Pushed by supporters as a model for the U.S., Europe's tough Internet privacy regulations have come under fire--from surprising sources.
The recent European Union-sponsored Data Protection Conference on privacy heard reports from businesses, media outlets, trade unions and four EU nations that demonstrated why the United States should not follow Europe's pro-regulation path in protecting Internet privacy.
Ever since the EU's data protection directive took effect in 1998, pro-regulation privacy advocates have been trying to convince the United States and the rest of the world to adopt the European model. Under the directive, e-mail addresses and other personal data can be disclosed or transferred to third parties only with the individual's explicit consent. Now that the model has been operational for a few years, the excessive costs of strong privacy regulations are apparent, but privacy worries remain high. This has led to criticism from some unexpected places.
Indeed, it came as a surprise when Austria, Finland, Sweden, and the United Kingdom--countries not generally critical of government intervention--told the European Commission (EC) that there needs to be "a better balance" between individual privacy and the free flow of information.
These countries highlighted many problems with the directive, including "complex and burdensome" procedural requirements and "resource-intensive" consumer data access rules that add "little to the protection of individuals' rights." The European Publishers' Council (EPC), a group of media organizations, agreed.
"It is not uncommon for data access requests to involve two-to-five days' work of several people," the EPC said, adding that in some cases the request is "a fishing exercise to establish whether any claim for damages might be assembled."
Conference organizers received numerous submissions detailing the undue costs to consumers and businesses of strict privacy regulations. These include the cost of having to notify someone when their business card information is entered into a database or, as the Information Security Forum intoned, the high fees for the new bureaucratic "empire of advisors" on privacy matters. But perhaps the most significant costs affecting everyone are the barriers to trade that Europe's regulations create.
Strong privacy rules restrict freedom of expression because they restrict the communication of facts--and the EU is learning firsthand what that means.
For instance, the German industry group Bundesverband der Deutschen Industrie explained
that "procedures for the transfer of personal data to both EU and non-EU countries often cause too much effort" and "business transactions occasionally break down because of the high requirements placed on this transfer in both cases."
U.S. firms have long complained of these problems, but now that EU organizations and the governments of Austria, Finland, Sweden and the U.K. are weighing in, perhaps the European Council will listen.
It's important to realize that regulation-induced trade barriers exist even as companies make strong efforts to meet privacy requirements. And as the German group mentions, it's a problem within the EU market too. That's unfortunate because one of the purposes of the directive was to harmonize European privacy laws. Instead, the patchwork of legislation seems to have grown, even upsetting trade unions.
The Statstj?nstemannaf?rbundet (ST), a Swedish union of civil servants, recounted how the directive created difficulties in handling insurance issues for its members. Obtaining "consent" to use member information under the directive is "scarcely feasible," they insisted. The ST also cited serious concerns about freedom of expression.
European consumers are afraid that their personal data will be misused when they buy products or services online.
Strong privacy rules restrict freedom of expression because they restrict the communication of facts--and the EU is learning firsthand what that means. According to the European Newspaper Publishers' Association, "data protection legislation has decreased the flow of information to the public. The police and other public authorities have relied upon the data protection principles as an excuse not to make public information that was previously made publicly available or passed on to the press."
With all these problems and costs, it's becoming clear that mandated privacy protection in Europe isn't satisfying anyone. According to a study last year by the Europe-based Consumers International nonprofit organization, self-regulated U.S. Web sites were better at protecting privacy than their government-regulated European counterparts.
Despite--or maybe because of--EU information rules, many businesses are not complying with the privacy laws. Perhaps that's why a recent EU poll showed that European consumers are afraid that their personal data will be misused when they buy products or services online.
Protecting privacy is important, but information exchange is also a necessary part of a thriving economy and a properly functioning democracy. The lesson that U.S. lawmakers should take from the EU's experience is that overly strict data regulations will waste resources, reduce commerce and suppress freedom of speech while providing few true privacy gains.
Instead, the U.S. should continue to allow consumers to decide their own level of privacy protection by using privacy-protecting technologies and by voting with their wallets. That is the best path to privacy solutions.