10 October 2003

The Wall Street Journal, October 10, 2003

Europe's New High-Tech Role: Playing Privacy Cop to World

U.S. Firms Run Afoul Of EU Laws on Sharing And Collection of Data


BERLIN -- Last year General Motors Corp. set out to update its electronic company phone book, so that with a few keystrokes its engineers in, say, Taiwan could look up colleagues in Germany. But an unanticipated problem came in the way: Europe's strict privacy laws.

Employee office phone numbers were their "personal" information, European authorities said. Bob Rothman, the car maker's chief privacy officer, knew what that meant: sending numbers outside the EU would require months of legal work through GM's global operations -- or the company would be risking a criminal offense in some European countries. Not even GM's U.S. headquarters could know the phone numbers, if the company didn't take some measures first.

"They were very sympathetic," Mr. Rothman said of Europe's privacy watchdogs, but they didn't budge, and GM spent about six months amassing piles of legal documentation and other paperwork before it could finish the project. "We spent a lot of money, and a lot of time, and a lot of effort."

While the U.S. has opposed comprehensive regulations to protect citizens' privacy, Europe has plowed ahead with the world's toughest set of rules governing how companies and governments may deal with personal data, such as one's age, marital status, buying patterns -- even the information on a standard business card. And as GM's experience shows, those rules are increasingly shaping the way businesses operate around the globe.

Since establishing its privacy rules eight years ago, an increasingly self-assured European Union has exported the privacy standards to other countries with similar values. Despite outcries from the U.S., EU-inspired laws are now the norm in Canada, South America, Australia, New Zealand and parts of Asia.


European privacy laws regulate how companies transmit personal information to countries the EU says lack "adequate" privacy laws, including the U.S. Some restrictions include:

Limits on the amount of information companies can collect.

Curbs on a company's ability to share personal data with marketers or even its own affiliates.

Allowances for individuals to see and correct their information.

Requirements for companies to erase personal data after a short time.

The debate over privacy protection is another sign of the EU's growing influence as a trading bloc and its emergence as a regulatory superpower. In recent years, Europe has flexed its muscle in mergers, nixing the proposed marriage of General Electric Co. and Honeywell International Inc. In agriculture, Europe's concerns about the potential risks of genetically modified food have held up crop planning around the world.

Privacy rules attract less attention than these flashpoint issues but their impact can be just as great. JetBlue Airways recently acknowledged that it provided a Pentagon contractor with information on more than a million passengers, causing an outcry in the U.S. In Europe, the action wouldn't have just been bad public relations; it would have been illegal. In Spain, where data-protection laws are particularly stiff, fines for such an action can reach $500,000.

EU laws require retailers to ask permission to collect data, trade it to partners, sell it, or even use it for their own marketing -- all common practices in the U.S. In addition, companies in Europe are obliged to let people see their data and correct it if it is wrong. The law restricts how much information companies can collect on customers and employees and how long they can keep it. The rules cover more than files and statistics: Even video surveillance tapes must be erased after a short time.

The U.S. regulates privacy in only a few sensitive areas, such as medical and financial records. And while European countries established independent government privacy agencies to actively enforce their rules, U.S. laws grant similar authority in only a few industries. Most companies are left to set their own standards, so long as they don't harm their customers. An Iowa State University law professor, Peter Swire, served two years as a privacy czar of sorts for the Clinton administration. President Bush dissolved the post on taking office. The Sept. 11, 2001, terrorist attacks have further weakened Washington's will to protect data. Through new laws and new offices, Washington now has more unfettered access to citizens' data than ever before. The government's top privacy officer is an adviser for the Department of Homeland Security.

American antiterrorism measures increasingly clash with European privacy laws. Those laws, for instance, don't allow airlines flying from Europe to release passenger names and other information that American customs authorities are demanding prior to a flight's arrival on U.S. soil. So far, European authorities are looking the other way as airlines provide the details, such as itineraries, credit-card information and dietary preferences. If airlines refuse to cooperate, they face stiff fines and even the loss of U.S. landing rights.

Fundamental Differences

Fundamental philosophical differences separate the U.S. and European approaches. Europe has defined privacy as a human right, while in the U.S. data-protection laws can quickly run afoul of free-speech protections enshrined in the Constitution. The dichotomy is most apparent in direct marketing. Europe's privacy laws essentially force businesses to get permission before they make telemarketing calls to their customers. In the U.S., a federal court in Denver recently blocked a national do-not-call registry from taking full effect this month, saying it violates a company's First Amendment rights. An appeals court put that ruling on temporary hold Tuesday, letting the registry proceed until the court makes a final ruling.

The U.S. was once in the forefront on data-protection laws. In 1974, Congress passed the Privacy Act, one of the world's first laws limiting the government's ability to collect, keep, use and disseminate personal information on citizens. In the next few decades Congress adopted piecemeal laws in response to crises. During congressional hearings to confirm Judge Robert Bork's nomination to the Supreme Court in 1987, his videotape-rental records became public. Congressional leaders acted swiftly, barring video stores from divulging their records. (The law has not been updated to mention DVDs, though some legal scholars suggest the law would still apply). A law protecting drivers' records came after an obsessed fan killed actress Rebecca Schaeffer, tracking her down with motor-vehicle records.

