“I worry about a trade war come October,” says Bill Burrington, America Online Inc’s director of law and public policy and assistant general counsel. The two sides in this potential war would be the US and the European Union and the battlefield, the seemingly arcane world of data protection and privacy. But the stakes are very high, hence AOL’s high-level anxiety: “we have huge concerns about privacy and this issue,” Burrington added. The EU issued a directive to its member nations to have a uniform data protection policy in place by October 28 and the Clinton administration issued its framework for electronic commerce on the internet on July 1 last year, giving the industry one year to come up with ideas about developing data protection and privacy policies. We reported two weeks ago on the government’s call for a coherent policy on internet privacy and this is related to that. “Privacy is this year’s Communications Decency Act,” declared Burrington, who is also the current chair of the Interactive Services Association. The potential for a trade war lies in the fundamental differences between the US and EU’s perspectives on data protection. Both sides have the same goals: to enable the free flow of information while protecting the rights of the individual to have their personal data protected. But they have different ways of going about it, and the EU is not too keen on the way Americans go about it. This is the rub: under the directive, European countries will only be permitted to transfer data to countries that have what it calls an adequate level of protection. Come October, each EU state is required to have laws in place and be prepared to enforce them to deal with any company, individual or organization removing data from the EU to countries that do not meet its requirements for data protection. And in the eyes of the EU, the US does not, at present, meet those requirements.
And the explosion of the internet over the last few years has made moving data round the world incredibly easy.
By Nick Patience
If US companies do not come up with a framework that satisfies the requirements, they are in grave danger of prosecution. Burrington knows this all too well. With 11 million subscribers spread across the US, Europe, Japan and Australia, AOL is facing “some pretty big changes in our business practices.” Speaking just 20 minutes down the road from the company’s data center in Sterling, Virginia, where data on all its worldwide subscribers is held, Burrington noted “we’ve clearly been exporting data!” The US government has recognized a problem on the horizon, but the industry only has until July 1 to report back to the Department of Commerce with a plan to deal with the situation, and if it is not suitable, the government will have to impose one, and nobody wants that to happen. In legal terms, the US and European approaches can be dubbed sectoral and omnibus, as Mark Turner, a London lawyer specializing in internet law, put it at last week’s Internet Executive Summit just outside Washington DC. The US approach is sectoral in that the law deals with cases sector-by-sector. For instance there are laws concerning computer users, laws concerning credit card agencies, and so on, and they are regarded as an economic issue. However, in Europe, data protection is a human rights issue, regardless of which part of industry it applies to. And governments in Europe tend to be much more interventionist than in the US. Burrington described the differences as the US being concerned with protecting people from government and vice versa in Europe, which may be putting it a tad simplistically. EU countries have a data protection registrar who oversees the issue in each country and there are moves afoot for one EU-wide registrar to be appointed. The regime is based on a few basic principles, among them registration, the individual’s right to inspect data, fair use and consent.
Companies must register themselves with the registrar, say what data they are planning to keep and for what purpose, and it must be kept up to date. Individuals have the right to inspect the data whenever they want. There is also a set of eight principles, the most salient of which is the principle of informed consent. This means that in order for companies to use personal data for purposes beyond its original use they must ask the individual for his or her consent. More specifically, the individual must ‘opt-in.’ This is a fundamental difference between the EU and the US, where companies can use the data providing the user does not specifically object. Americans are familiar with tick boxes on paper and web forms that ask users to check them if they do not wish to receive any further data about the company. In Europe, by law it must be the other way round. This EU regime applies to all types of data: sound, image, marketing databases, medical records, listserv and other mailing list services, customer and subscriber information, and arguably cookies and web page caches – where they contain data on individuals. So what should the US companies do? There are three main strategies suggested by groups such as the ISA and various legal experts. The first, contractual provisions, involves companies getting users to sign contracts with them that specify what companies will do with the data; secondly, industry could set up a supervisory authority to oversee data protection, much like the British ombudsman system; and thirdly, industry could establish a code of conduct. Obviously industry could lobby the EU and the individual countries, but that is costly and very time-consuming. Turner thinks US companies would be better pursuing the code of conduct (the OECD provides a checklist for such a code) or supervisory authority options.
In the short term, companies should consider reviewing their online data gathering strategies, describe what they intend to use the data for, provide an opt out option, offer contracts to users or even, as a last resort, collect and process their data in Europe. AOL’s Burrington pointed towards the work the industry is already doing regarding privacy, which we reported on two weeks ago. That involves agreeing to audit their data annually and agreeing on a ‘seal of approval’ to put on web sites that adhere to data gathering policies. “We need to put some meat on the bones of self-regulation,” urges Burrington. Whatever the industry does it had better do it quick, as Commerce Secretary William Daley and Frank Raines, director of the Office of Management and Budget (OMB), have to present President Clinton with a report by July 1 documenting industry efforts – or lack of – in forming a coherent data protection and privacy policy. After that it’s the government’s call. For the industry it seems like a case of either hang together, or hang separately.