Privacy War: The Europe-U.S.Struggle Over Consumer Data

To understand what's at stake in the European Union's critical and tangled dispute with the United States over privacy, look no further than Daimler-Chrysler AG.

The giant automaker — the model of the modern multicultural multinational, with one foot planted in Stuttgart and the other in Detroit — deals with an ongoing absurdity. Although the 1998 Daimler-Benz purchase of Chrysler for $37 billion was aimed in no small part at driving international recognition and sales for the combined company's portfolio of brands, information collected about E.U. customers by the Daimler division (e.g., the demographics of specific Mercedes-Benz car buyers) is generally kept from the Chrysler wing, which might be on the prowl for, say, wealthy German families of four who might be in the market for a Jeep Cherokee. Untold millions of dollars in annual revenue are lost at the iron wall that halts the data flow between the two parts of the company. 

Under a 1998 E.U. directive, organizations in countries that don't match the Union's privacy standards are in most cases prohibited from receiving almost all identification and behavioral data about E.U. constituents. With virtually no data protection regulations, the U.S. is one such offender. While the E.U. and the U.S. seek an agreement, DaimlerChrysler is cautiously sticking close to the letter of the law.

Other U.S. companies echo DaimlerChrysler's approach. Levi Strauss & Co.'s European headquarters in Brussels deletes consumer-identifying information from e-mail before passing it to the marketing unit in the same building. E-commerce pioneers Amazon.com and eBay have set up Web sites in some European countries that are completely distinct from their American businesses, in part to keep data in the two continents separate. And to sidestep potential prosecution, online advertising company DoubleClick Inc., buffeted by privacy concerns in the U.S., doesn't use information-tracking software — so-called cookies — in Europe.

"Merging two distinct work cultures is difficult enough," says a German DaimlerChrysler executive involved in the company's privacy initiatives. "But what is perhaps most surprising is the different effort and attitude among the Germans and the Americans in this company when it comes to the importance of protecting customer information from being misused or customer privacy from being invaded."

Disdain for the American view of confidentiality sums up the position of much of the E.U., whose 15 countries, by and large, have had stringent privacy laws since the end of World War II, with especially rigorous rules in Germany, France, and the United Kingdom. This has led to an intractable distance between the E.U. and the U.S. on privacy-protection issues, punctuated by marathon, ongoing negotiations over the 1998 directive that have shown how pronounced the attitudinal and policy differences are between the two regions.

Despite the deep rift, no one on either side of the Atlantic wants this dispute to drag on. There's too much at risk. Even before the rise of the Internet, U.S. companies, especially in consumer-oriented service and retail sectors, viewed data mining and database marketing as an essential part of their business models and revenue streams. With the Net, such strategies are even more vital.

An Information Trade War?

As necessary as the free flow of information is in today's e-commerce environment, a fair and sensible settlement of the E.U.-U.S. privacy rift will have a huge effect on the ability of U.S. multinationals not only to do business in the E.U., but also to compete against local companies. Equally important, it could determine the strategies of startups and established companies for cross-border e-commerce ventures. And without a resolution, e-commerce could be rendered less global than expected.

Europeans also have a lot to lose from a protracted privacy skirmish with the U.S. Vulnerable to the criticism that overregulation hinders the growth of European companies and markets, the E.U. could unintentionally build a wall around itself with unyielding data-protection rules that impede its own companies from doing business in critical markets like North America. Conversely, with reasonable standards in place, E.U. companies would be well positioned to expand into new markets without violating laws — potentially an advantage.

During the privacy-pact negotiations, the E.U. has agreed to hold off on fully enforcing its directive against the U.S., although many companies are nevertheless abiding by its stipulations. But without a final accord soon, U.S. Department of Commerce (DOC) officials expect European data authorities will begin to check randomly on U.S. companies doing business in Europe, arbitrarily sifting through their databases and network logs to ensure that information isn't being imported into the U.S.

