Congress fears European privacy standards

The European Union is moving forward with strict new protections for personal data on the Internet, but some on Capitol Hill fear the rules may grind e-commerce to a halt.

4 min read
WASHINGTON--Members of Congress on Thursday sharply criticized European privacy laws, saying they will have global effects and will likely harm U.S. companies seeking to do business online.

Eleven of 15 European Union member states have implemented a Data Protection Directive, passed by the EU in 1995, that promises Europeans wide privacy protections, including requiring Web sites to only collect and use a Web surfer's personal information if that surfer explicitly gives the site permission. But at a House Commerce Trade Subcommittee hearing Thursday, many members and witnesses pointed out that the ramifications of such a directive go far beyond Europe.

The directive "certainly is an effort to impose the EU's will on the U.S.," said House Commerce Committee Chairman Billy Tauzin, R-La. "I am very concerned that U.S. companies, which have been the creators and the leaders of e-commerce, will be forced to deal with such a restrictive concept."

He estimated that the cost of the directive "would be in the multibillions, and all are costs that will be passed onto consumers."

Subcommittee Chairman Cliff Stearns, R-Fla., called on President Bush to take up the matter with the EU quickly before its fifteen member states draft and implement laws based on the directive.

EU on the defensive
Stefano Rodota, Italian privacy commissioner and chairman of the EU Data Protection Working Party, told the subcommittee that Europe is merely trying to protect a fundamental right and a concept that the United States invented: privacy.

The directive "aims at protecting fundamental rights and freedoms," Rodota said, noting that the Charter of Fundamental Rights of the European Union contains one article calling for "respect for private and family life" and another stating that "everyone has the right to the protection of personal data concerning him or her."

Louisiana's Tauzin focused on the cultural differences between the United States and Europe, agreeing that "Europeans are instilled with the belief that privacy is a fundamental right," while "in the U.S., we take a different approach toward privacy (that largely relies) heavily on the private sector to protect consumer privacy."

To Rodota, however, "the European and U.S. systems are not mutually opposed or absolutely irreconcilable." He cited, among other things, a safe harbor that was created for U.S. companies wishing to conduct e-commerce in Europe, an arrangement negotiated by the Clinton administration.

Is the safe harbor mined?
Privacy attorney Jonathan Winer noted that the only companies to join the safe harbor so far have been companies such as Hewlett-Packard and Dun & Bradstreet "who have comparatively limited needs for processing personal information."

"The tiny number of companies signing up for the safe harbor indicates that the vast preponderance of all U.S. companies remain subject to being treated by the EU as having inadequate protection of privacy," Winer said. "If the U.S. is not vigilant, (the European privacy laws) potentially place at risk U.S. competitiveness, U.S. trade and fundamental U.S. values, including protected rights under the First Amendment."

Tauzin questioned whether the safe harbor provisions were even legal, calling them "nonsense." Florida's Stearns added, "I am not convinced, nor is Corporate America, that the safe harbor provisions negotiated in the last administration will help mitigate the concern" over the potential cost of the EU directive.

Ambassador David Aaron, the Commerce Department official who negotiated the safe harbor provision last year, said it has prevented a far worse situation, however.

"The essence of that deal was that we accepted high standards (for privacy) and they accepted self-regulation" by U.S. companies, Aaron said. "Any federal standard should rely to the extent possible on self-regulation."

He also noted the advantage to a company of only having to deal with privacy policies for one united Europe rather than 15 separate countries.

What next?
Tauzin said he fears "the EU privacy directive may act as a de facto privacy standard on the world."

"The EU privacy directive," he said, "could be the imposition of one of the largest free trade barriers ever seen."

The easiest way for the Congress to prevent that, said Fordham University law professor Joel Reidenberg, would be to enact privacy legislation of its own.

"The U.S. is rapidly on the path to becoming the world's leading privacy rogue nation," Reidenberg said. "Congress needs to act to establish a basic set of legal protections for privacy" that balance privacy and the commercial world's need for information.

Members of both parties in the House and Senate have vowed to pass privacy legislation this year, but many obstacles have surfaced that will make such an effort difficult.