With the European data directive in place that looks like shaking up US attitudes to online privacy, the most visible example of what the US internet industry is trying to do in terms of self- regulation – the non-profit group Truste – is still awaiting its first test case to prove that it has some teeth to back up the rhetoric. Truste offers a seal of approval to place on web sites to verify that those sites are sticking to their published privacy policies. It does not advocate privacy policies, beyond some broad principles, rather it ensures that sites are adhering to their policy, whatever that might be. But Truste chairman Esther Dyson acknowledges that Truste could do with a major test case to prove its viability. Truste executive director Susan Scott says there have been about 20 small cases that have been resolved between the user and web site owner. The EU data directive forbids companies in Europe from transferring data from EU countries to any country that does not provide what the EU perceives to be an adequate level of protection of that data. The ruling affects both web site owners that collect data from users all over the world, as well as companies storing data about their employees in Europe. The EU counts the US as one of those countries that does not provide adequate protection and the US government has been negotiating with the EU for months to try and find some sort of accommodation. Dyson told ComputerWire that she feels some sort of understanding will be reached by the end of the year, which is what we have heard from others (10/26/98) and she says the directive is abstract enough to not require any changes for all sides to be accommodated. There has been a fair amount of skepticism recently in the industry that Truste and similar efforts like that of Better Business Bureau Online are all carrot and no stick and lack any real enforcement capabilities (10/08/98). Dyson argues that the first companies to sign up Truste are always likely to be the ones that will comply with their privacy policies and therefore it is not surprising that there have not been any major violations, but we are hoping to get a good test case, she says. Truste currently has just over 300 members, who each pay an annual license fee to display the Truste mark on their web sites. Truste uses a mixture of third party auditors, manual checking by Truste staff and the establishment of test identities at sites to see what those companies do with the test information. But the ultimate sanction as far as US companies is concerned, is the Federal Trade Commission (FTC), which could charge companies with fraud if they violate their privacy policies. Earlier this year web site community provider GeoCities Inc settled with the FTC over allegations that it misled its users about what it did with their personal data. But all the FTC eventually demanded from GeoCities was that it display a clear privacy policy and get consent from parents before information is taken from children below the age of 12 (08/14/98). Many observers consider the likely US solution to be a mixture of self-regulation, legislation and contracts between companies and individual EU governments. Dyson concurs that privacy legislation of some sort is likely, but only in the area of medical records and protecting children. Dyson says Truste is not trying to replace government action but says we have friends at the FTC. She also believes that the EU is being unreasonable about restricting the movement of employee data because she says it is not information that companies want to share with anyone else anyway, so it is not likely to be involved in breaches of privacy. There are moves afoot to create Truste-like organizations in Europe, says Dyson, while emphasizing that they will be separate and not subsidiaries of Truste. She welcomes competition from the likes of the Better Business Bureau Online, pointing that it is aimed more at small-to-medium US businesses, Truste is not a monopoly, she says. BBB Online started later than Truste and is yet to get its web site fully up and running. As far as the question of who pays for the audits, Scott says Truste would foot the bill if the site is found to be in compliance with its privacy policy and of not, the web site owners would be asked to pay. If they refuse, Truste will bear the cost itself, says Scott.
