The New York Times Week in Review

Europe Zips Lips; U.S. Sells ZIPs

Published: August 7, 2005

If the information is not already missing, 2005 might be recorded in the databanks of history as the year of the consumer privacy breach.

So far, American companies including financial services giants like Bank of America, Citigroup and MasterCard, and national retailers like DSW shoes and Ralph Lauren Polo, have announced data compromises. All told, the personal information of more than 50 million consumers has been lost, stolen and even sold to thieves.

Why is this happening here, and not, say, in Britain, Germany or France? One reason may be that every other Western country has a comprehensive set of national privacy laws and an office of data protection, led by a privacy commissioner.

The United States, by contrast, has a patchwork of state and federal laws and agencies responsible for data protection.

"In Europe, the question has been settled: citizens have strong legal rights," said Joel R. Reidenberg, a Fordham University law professor who is an expert on international data privacy rules. "In the United States, we basically have a mess, and we are still trying to sort it out."

More fundamentally, these two systems for dealing with data arise from a cultural divide over privacy itself. In broad terms, the United States looks at privacy largely as a consumer and an economic issue; in the rest of the developed world, it is regarded as a fundamental right.

In the United States, said Trevor Hughes, executive director of the International Association of Privacy Professionals, debates over the privacy of personal data generally occur piecemeal, when a particular abuse causes harm. "In Europe," Mr. Hughes said, "data is just protected because it is data - information about you."

The telecommunications industry offers a case study in these two perspectives. In the mid-1990's, an unusual alliance here between privacy advocates and national phone companies, which did not want regional carriers to gain an informational advantage, led to restrictions on the commercial use of phone and billing information in the United States. In France, a similar debate in the 1980's caused phone numbers to be kept private in billing documents out of respect for individual rights.

In general, Americans are far more comfortable than Europeans with business handling their information, and far more skeptical of putting it in government hands. The tradition of making government records - like tax records, mortgage information and census data - easily accessible to the public is uniquely American.

This has helped create the world's largest data collection industry by far, with companies like ChoicePoint and Acxiom collecting and analyzing those records. The flourishing consumer data industry spends millions of dollars each year lobbying against more restrictive data policies.

Not surprisingly, the United States has "many more laws restricting the government collection and use of information than laws restricting corporate use of collection and information," said Bruce Schneier, an expert on computer security issues. "Europe is the reverse," he added.

Oversight in the United States is decentralized. Data protection is not a core mission of any government agency. Each of them, from the Health and Human Services Department to the Department of Homeland Security, deals with it as a secondary issue. In addition, each agency has its own internal privacy czars, who protect their agency's data as they think best.

"What we don't have is a general framework that says these rules apply to everybody," said Peter Swire, an Ohio State University law professor who served as the Clinton administration's chief counselor for privacy.

Most European nations, on the other hand, begin with the idea that data protection is a human right, regulated by a comprehensive set of principles that apply to both business and government. And where American businesses are given relatively free rein to collect and sell information, European companies are severely restricted from those activities without individual consent.

"In Europe, there is much less use of data warehousing and data mining because the culture has not been friendly to it," said Alan F. Westin, the director of Privacy Exchange, an advocacy group sponsored by the consumer data industry. "No company in France, Germany or the U.K. has that kind of data-mining capability because they don't have the public record and census data" that American companies have.

Restrictions on the commercial use of private data have also meant that data-mining interest groups never became entrenched in Europe.

This, too, has philosophical and historical roots. European data protection policies emerged in the early 1970's, when the German state of Hesse enacted the first set of data privacy laws.

"This was still a generation with memory of World War II that knew how Nazis and fascists would use personal information against their enemies," said Evan Hendricks, the editor of Privacy Times, an advocacy newsletter. "If you were going to protect liberty, you had to ensure there was fairness in the protection of information."

Privacy protection was also strengthened by the push for European integration. The European Data Protection Directive of 1995 established a framework for national privacy laws in all E.U. countries, and encouraged nearby trading partners to adopt similar measures.

The effect on daily life in the United States and Europe can be seen at the checkout counter. Germany, like most other European countries, restricts retailers to collecting only the personal data directly linked to a sale: ZIP codes and phone numbers cannot be requested during a cash sale, and billing information can be kept only as long as there is a purpose.

Other countries have even more stringent laws. Switzerland, for example, requires every employee who handles sensitive data like credit information to "sign a very draconian document," Ted Crooks, vice president of global fraud solutions for Fair Isaac, a data analytics company, said of data protection laws in that country. "You don't mess with Swiss data," he said.

Most American companies, in contrast, store all sorts of customer information, and often make money selling some of it to others. "American businesses have learned by experience to hang on to the data," Mr. Crooks said. "It's cheap to keep, and maybe you will get some benefit out of it."

Then, too, most Americans are more willing than Europeans to give up personal information.

"If you ask someone from another country, they will resist," said Chris Hoofnagle, a director at the Electronic Privacy Information Center, a data protection advocacy group. "Ask a French person their phone number, and they will ask you why. Americans don't ask why at all."

Of course, in Europe, though the laws and the public sentiment against collecting sensitive consumer data may be more rigorous than in the United States, there is less ability to enforce those laws, or to punish corporate wrongdoers through public exposure. Regulators will sometimes quietly discipline a company for being too free with private data, but in general European corporations need not disclose nearly so much about their activities as American ones, and class-action lawsuits and corporate fines are rare.

"We don't know how often or how serious any breach of the E.U. directive actually has been because there is no need to disclose," said John Holland, an executive in charge of Europe and the Middle East regions for Cybertrust, a global security firm.

One thing that both privacy cultures have in common is that it is becoming harder for either to control what is and isn't kept private. Information is increasingly the lifeblood of the global economy, not to mention the global fight against terrorism and the quarry of hackers.

As this year's data breaches and compromises have shown, no one really knows how safe the world's vast pool of confidential data is, and therefore how protected anyone is against an invasion of data privacy.

Mr. Reidenberg, the law professor, compares the current situation to the stock market meltdown after the 1929 crash. America responded then by creating the Securities and Exchange Commission and a host of financial disclosure and accounting reforms. The need to safeguard sensitive data, Mr. Reidenberg said, "will necessitate the United States focusing on the legal way we structure information processing, just like we needed to do in the 1930's to put the economy back on stable footing."
