Simon Davies: Privacy's New Image

America's new rules of privacy are coming from the Old Country. Here's how Europeans like Simon Davies are getting America to rethink privacy.

Where privacy is concerned, Americans distrust their government. But they'll gladly hand over their personal information to a corporation to get a deal on their groceries.

Europeans, on the other hand, will give their government extremely broad surveillance powers, but they largely forbid private enterprise from accessing any personal data without their express written consent. In the corporate security world, this has translated into an ideological disconnect: U.S. executives think Europeans are missing the marketing opportunity personal data provides, and the Europeans, by and large, see their American counterparts as fast and loose, callous even, when it comes to their citizens' privacy. Until recently these issues had settled into a quiet détente. However, resentments churned up by recent world events have European privacy experts predicting that U.S. companies are likely to face a new hard-line approach to privacy enforcement in their business dealings on the continent.

But views on privacy have also been changing within the United States. HIPAA and a slew of post-9/11 antiterrorism legislation started the trend, and rapid technological advances that make invading one's privacy shockingly easy have drawn more attention to the privacy issue. The result is that America is looking more and more like the Old Country, at least when it comes to privacy.

The libertarian values of the founding fathers infused American culture with a live-and-let-live attitude. A majority of U.S. citizens still wrinkle their noses at any proposal that smacks of increased government regulation. The issue of privacy has consequently been handled on an industry-by-industry basis, with only high-risk sectors such as health care and financial services bending to the force of legislation. Meanwhile, most businesses have been left to carry on the collection, use and trading of personal data and information at will behind a very thin curtain of "self-regulation."

At the center of this confluence of government legislation, international pressure and the ongoing debate over security versus privacy is the CSO. He is charged with, and will ultimately be held responsible for, navigating through the turbulence.

The CSO has a tremendous impact on the development, execution and effectiveness of the corporate privacy policy. Whether responsibility for privacy resides in the security group, with the legal counsel, in human resources or with a specially appointed chief privacy officer, the CSO is a critical partner in giving a privacy program life.

But it isn't an easy partnership. "You can have great security without privacy I suppose," says Peter Cullen, former chief privacy officer of Royal Bank of Canada and newly appointed chief privacy strategist for Microsoft, "but you can't have great privacy without great security."

Why is it so hard for companies, and indeed governments, to reconcile the two?

"Such intuition used to be at the heart of America's Fourth Amendment," says Jeffrey Rosen, associate professor of law at George Washington University, referring to the right of citizens to be safe from unlawful search and seizure. "The most invasive measures should be limited to the most serious crimes, but we lost that principle along the way," adds Rosen, who is also author of The Unwanted Gaze: The Destruction of Privacy in America.

In the United States especially, the relationship between privacy and security has been a particularly contentious one, not only because of the disinclination toward legislation but also because information has always been the lifeblood of our capitalist culture: Privacy protections, it is feared, could put a stranglehold on the flow of commerce.

But the war on terror in particular has brought the clash between privacy and security to the forefront like never before. Recent cases, such as the attention given the Muslim-American woman in Florida who refused to remove her veil for a driver's license picture, and the furor that greeted the announcement of the government's plan for the Total Information Awareness Program, which would link and mine databases to identify security threats, have further muddied the relationship between the two. One always seems to be implemented at the expense of the other.

The problem is exacerbated on the corporate side by the breakdown in communication that often occurs between the privacy and security folks. CPOs such as Cullen feel somewhat misunderstood by the security profession. "CSOs don't understand privacy as well as privacy officers understand security," he says, noting that he believes privacy is more nuanced and less black-and-white. "Security is a fairly rational thing (the antivirus protection is either on or off), whereas there is a high degree of variability in privacy." What feels invasive to one person can be of little matter to the next.

More than a quarter of the 1,010 U.S. citizens responding to the annual Harris Interactive poll in February 2003 identified themselves as being "privacy fundamentalists." They feel strongly about the loss of privacy and will resist any further erosion. Only 10 percent of respondents identified themselves as "privacy unconcerned." They have little or no anxiety about how their information is collected and used. But a majority of people, 63 percent, take the "privacy pragmatist" approach. They may be concerned and aware of issues surrounding privacy, but they are also willing to trade some of their personal information if the perceived benefit is great enough and the risk of information misuse is low.

The Continental Clash

In Europe, however, the issue of privacy goes beyond that of a preference. It is seen as a fundamental human right. For that reason, the Europeans have had a much easier time combining the issues of security and privacy into a single ethic of information handling. "In the U.S., citizens see privacy as a legal minefield," says Simon Davies, director of London-based Privacy International, noting that consequently it often is turned over to the legal counsel or human resources to manage. "In Europe [privacy is] more a human condition than a legal condition. It's more a social issue than a litigation issue. So security people find it easier to take [privacy] on. In the United States, the corporate environment is steeped in, and constantly threatened by, litigation." When the prime directive is avoiding litigation, it becomes next to impossible for security and privacy to evolve side by side.

