by / January 31, 1997
Dean Rusk, President Kennedy's Secretary of State, was quoted as saying during the last stages of the Cuban missile crisis, "We were eyeball to eyeball and the other side blinked first." This kind of international game of "chicken" is played out in various contexts as countries or international organizations use their leverage to get what they want from other countries. The possibility that the transfer of data across international borders -- particularly the flow of such data from member countries of the European Union to the United States -- is currently caught up in a policy impasse that threatens to turn into an episode where the winner will be determined by who can remain steely-eyed as the stakes are raised, or who will bail out with a figurative blink of the eyes.
The European Union has finalized its directive on data protection, which will go into effect within the next few years. Data protection is serious business in Europe and Europeans think of the protection of personal information as a basic human right. Most member countries have data protection laws already, and all members must have them in place shortly.

In Europe data protection means the protection of personally identifying information from unauthorized disclosure. It is frequently tied to electronic records and is generally based on a scheme of registering personal information databases with a central authority. The laws apply to both public and private databases. Data transfers can be made only for sanctioned purposes, such as uses that are consistent with the purpose for which the information was collected.

Data protection commissioners or registrars are authorized to take action against database holders who use personal information improperly. Under the EU data protection directive, transfers of personal information may occur only if the recipient of the information has adequate measures in place to protect the confidentiality of the information while in the recipient's hands.

And there is the rub. No place in North America, with the exception of the province of Quebec, has a law that adequately protects personal information held by the private sector. While the United States and Canada have federal Privacy Acts, both statutes only protect personal information in the hands of the federal government. Several Canadian provinces -- Ontario, British Columbia and Alberta -- have privacy protections at the provincial and municipal level, while Quebec has provincial, municipal and private sector protections. There are some privacy laws in the states, but none offer any particular protections outside the realm of government records.

Over the years the United States has taken a sectoral approach, providing privacy protections for particular industries. As a result, the United States has a Fair Credit Reporting Act, which was amended substantially in the last Congress; a Right to Financial Privacy Act; the Electronic Communications Privacy Act; and the somewhat insubstantial Video Privacy Protection Act.

The United States has yet to legislate privacy protections for medical records, although the Medical Records Confidentiality Act was considered by the last Congress and prospects seem good that some form of medical privacy will be passed in the next few years. As a first step, the Kennedy-Kassebaum Act, concerning portability of medical insurance coverage, contained language directing the Department of Health and Human Services to come up with a medical privacy scheme that Congress could then consider.

European privacy commissioners are skeptical that either the United States or Canada have the needed adequate protections addressing the transfer of personal data to private-sector recipients. But while the United States still seems to treat this problem as some minor economic irritant, Canada is aggressively moving forward with an initiative that would create a federal legislative framework for enforcement of a model privacy code that has been drafted by the Canadian Standards Association (CSA). Although all the details have not been worked out, the CSA code would provide the floor by which private sector privacy codes would be measured. In other words, the CSA code, which is a good solid piece of privacy policy already, would be the minimum standard to measure the performance of private industry.

Industry groups could adopt tougher protections, but could not offer less than the CSA code. Probably the federal privacy commissioner and the various provincial commissioners would be charged with monitoring performance and helping to hold industry accountable to the code. Judicial remedies are also likely to be available.

The United States is moving much more cautiously, but there are some developments that could help it pull itself up. While Canadian Justice Minister Allan Rock was telling the International Conference of Data Commissioners at their meeting last September in Ottawa that Canada would have legislation in place by the year 2000, Sally Katzen, head of the Office of Information and Regulatory Affairs at the U.S. Office of Management and Budget told the same group that the sectoral approach was the position of choice for the United States. One American attendee at the conference said Katzen's speech sounded like one he had heard four years earlier during the Bush administration.

However, there is an American initiative coming out of the Federal Trade Commission. Commissioner Christine Varney, something of a protege of President Clinton, has supported the idea that the FTC could use its statutory authority to police unfair business practices as both a carrot and a club in convincing business to provide adequate privacy protections. While this is a much lower level response than Canada's, it holds some promise for accomplishing some of the same goals. However, such privacy initiatives in the United States are very personality-driven and the FTC's interest might evaporate if Varney were to leave.

On the negative side of U.S. developments, the continuing suggestion that the United States create some kind of independent privacy commission that might act as an ombudsman and honest broker in dealing with privacy protection in both the public and private sector, has yet to garner any enthusiasm, although it is an idea that is favorably received by European data commissioners as the first sign that the United State is really serious about this issue.

Several months ago Michie published what is certainly the current bible for Americans trying to understand these issues. Data Privacy Law, by law professors Paul Schwartz and Joel Reidenberg is the most thorough and comprehensive examination of all aspects of data protection. Schwartz and Reidenberg were commissioned to write a study of American privacy protections so that the European Union would have a better idea of the state of affairs in the United States. What they have produced, however, is perhaps more relevant to Americans who need to understand this issue. Another recommended source for Americans in search of European developments and perspectives is the excellent British newsletter Privacy Laws & Business, published and edited by Stewart Dresner.

As the Internet continues to break down any distinctions about the flow of information across international borders, the economic, intellectual, and public policy lifelines will depend on the continuation of such international data flows. For the United States to ignore or underestimate the importance of a meeting of the minds on the subject of international data protection could have catastrophic results down the road. But as with many international imbroglios, the results will depend in part on which side blinks first.

Harry Hammitt is editor/publisher of Access Reports, a newsletter published in Lynchburg, Va., covering open government laws and information policy issues. E-mail: <>.


Harry Hammitt Contributing Writer