The Internet may be creating new vectors of communication on a global scale, but regulating it is a far more parochial affair, particularly when it comes to privacy. This week Britain's House of Commons will consider a controversial government proposal to allow official access to virtually all electronic communications for law-enforcement purposes — a measure that would give U.K. officials far more power than their counterparts in Washington dare ask for. And for years, a debate has raged between the European Union and the United States on how best to safeguard personal privacy from commercial abuse.
As the population of online consumers accustomed to providing personal data to e-tailers and Web-based services has grown, so too have concerns about the potential uses — and abuses — of this valuable raw data. Privacy groups in the U.S. and Europe have lobbied for legislation that would limit the ability of companies to share, use or sell the consumer information they collect. Until now Americans, with their characteristic faith in the power of self-regulation, have shied away from enacting sweeping new legislation. In sharp contrast, Europeans have adopted a more interventionist approach. In 1995, well before the e-commerce revolution was fully under way, the European Commission drafted the Data Protection Directive, a measure designed to "protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data." The directive took effect in October 1998, but only recently did the E.U. and the U.S. reach a hard-won compromise on how it applies to U.S. companies. Under the agreement, the U.S. Commerce Department will establish a list of companies that meet stringent European guidelines for the collection and use of personal data. These companies will then be granted "safe harbor" status, securing them against data blockages.
The safe harbor pact combines elements of the American self-regulatory approach with Europe's preference for explicit safeguards. It means that American companies doing business — online or otherwise — in Europe will be subjected to far more rigorous controls on what information they can collect from customers than they face in the U.S. Under the safe harbor rules, American companies would be prevented from compiling detailed user profiles of European-based customers for commercial use. Personal data could be collected only if "the data subject has unambiguously given his consent." Complying with even this basic requirement could mean a significant adjustment in how many American e-commerce companies operate. Additional safe harbor restrictions would allow companies to collect only the data they need to secure a contract.
An essential component of the safe harbor accord is the use of private sector controls to ensure American conformity. Under this system, companies are allowed to cede responsibility for their privacy standards to a separate organization which monitors its members' compliance with privacy guidelines; such organizations will form what Ulf Breuhann of the European Commission calls "the first layer of compliance bodies." One is TRUSTe, whose network of participating companies includes AOL, Ernst & Young, Microsoft and Novell.
But the rapid technological changes that have given rise to these widespread concerns could ultimately spawn solutions as well. Last month, the World Wide Web Consortium, a U.S.-based industry group that promotes Web privacy standards, test-ran its new Platform for Privacy Preferences, a program that would allow users to configure their own privacy requirements.
If programs like this prove successful, the question of whether it is up to the government or the private sector to determine the right level of Internet privacy will be moot. Individuals will be able to take the matter into their own hands and decide just how much of their private lives they are willing to share with others.