The differing views on privacy between the United States and Europe, and even among the European Union countries, are based on the intrinsic values of cultures that are centuries old. For example, British citizens are protected by the EU Data Privacy Directive (see "EU Data Privacy Directive," Page 53), which gives them the rights of notice, choice and access to their personal information that Americans don't have. But they also live in a culture where camera surveillance is ubiquitous. From traffic lights to street corners, British citizens are under almost constant observation...and they don't seem to mind. "Britain continues to confound and surprise me," says Rosen. "They have embraced cameras, showing great deference to authority, and yet this same culture that is wired with cameras is far more respectful of people's privacy in public. They don't stare at celebrities or yell loudly on their cell phones on the train. They maintain boundaries the more democratic Americans don't respect."

The German experience with Nazism had a profound effect on that country's cultural views about privacy and the rest of Europe's as well. During World War II, people saw the destructive power that information could have in the hands of an evil government. The postwar lesson of maintaining a healthy relationship between citizens and organizations also fostered a belief in a right to privacy. Today's German Secret Service, for example, is given broad surveillance authority, but only to investigate terrorism. Any evidence of a low-level crime that is discovered in the process of that surveillance cannot be legally pursued, preventing authorities from going on fishing expeditions for information.

The French are tremendous proponents of government regulation for just about everything. Unlike Americans, they feel no need to constrain their government's involvement in instituting privacy controls and have some of the most extensive regulations of dignitary offenses in Europe.

When Europeans embraced omnibus privacy legislation in 1995 with passage of the EU Data Privacy Directive, Americans were forced to respond. In order to preserve the continuity of trans-Atlantic commerce, the Federal Trade Commission brokered an agreement with the EU called Safe Harbor, which would require U.S. companies that sign on to it to abide by the EU's basic privacy principles.

However, relatively few U.S. companies have signed on (only 353 at press time), and the vast majority of those are small companies rather than the Fortune 1000 behemoths whose information practices could cause the greatest harm to the privacy of European citizens. "Safe Harbor was and is a well-intentioned effort and works for many companies," says Ivan Fong, chief privacy leader and senior counsel of IT at General Electric. "But it is only a partial solution for other companies, in that it only covers data flows between Europe and the U.S., and many multinationals have data flows that go beyond that route." He adds that Safe Harbor, as currently negotiated, doesn't cover financial services companies because the United States and the EU cannot agree on whether the U.S. data protection laws that govern financial institutions meet the EU's "adequate protection" standard.

The FTC, by the way, is actually one of the central reasons behind Safe Harbor's poor showing. It has enforcement authority over the program, and the majority of U.S. companies don't want to come under its jurisdiction and open themselves up to litigation. Instead, most companies seeking to transact business in Europe have chosen to negotiate individual contracts with the EU member states, stating that they will abide by the basic precepts of EU privacy practices.

But terrorism and technology have changed the standards and the stakes of compliance. Since Sept. 11, the U.S. government has made new information demands on its European allies in the name of security, which forces them in many cases to break their own privacy policies. For example, U.S. authorities are requiring that all foreign airlines that land in the United States present complete passenger lists, a move that directly violates European privacy laws. But airlines such as Lufthansa and Air France that want to be able to land in the United States have been quietly surrendering that information anyway.

Davies notes that security measures such as those contained in the Enhanced Border Security and Visa Reform Act of 2002 (H.R. 3525) are causing a great deal of resentment in Europe. "There is a sense of betrayal in Europe that we will now have to be fingerprinted as we enter the United States. It's a betrayal of comradeship and of trust," he says. "We've been partners throughout the century, and to find ourselves now cast aside and treated as aliens, well, it's done incalculable damage." Davies also points to further irritants: the war of words that erupted between France and the United States, and the fallout from Europe's disfavor of the invasion of Iraq.

And Davies is not alone in feeling that way. Alan Westin, president of the Washington, D.C.-based Center for Social and Legal Research, and cofounder and publisher of the Privacy and American Business Journal, notes that Stefano Rodotà, president of the Italian Data Protection Authority, recently spoke out strongly against the European airlines for surrendering their passenger information to the United States.

The result could be serious for U.S. companies that want to do business in Europe. Davies predicts that European privacy authorities are going to get much tougher on Americans who flout their privacy regulations. "There is going to be far more attention to detail in contracts and on the information flow, and a more rigorous interpretation of data rules," he says. "It may be occurring for all the wrong or all the right reasons, but this is the state of the world today. And because of the bad blood in Europe, data protection is one of the areas where rules will be more rigorously applied."
