europe to dictate its norms to the rest of the world. It also takes Europe's regulatory reach into the crucial organs of the Information Economy - computer databases and the internet.

"A global system requires global regulations," said Mr Walz. The goal is to keep the doctors' bills and credit-card records of Europe's 350 million citizens beyond the reach of digital scam artists everywhere. But the definition of personal data is so broad, complains a US telecom exec in Brussels, that "this would make it hard even to publish a telephone book".

The question is whether governments outside Europe will stand for the law. As the global leader in online business, the US is a particular target of the directive. So Washington finds itself negotiating on behalf of the entire non-European world.
At the root of the battle is a philosophical chasm nearly as wide as the Atlantic. Europeans look to democratic regimes to protect their privacy. Americans, meanwhile, tend at first to leave information flows unregulated. Later, they slap controls on objectionable areas, such as child pornography on the web.

"In Europe, people don't trust companies, they trust government," said Mr Emanuel Kohnstamm, a Time Warner Inc vice-president in Brussels. "In the US, it's the opposite way around: citizens must be protected from actions of the Government."

The ideological rift could result in an all-out trade war if the EU starts hammering US companies for their handling of data or forcing internet service providers in Europe to block certain web pages. Executives fear that such actions would prompt Congress to retaliate with protectionist measures against Europe.

Data exchange, already a critical issue for business, is a key to marketers' global ambitions. Their plan is to plumb massive databases of buying patterns, develop hundreds of thousands of detailed customer profiles, and then hit buyers with finely tuned pitches - preferably online. This targeting is at the foundation of e-commerce, an industry that totals only $32 billion in annual sales now, but is expected to reach $425 billion within four years, according to International Data Corp.

Executives on both sides of the Atlantic fret that it could be throttled in its cradle by zealous regulators. "This could mean the Balkanisation of e-commerce," warned Mr John E. Frank, European legal counsel for Microsoft Corp.

The Europeans respond that e-commerce can't grow without consumer confidence. Only the most fearless or foolish consumer, they say, would venture into unregulated digital malls. Europeans abhor the American habit of planting "cookies", the data tags that hook into a log-in name, track the web sites it has explored, and send back consumer profiles.
They believe that Americans, from TV talk-show hosts to Congress, are all too ready to exploit citizens' private lives. They are also outraged that US prosecutors and insurers use the web to unearth facts that people would rather keep to themselves. Brussels claims it can protect Europeans from such intrusions.

While EU officials promise restraint concerning the implementation of their directive, privacy activists in Europe are preparing to go after US companies that violate the new directive. Privacy International, a London-based advocacy group, said it was investigating privacy practices at 25 leading US companies, including Electronic Data Systems, Ford, Hilton International, Microsoft, and United Airlines, and vows to sue alleged offenders in January. That would force EU regulators to take legal action, too. For their part, the target companies say they are hurrying to meet Europe's new privacy requirements.

In trying to police the internet, European regulators have set themselves a formidable job. Many national data-protection agencies have not yet passed statutes to comply with the new directive, and some are still adjusting from printed to digital records. In Paris, at the National Association on Data Processing & Liberty (CNIL), a staff of 60 handles 10,000 monthly calls and 4,000 annual complaints - while sifting through databases registered by thousands of companies in France. The staff could be stretched even thinner, said CNIL legal counsel Mr Joel Boyer, as agents carry out field inspections.

One of CNIL's early stops is likely to be the European headquarters of Microsoft, lodged in the gleaming La Defense section of Paris. At Microsoft, and hundreds of other high-tech companies, the inspectors find a different approach to data control. "The Europeans want to inspect data," said Microsoft's Mr Frank. "We want to provide technology for people to make their own choices."
Microsoft is developing software to quiz consumers, through a series of pop-up menus and mouse clicks, about what products or services they want and how much data they're willing to share.

Software companies aren't the only ones hoping to cash in on the new regulations. NCR Corp, a major producer of data-storage software, is marketing a host of new products to meet privacy needs, allowing companies to juggle digital warehouses of consumer data. For example, a user would have access to personal information for benign purposes, such as anonymous market surveys. But the same user could not access that data to launch a direct-mail campaign for a new product - unless a consumer had given the OK for such pitches.

Companies that rely on cross-selling are scrambling to comply with the new rules. Airlines, for example, have long regarded their executive clubs as marketing databases in themselves. Most airlines pitch their first-class passengers everything from limousine rentals to bargains on luxury suites. Now, such cross-marketing is forbidden without the customer's formal consent. Of course, airlines can still get the information they need - if they can afford the expense.

British Airways PLC has been frantically revamping its software to ask questions the right way. Now, the company explains why it is asking for birth dates (to distinguish one John Smith from another) and nationalities (to whisk people through immigration). The next job is to push these standards to BA partners around the world, which may involve rewriting contracts. "We haven't even put a cost on that yet," said BA data-operations executive Ms Tricia Ade.

It may seem ironic that Europe, which is playing catch-up in the entire digital arena, from PCs to e-commerce, has taken the lead in policing data on the internet. However, privacy is a burning issue of the New Economy and one that cries out for regulation.
In the worst cases, Eurocrats fear, banks could tap into customers' medical records and base loan approval on their health. They tell of a gay army officer whose sexual orientation made its way into an America Online Inc profile and led to his dismissal.

The question is whether together, Europe's regulators and America's free marketeers can devise a scheme to patrol the net without dragging it down.

AUSTRALIAN FINANCIAL REVIEW 24/11/1998 P16