The result could be a trade war over information. "It would have a chilling effect on the ability of U.S. companies to either set up operations in Europe or get involved in ventures with European companies," says a DOC international specialist who has been involved in the talks between the E.U. and the U.S. "No one would want to do business with a company that may be being watched by the government or whose database could end up being paraded in court."

The outcome of the struggle over electronic privacy between the E.U. and the U.S. will hinge on which side blinks first on a range of entrenched political, cultural, and technological issues that have never before had to be addressed. But even beyond the immediate argument over data protection, there's a much more important signal emerging from this imbroglio: The American technology model is being forced for the first time to give way to a less U.S.-centric system, one that's sensitive to other regions' values and ideals.

In other words, the World Wide Web, which matured in the U.S., appears to be about to outgrow its provincialism and live up to its name.

The U.S. Safe Harbor Approach

Alone among Western nations, the U.S. has no federal agency focused on protecting privacy. Unlike much of the rest of the world, the U.S. provides no federal protection for bank account and asset records, medical and personnel files, credit card bills, and telephone records. While the Fair Credit Reporting Act gives consumers the right to access and fix inaccurate financial records, marketers, retailers, airlines, automakers, and consumer products corporations are given virtually free rein to dice and dissect all manner of information, obtained from any number of sources, including credit bureaus and demographic data-bankers, and to reuse and resell it as many times as they want, without ever notifying individuals. Virtually the only privacy laws that exist in the U.S. for the commercial sector involve cable TV and video-store records.

By the time the E.U. directive was issued in 1998, the U.S. was already the dominant marketplace for e-commerce. Pure Web-plays and bricks-and-clicks firms saw a prime revenue opportunity in selling consumer information gathered on the Web. More established multinationals, especially financial services firms, viewed their reams of customer data, and their proprietary ways to analyze it, as central to marketing campaigns and competitive strategies.

The "privacy gap" between Europe and the U.S. — and the E.U. directive that turned a spotlight on it — threatens to stymie the success of U.S. companies across the Atlantic. It also endangers Europe's participation in e-commerce. So as soon as the directive passed, meetings were arranged between the E.U.'s internal market and financial services committee and the U.S. DOC.

"Europe was in a tough spot from the start of the negotiations with the U.S.," says a lobbyist with an American industry trade group that was involved in the talks. "The U.S. side knew that the E.U. wasn't in an isolationist mood and really couldn't swear off involvement with America either through multinationals or the Web. Essentially, the E.U. as a body, although maybe not the member nations as individuals, wanted an agreement with the U.S., and quickly."

By March of this year, an accord had been hammered out that was heavy on self-regulation, the U.S.'s preferred approach. Its key component is a so-called Safe Harbor principle. This exempts U.S. companies, if they certify to the Commerce Department or to a European data-protection authority that they will follow the regulations of the E.U. directive, from being sued by E.U. citizens for privacy infringement. Companies that break their word would be guilty of deceptive business practices and subject to prosecution by the Federal Trade Commission and other U.S. authorities.

The two sides trumpeted the arrangement as a well-wrought compromise, but the enthusiasm immediately waned. On March 30 the E.U. body responsible for the implementation of the directive rejected the accord, saying there were too many unanswered questions. Even if the agreement is approved this summer in the next round of discussions, it will probably be reopened again before the end of next year, people close to the negotiations say, making it likely that the accord itself will be short-lived.

"I question whether member states will let the E.U. decide on anything but the highest standards for privacy," says Lilliana Biukovic, adjunct professor of European Union law at the University of British Columbia, Vancouver. "They have not been flexible on this."

In fact, member states' resistance to the compromise goes even deeper. As a simmering undercurrent to the privacy discussions, the U.S.'s stubborn stance against exporting strong encryption software unless American security agencies are allowed access to the keys has added to worries in Europe that some U.S. companies are using data surveillance technology for industrial espionage, giving them an unfair advantage in bidding for lucrative industrial and defense contracts. That possibility — and some Europeans believe there is evidence to support it — has made E.U. member governments even more antagonistic to giving in to the U.S. on any data protection issue.

Reprint No. 00305