"We were the original leaders on privacy," says Alan F. Westin, a retired professor of public law and government at Columbia University who helped draft the landmark 1974 law and now publishes an industry newsletter, Privacy & American Business. "But Europeans would tell you that, as they see it, we went to sleep and they moved ahead."

The U.S.'s patchwork of laws crippled its chances of setting the pace for the globe, said Mr. Westin. The EU, by contrast, offers an all-encompassing system for data protection. Argentina and Chile copied Spain's laws, some of the stiffest in Europe, and the laws as drafted in Spanish are now sweeping through South America, aided by a common language.

Europe's efforts stem primarily from Germany, where Nazi officials pioneered the use of data-sorting machines in their efforts to identify people with Jewish ancestry. Memories of that horrific past helped spur the state of Hessen to pass the world's first comprehensive data-protection rules in 1970. In the decade that followed, Germany used data profiling to hunt down left-wing terrorists, monitoring people's electricity use, for example, to find safehouses.

Though the efforts were successful, the public's fear of a return to widespread government surveillance resulted in another backlash, and more data protection laws followed. Soon every German state had at least one privacy agency to make sure that governments and companies respected data on citizens. By 1995, Germany and a few other European countries with similar laws persuaded the European Commission to adopt a strict directive, requiring all EU countries to get in line -- a process that is now nearly done. The EU expands next year from 15 to 25 countries, making it the world's largest trading bloc.

The rules are so broad that global companies assign dozens, and in some cases hundreds, of employees to deal with them, enacting far-reaching policies and restructuring entire databases. This has helped spur the creation of a new breed of executive such as GM's Mr. Rothman: the chief privacy officer. Virtually unheard of just five years ago, privacy officers have quickly become a fixture, with hundreds of them in the U.S. About 40% of top 500 global financial services companies have one, according to a survey of 78 companies released this year by Deloitte Touche LLP. A cottage industry has sprung up to help guide companies into compliance with rules. Lawyers are specializing in the field, and consultants in Brussels advertise seminars on data protection.

Global Privacy Center

When GM first encountered the emerging privacy laws, it dealt with them as they arose, with GM offices in each country taking whatever steps they saw fit to adapt to local legislation. But as the laws multiplied, GM last year created a global privacy center, assigning Mr. Rothman to lead it. He now coordinates nearly 100 people with at least part-time privacy duties in GM offices around the world. The car maker also has a variety of special privacy councils focused on specific issues such as human resources and marketing.

Mr. Rothman was already familiar with the EU's rules but doubted they would apply to something as innocuous as a company's internal phone book. One important clause makes it illegal to transfer any personal information to countries with "inadequate" laws -- including the U.S. So to be safe, Mr. Rothman's office contacted a few European countries to make sure it could export GM's office telephone numbers to a U.S. computer server and make them available to staff around the world. It couldn't.

So how does a U.S. company move data outside Europe? One option is to adopt Safe Harbor rules negotiated by the U.S. Department of Commerce. Under the program, U.S. companies essentially promise to handle European data by Europe's standards outside the EU. Some 394 U.S. companies have signed up to handle at least part of their records that way. EU privacy authorities say it's one of several ways aimed at helping foreign companies move data internationally and avoiding harm to commerce.

At GM, exporting the phone numbers via the Safe Harbor program meant spending several months mapping where the phone book might be used and by whom. Mr. Rothman's staff then notified the car maker's European employees that their office numbers would be sent to headquarters, and following European practice, offered them a third-party mediator if they objected (nobody did). Finally, the company pressed 200 of its affiliates around the world to sign contracts, vowing not to misuse the phone numbers -- by, say, selling them to telemarketers. "Can you imagine having to have 200 entities sign one contract?" said Mr. Rothman. His office set up a special Web site to coordinate the project.

Many of the largest U.S. companies are searching for simpler solutions. Some have adopted global, one-size-fits-all approaches, usually based on the EU's model. Procter & Gamble Co. and DuPont Co. have announced such policies in recent years. "That tends to be the gold standard nowadays," said DuPont's corporate counsel, Donald A. Cohn. The company is collecting consent forms from all its employees -- even in countries where it's not required -- and is asking all its affiliates to sign contracts vowing not to abuse the information. When it's done, DuPont says it will be prepared to move data easily in any country that adopts EU-style laws. A P&G spokeswoman says its global policy is based on the European system and already brings its use of phone numbers in compliance with EU laws.

A few years ago, GE launched an effort like GM's so its phone book could pass EU muster. Since then, it has applied EU-like standards for its employee data around the world, says Ivan Fong, GE's CPO.

IMS Health Inc., which collects and then sells information on pharmaceutical usage, gathers data from some 29,000 sources in more than 100 countries. The company employs four chief privacy officers and hundreds of employees helping it keep up with privacy regulations, and it consults with lawmakers to shape bills, says chairman and chief executive David M. Thomas.

Among companies' chief complaints are costs, though numbers remain elusive. It can take a company years to enact major and minor changes in all its operations, say chief privacy officers. "It's not unlike the environmental measures of 30 or 40 years ago," said GE's Mr. Fong. "It's so new that companies don't know how to measure the costs."

Write to David Scheer at david.scheer@dowjones.com

Updated October 10, 2003