Dean Rusk, President Kennedy's Secretary of State, was quoted as saying during the last stages of the Cuban missile crisis, "We were eyeball to eyeball and the other side blinked first." This kind of international game of "chicken" is played out in various contexts as countries or international organizations use their leverage to get what they want from other countries. The transfer of data across international borders -- particularly the flow of such data from member countries of the European Union to the United States -- may now be caught up in a policy impasse that threatens to turn into such an episode, where the winner will be determined by who can remain steely-eyed as the stakes are raised and who will bail out with a figurative blink of the eyes.
The European Union has finalized its directive on data protection, which will go into effect within the next few years. Data protection is serious business in Europe and Europeans think of the protection of personal information as a basic human right. Most member countries have data protection laws already, and all members must have them in place shortly.
In Europe data protection means the protection of personally identifying information from unauthorized disclosure. It is frequently tied to electronic records and is generally based on a scheme of registering personal information databases with a central authority. The laws apply to both public and private databases. Data transfers can be made only for sanctioned purposes, such as uses that are consistent with the purpose for which the information was collected.
Data protection commissioners or registrars are authorized to take action against database holders who use personal information improperly. Under the EU data protection directive, transfers of personal information may occur only if the recipient of the information has adequate measures in place to protect the confidentiality of the information while in the recipient's hands.
And there is the rub. No place in North America, with the exception of the province of Quebec, has a law that adequately protects personal information held by the private sector. While the United States and Canada have federal Privacy Acts, both statutes only protect personal information in the hands of the federal government. Several Canadian provinces -- Ontario, British Columbia and Alberta -- have privacy protections at the provincial and municipal level, while Quebec has provincial, municipal and private sector protections. There are some privacy laws in the states, but none offer any particular protections outside the realm of government records.
THE U.S. APPROACH
Over the years the United States has taken a sectoral approach, providing privacy protections for particular industries. As a result, the United States has a Fair Credit Reporting Act, which was amended substantially in the last Congress; a Right to Financial Privacy Act; the Electronic Communications Privacy Act; and the somewhat insubstantial Video Privacy Protection Act.
The United States has yet to legislate privacy protections for medical records, although the Medical Records Confidentiality Act was considered by the last Congress and prospects seem good that some form of medical privacy will be passed in the next few years. As a first step, the Kennedy-Kassebaum Act, concerning portability of medical insurance coverage, contained language directing the Department of Health and Human Services to come up with a medical privacy scheme that Congress could then consider.
European privacy commissioners are skeptical that either the United States or Canada has adequate protections governing the transfer of personal data to private-sector recipients. But while the United States still seems to treat this problem as some minor economic irritant, Canada is aggressively moving forward with an initiative that would create a federal legislative framework for enforcement of a model privacy code that has been drafted by the Canadian Standards Association (CSA). Although all the details have not been worked