(Editor's Note: Privacy is an issue that is rapidly rising to the forefront of information industry concerns. Business credit information is easily available online, and other kinds of public, personal information are not difficult to obtain. DATABASE published an article on the topic, "For the Record: Information on Individuals," by Nora Paul in the April 1991 issue. An editorial in the same issue also addressed privacy concerns. This article discusses privacy issues emanating from the European Community's effort to address the topic, as well as other concerns arising from electronic information media and distribution.--NG)
Draft directives proposed as part of the European Community's 1992 effort have the potential to limit seriously the ability of European and U.S. online database companies to distribute information in Europe, and to collect and process information. In addition to this dramatic action, several other events have focused a spotlight on the issue of privacy in relation to the electronic collection and distribution of information. These events include the:
* Much publicized withdrawal of Lotus and Equifax from marketing CD-ROM products providing consumer and business credit information.
* Involvement of companies such as Epson America and Nissan Motor in litigation over the confidentiality of electronic mail messages between employees.
* Debate, sparked by the caller ID feature that displays the telephone number of the person calling, on the ultimate right to privacy of the caller or the person being called.
These events raise important questions about the nature and control of personal data in the U.S. and other countries, both at home and at work. U.S. laws contain important safeguards regarding personal privacy, with judicial remedies. In some other Western countries, however, concern over centralized government files on individuals has been instrumental in the enactment of more stringent laws impacting both the underlying telecommunications infrastructure, and the services making use of that infrastructure.
Almost eight out of ten (79%) U.S. citizens have concerns about privacy in the computer age. According to an opinion poll conducted by Louis Harris and Associates, Inc. for Equifax in 1990, they believe that privacy ranks with "life, liberty and the pursuit of happiness" as a fundamental right. Just under half (45%) of the 2,254 consumers that were part of the poll agreed with the statement that "technology has almost gotten out of control," while almost three-quarters (71%) feel they have lost all control over how personal information about them is circulated and used by business.
European activism in this area underscores the importance of adopting U.S. standards on privacy protection. Current U.S. federal and state action in this area is best described as a patchwork of legislation and guidelines that address the consumer's right to privacy. It will become increasingly essential for the U.S. to go on record with uniform guidelines given the international activity underway, and the obvious concern by U.S. citizens regarding privacy protection.
Privacy protection might take the form of self-policed industry guidelines or formal national legislation. Representative Robert Wise (Democrat, West Virginia) reintroduced a bill in early 1991 to create a Federal Data Protection Board to act as a "watch dog." Nothing happened to the bill, but the issues it addresses will not disappear. In addition to the activity underway in the U.S. and the EC, the Council of Europe, the OECD, and the United Nations are all addressing the privacy issue.
When asked about the situation, a senior executive at Dun & Bradstreet responded with these comments:
I think that the industry should work with the government on this matter. In order to be credible in Europe we can't allow the Europeans to say, "Go away. You're abusing the system in America, you do not even have any guidelines." You have to show that you are good citizens before you tell other people what to do. I think the industry should take it into their own hands. If not, I know the government will. An ever-increasing influx of European data protection experts are visiting the U.S. And I imagine they go home and say, "Aren't we lucky we did this, because America is the land of abuse."
EUROPEAN PRIVACY INITIATIVES
Current European privacy initiatives are contained in a set of proposed European Community (EC) Council Directives introduced in the second half of 1990. The first of these provides a framework for the protection of personal data. The second deals specifically with personal data protection in the telecommunications industry.
The point of specific concern to U.S. companies in these directives is a provision that EC member states cannot transfer personal data to a third country (e.g., the U.S.) unless that country ensures an adequate level of protection.
While the U.S. federal and state governments have some privacy legislation, an all-encompassing approach like that being proposed in Europe does not exist. The U.S. Privacy Act of 1974 covers records about individuals in the federal sector, including personal information held by federal contractors. In addition, many states have passed privacy laws covering state records.
Additional fair information practice obligations are placed on federal agencies and certain elements of the private sector with regard to personal information, through legislation such as the Fair Credit Reporting Act, the Family Education Rights and Privacy Act of 1974, the Video Protection Act of 1988, and the Computer Matching and Privacy Protection Act of 1988.
Nonetheless, current formal U.S. safeguards do not measure up to the requirements for privacy protection specified in the current draft of the EC data protection/privacy directive.
