The following text is copyright 1998 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.
Rough seas in safe harbors
By Scott Bradner
Network World, 11/30/98
Regular readers of this column know my general level of distrust of the U.S. government's willingness to protect individual privacy in the face of some U.S. businesses' desire to know everything about you and to sell that information to anyone with enough cash.
I've commented on the fundamental differences between the European and American approaches to privacy protection. The Europeans feel that the violation of privacy protection regulations should be made a crime. The U.S. government claims that such laws offer false comfort, so there should not be any laws to compel protection. Instead, the U.S. maintains we should trust that the companies in the data business will agree to protect your private information when threatened with no penalty other than bad publicity if they are caught lying.
We have now reached another turning point in the privacy saga. On Oct. 25, the European Union's Directive on Data Protection became effective. This directive requires that the member states of the European Union must pass specific legislation to protect the privacy of information about individuals and to prohibit the transfer of data that can identify an individual to other countries that do not provide an "adequate" level of data protection. If the laws that are being adopted to comply with the directive were to be strictly enforced, no U.S.-based business or individual would be able to import data, such as personnel files or credit card transaction logs, from Europe.
The U.S. government is currently trying to deal with this issue. Because the government is unwilling to pass laws to protect personal information, it is trying to get the Europeans to agree to a "safe harbor" for U.S. companies that want to import European data. The U.S. proposal is to publish a list of companies that agree to abide by certain privacy protection principles. Visit www.ita.doc.gov/ecom/menu.htm to see the proposal.
There are many things wrong with the U.S. government's idea, not the least of which is that no credible penalty is proposed for companies that agree to the principles and then proceed to ignore them. The principles are good ones, but they are expressed in generalities. It is easy to see many ways that a company could evade the privacy restrictions.
This proposal reminds me of an internal Boston Globe headline that was accidentally printed during the Carter administration. This proposal is "more mush from the wimp," the headline read. The U.S. government is being a wimp in the whole area of privacy. It is using excuse after excuse to avoid confronting the fact that for far too many U.S. businesses, personal information about you is just another commodity to sell to all, not just the highest bidders.
If there was serious concern about the privacy of individuals, a proposal of this type would have called for clear, unambiguous laws that would make the unauthorized disclosure of private data a felony. Without such laws, this is mush.
Disclaimer: A boathouse on the Charles River is Harvard's closest approximation to a harbor, so the above is my mush.