 |
|
|
|
|
||
 |
||||||
 |
||||||
 |
||||||
|
||||||
|
|
|
|
|
|
|
|
 |
|||||||
|
October 7, 2002 Who Is Protected By EU Privacy Rules? By Brian M. Carney The European Union wants you to know that your personal data is safe from prying eyes -- unless those eyes are government's. The EU's rules on data privacy make for one of the stranger ironies of the European Union's quest to make the world a better place. It has some of the world's strictest regulations on the storage, use and transfer of personal data--your name, your addresses, both physical and virtual. In a high-profile test of those rules, they are currently being applied to Microsoft, whose "Passport" sign-in system is under investigation for failing to adhere to the EU's rules on the collection, use and "processing" of such data. At the same time, however, the EU is in the process of implementing some of the world's most far-reaching rules to ensure that law-enforcement agencies can access records about you if you come under investigation. Under rules put into place in 1998, a company to whom you give your "data" -- for example, your mailing address when ordering something online -- cannot use, store or read that information again unless you give your permission every single time. Unless the police ask for it. But according to the rules wending their way through the Brussels bureaucracy, the very same data that companies gather about your buying, eating or Web-surfing habits -- but which they themselves are not supposed to use to send you coupons for diapers (because they noticed you were shopping for baby clothes) -- must be kept on hand in case the government wants it. The EU would like companies from your Internet service provider to your mobile operator or credit-card company to keep information about your habits on file -- but only for government use -- for as long as two years. The information could be subpoenaed should you become a suspect in a crime. Which is to say, it is not the collection or examination of data about you that is suspect; it is the use of that data in pursuit of capitalism that draws the EU's fire. In fairness, the standards should be reversed. A company that bombards you with unwanted solicitations to buy computers cheap, cheap, cheap is, at most, a nuisance. A criminal investigation making use of data that might raise unfounded suspicions could become a lot more than a nuisance. The "Big Brother" implications are obvious. Companies are simply looking for transactions that have a mutual advantage. It does Amazon.com no good to bombard you with offers for things you will never buy. Criminal inquiries are rarely mutually beneficial, whether or not the target is guilty of a crime. The consumer-protection side of the law looks more bureaucracy-protection than an actual aid to citizens. Last week, the EU's irrepressible ombudsman, Jacob Soederman, rapped the European Commission on the knuckles for hiding behind data-privacy rules to deny the public access to information about potential conflicts of interest within the commission. His letter to the commission cited the EU executive body's "anonymization" of gift-receipt records that were provided to this newspaper over the summer. At the time, the commission said that while it could disclose the gifts, it couldn't disclose who received them without violating the recipient's "data privacy" -- never mind that these are public, if unelected, officials for whom such disclosures should be routine. As if to emphasize the uneven playing field between government and the private sector, the commission at the time noted that the European Parliament could, if it desired, view the unanonymized records. Government disclosure to itself is poor disclosure indeed. Meanwhile, big "bad" Microsoft seems in danger of falling afoul of these same rules. The EU hasn't said much publicly about what exactly it is about the Redmond, Washington company's attempt to create an electronic wallet that offends, and Microsoft did not return a phone call in time for publication. But earlier this year, Microsoft settled with the U.S. Federal Trade Commission over a separate complaint about Passport. The FTC alleged that the software giant had not been up front about the nature of the data it was collecting and about how it was being used. Microsoft agreed to clarify both points and submit to regular audits of its data-collection practices. That the EU investigation appears to be continuing implies that Brussels is after something more. The EU member states' data-privacy regulators are due to meet this month to discuss the Microsoft investigation. If they don't like what they've found, Microsoft could face hefty fines. At bottom, what underlies this asymmetry is an assumption that the motives of those acting in the name of the state are, if not beyond question, at least deserving of the benefit of the doubt. Business interests, on the other hand, are viewed with deep suspicion. This might appear at first glance to be justified by the occasional allegation that this or that company has misused or allowed access to sensitive information. But it flies in the face of the fact that commercial transactions are all essentially voluntary. When the commission hired a consultancy to review the state of data protection in the world, the whole report could well have been pared down to two of the sentences it contained: "Consumers should consider the existence and content of a privacy policy before submitting personal data to a [Web] site." And: "If consumers are concerned about privacy of their data, they should not use sites that do not adequately protect their data." As a consumer, you always have the option of anonymity. Pay cash. Don't shop online. Don't sign up for loyalty cards at the supermarket. (Those cards are essentially a trade; the points you accumulate, sometimes refundable for cash, are the store's way of "paying" you for the information it collects about your spending habits. Some feel that's a good trade. If you don't, cut up your card.) The same cannot be said for your interactions with the state, where coercion rules. In most continental countries, you must register your address with the police or local government when you move. You must carry government-issued identification when you go outside. Microsoft's much-feared Passport, by contrast, is merely a convenience and the customer's ID can be whatever he wishes. Try telling the local commune that you want your identity card to read "Tintin" or that you live in Never-Never Land. What's needed is a rethinking of what uses of data are legitimate and which are not. At the very least, we should question the assumption that we should trust the government to use data responsibly while living in fear of private actors' use of that same data. Mr. Carney edits the Business Europe column. Contact him at brian.carney@wsj.com.
|
|||||||
 |
|||||||