The Next Big One, Maybe

Article excerpt

The issue of data privacy has arrived on the banks of the Potomac River and American CEOs better put it near the top of their "To Do," lists. That, at least, was the consensus of the 375 Internet activists, international politicians and bureaucrats, political operatives, and representatives from corporate America who convened at a Privacy Summit in Washington, D.C., in mid-September. "No matter what business you're in, you're handling personal information of employees, if not customers," said Evan Hendricks, editor and publisher of Privacy Times. "There's no escaping privacy."

There was certainly no escape from the issue on Capitol Hill. More than 25o bills touching on privacy were introduced in the io6th Congress and hundreds more were introduced in state legislatures across America. Congress has passed targeted privacy legislation, the Children's Online Privacy Act in 1998 and the Gramm-Leach-- Bliley Act in 1999, the financial modernization bill that had a privacy component. Even absent a federal privacy law, the Federal Trade Commission issued general privacy principles and stepped up its enforcement in the area, punishing companies that fail to live up to posted privacy policies.

The issue has even emerged in the presidential race. Governor George W. Bush's campaign says he won't rule out more restrictive privacy laws. Vice President At Gore has promised them. "You have a fundamental right to privacy and no powerful interests should be able to sell it or take it away," Gore told an L.A. audience September 19th.

What to expect

In the early 1990s, privacy issues generally centered on fears of government invasion of (con't p. 57) privacy, notes Washington correspondent Declan McCullagh. There were contentious debates over the clipper chip, online wire tapping, and encryption. Today, the focus has shifted to private use of data, prompted by the European Union's 1998 Data Protection Directive that threatened to deny access to the European Market to companies that didn't comply with strict privacy guidelines. The advent of e-commerce gave rise to further concern, with consumers asked to give information ranging from their credit card numbers to the number of pets they own to the goods they've purchased online. Sometimes business leaders didn't help, uttering statements like Sun Microsystems CEO Scott McNealy's now-infamous, "You already have zero privacy-get over it," said at a product launch in January 1999.

In one sense, the emerging battle is a clash of cultures: Online vs. off-- line. European vs. American. Off-line companies have long been collecting, analyzing, and selling consumer data, from magazine subscription lists to credit reports, without much complaint. The results? Unsolicited mail, catalogs, and telephone sales-but also easy credit, customized marketing, and cheaper products. Such collection and marketing tactics didn't settle well with the hypersensitive Web culture, whose denizens were already highly suspect of the commercialization of their playground.

And then there's the international aspect. Freedom of speech is a fundamental American value, one that our laws and practices reflect. Personal privacy is a fundamental European value. The two views are incompatible. Data are almost always generated in a two-party transaction. The U.S. default is that either party can make use of the information, unless prohibited from doing so by a specific law. The European default-- and increasingly the rest of the Western world's-is that the consumer owns the information and has an enforceable right that it not be used.

The EU directive, and laws in Canada, Hong Kong, New Zealand, and one pending in Australia are all based on a set of Fair Information Practices and OECD privacy principles. In brief, the principles include individual knowledge that data is being collected, the individual right to inspect and correct inaccurate data, that use of data be limited to the purpose for which it was collected, and that it's kept secure. …