PERSONAL DATA PROTECTION DIRECTIVE
Currently there is considerable variation in the levels of personal data protection in Europe because each country has its own laws, regulations and administrative provisions. The proposed EC directive was developed "to remove the obstacles to flows of personal data, since the level of protection of privacy in relation to the processing of such data must be equivalent in all the member states. . . and ensure a high level of protection in the Community."
The proposed directives define an obligation to inform the data subject according to these guidelines:
...at the time of first communication, or of the affording of an opportunity for on-line consultation, the controller of the file shall inform the data subject accordingly, indicating also the purpose of the file, the types of data stored therein and his name and address. In addition, the controller of the file is also required to notify the supervisory authority of the member state in which file is located. If the data subject objects to communication or any other processing, the controller of the file shall cease the processing objected to unless he is authorized by law to carry it out.
Another provision of the proposed directive requires that:
The member states shall grant a data subject the following rights...not to be subject to an administrative or private decision involving an assessment of his conduct which has as its sole basis the automatic processing of personal data defining his profile or personality.
This provision is open to a broad range of interpretations. It could be interpreted as limiting all forms of demographic profiling, or at a minimum, as restricting direct marketing list preparation.
IMPACT ON THE ONLINE INDUSTRY
The provision requiring notification of data subjects could have far reaching implications for the online database industry from a number of points of view, impinging on the:
* preparation of print or electronic databases containing personal names, including bibliographies, abstracts, and full text articles
* marketing files containing personal details, such as title, address, and demographic information
* personnel records on employees
The only case in which the obligation to inform the data subject is not mandatory is "if the data come from sources generally accessible to the public and their processing is intended solely for correspondence purposes."
Some European companies in the online industry do not think they will be affected. Peter Jenkins of Data-Star commented that:
[The directive] won't make much difference. What has been proposed is quite impractical. We are a long way from that, none of the databases will be impacted. In any event, since we act as the vendor of the databases it is a non-event. The producers are responsible for staying within the law.
The limitations to transferring personal data to third countries have potentially catastrophic ramifications for the U.S. online database, direct mail, and demographic industries. The proposed directive states that if the third country (e.g., the U.S.) does not have an adequate level of protection as defined by existing international communities or domestic law, it may obtain the required information only by entering into negotiations with an advisory committee of the Commission. These negotiations require that the third-country petitioner provide sufficient proof that an adequate level of protection will be provided when the data are exported.
If current disregard for legal requirements in this area is any indication, many companies may be planning to ignore the stringent requirements if they come into effect. The May 1991 issue of The Economist states:
For the past five years British law has required that anybody who wants to hold personal data on a computer should register those data with a small and overworked body called the Data Registrar. Not surprisingly, many--if not most--small businessmen have chosen to ignore data registration.
STATUS OF THE DATA PROTECTION DIRECTIVE
The proposed Data Protection directive hit the public by storm, since it was released without debate or prepublication of a Green Paper discussing the objectives and options under consideration.
The directive is scheduled for introduction by January 1993, but a number of hurdles must first be overcome. An EC spokesperson stated, "We are at an early state, and it is not a public stage."
The European Parliament is now reviewing the document, and will come out with a first opinion. Then the EC Commission must evaluate it, and the Council formally conduct a first reading. The document must then be reviewed a second time in turn by the Parliament, the Commission and the Council.
Since the directive was first released, several companies and trade associations have come out against the proposed language, from industries such as direct marketing and credit.
TELECOMMUNICATIONS PRIVACY DIRECTIVE
The EC's telecommunications privacy directive proposal was prepared in parallel with the proposal put forward by the Commission to establish a general framework for data protection. It was specifically prepared to address the concerns arising from the impact of digital networks on personal data and privacy.
The content of the proposed directive addresses in particular: the collection, storage, and processing of personal data in subscriber files; the storage and processing of traffic and billing data, in particular for the purpose of itemized call statements; the problem of calling line identification; access by third parties; unsolicited calls; and procedures for establishing specific technical standards.
The proposal attempts to protect the subscriber using two basic principles:
* minimizing the risk of abuse by limiting the data processed and stored
* ensuring the subscribers' rights to access and edit the personal information contained in their files
U.S. CALLER ID SAFEGUARDS
Activity is underway in the U.S. along the lines of the European Community telecommunications privacy directive. New York is the first state to establish guidelines for telephone companies in evaluating the impact of a new service on consumer privacy.
The New York Public Service Commission (PSC) adopted eight telecommunications privacy principles that provide a framework for protecting the privacy of consumers when new services are offered over the public telephone network.
In line with these guidelines, the New York PSC rejected proposals by Rochester Telephone Company and New York Telephone Company to offer caller ID service, a feature that automatically displays the calling party's telephone number on a small display screen to the person or business being called. The proposals were rejected because they only included per call blocking.
The Commission stipulated that both per call and per line blocking should be offered to consumers. Per line blocking allows customers to have their telephone number withheld on all calls unless they dial a code, whereas per call blocking enables callers to withhold their telephone number by adding a special code when dialing each call.
One of eight principles articulated by the New York PSC states that "People should be permitted to choose among various degrees of privacy protection, with respect to both the outflow of information about themselves and the receipt of incoming intrusions."
Other states that require both per call and per line blocking are Indiana, Alabama and Nevada. California requires free per call blocking and has introduced legislation that would require per line blocking as well.
ELECTRONIC MAIL PRIVACY CONCERNS
Electronic mail raises a number of security and privacy concerns for individual and business users. Most of the attention has focused on cases where employers have monitored employee messages. In August 1990, a class action suit was filed by a former electronic mail system administrator who had been fired by Epson America Inc. The administrator alleged that the company intercepted messages that violated the privacy of employees. The case was appealed, after it was dismissed in January 1991 by the California courts on the grounds that e-mail is not covered under California's wiretapping law.
Another pending case has been brought against Nissan Motor Corp. by two former employees. They stated that their electronic mail messages, which they believed to be confidential, were seized and used against them.
In another highly publicized case, Prodigy terminated subscribers who sent electronic mail messages throughout Prodigy's network decrying cost increases in the service. This raises questions about the system operator's right to monitor the content of e-mail messages, and to cancel subscribers' access to the service.
While there are no federal laws defining the rights of electronic mail users, the topic has been discussed. The Senate subcommittee on technology headed by Sen. Patrick Leahy (D-VT) has a task force investigating electronic mail and other technology issues such as caller ID. Revisions to the Electronic Communications Privacy Act are being considered.
LOTUS MARKETPLACE WITHDRAWAL
Lotus Marketplace: Households, a CD-ROM software package designed for small business users, was scrapped because of privacy concerns. The household product, which allowed customers to order 5,000 consumer names at once from Lotus for use with targeting software, was criticized by a large number of consumers. Lotus reported that 30,000 consumers asked Lotus to take their names off the lists being used with the Households product after hearing about it in the media.
Although privacy safeguards had been introduced, consumer advocates were not comfortable with the product offering. The various privacy safeguards included:
* purchase restrictions and verification: disks were not to be sold in stores and were to be made available only to a business or nonprofit group with a verifiable address
* individual names would be concealed using encryption techniques, and personal information on credit history, age, telephone number, and exact income would be kept out of the database
* consumers had the option of having their names taken off the list when future editions of the CD-ROM were issued
Despite these safeguards, privacy advocates were concerned about the wide distribution and large audience for this information. Lotus stated that "the decision to cancel came after assessment of public concerns and substantial, unexpected additional costs required to fully address consumer privacy issues."
SELF-REGULATION VERSUS LEGISLATION
As the Lotus example illustrates, educating the general public about privacy protection safeguards and correctly estimating the "privacy overhead" of information products will be increasingly important in the years ahead.
With the extraordinary strides being made in digitizing the telecommunication infrastructure and the increased accessibility of personal information through online databases and CD-ROM, it is time for the U.S. information providers and online database compilers, including the direct mail and financial services industries, to take action. Corporate and industry guidelines on privacy must be developed to preempt the need for U.S. legislation or the introduction of foreign embargoes.
European Community, Proposal for a Council Directive Concerning the Protection of Individuals in Relation to the Processing of Personal Data. COM  314 September 13, 1990.
European Community, Draft Proposal for a Council Directive Concerning the Protection of Personal Data and Privacy in the Context of Public Digital Telecommunications Networks, in particular the Integrated Services Digital Network (ISDN) and Public Digital Mobile Networks.
Communications to the author should be addressed to Paige Amidon, Partner, Amidon/Litman, 1462 Stephanie Drive, North Caldwell, NJ 07006; 201/812-3888.…