
Symposium
Data Protection - Bridge between Privacy and World Market
at the
Internationale Funkausstellung Berlin
30 August 1999

REGULATION & SELF-REGULATION IN THE GLOBAL ELECTRONIC MARKET: THE U.S. VIEW

Duncan A. MacDonald


Good morning and thank you for inviting me to speak at your conference in this wonderful city. In particular I want to thank Dr. Hansjürgen Garstka.

Dr. Garstka and I met a little over four years ago under rather auspicious circumstances. I was the General Counsel of Citibank’s card business for Europe and North America at the time. I am sure most of you remember the unfortunate data protection problems Citibank experienced when it launched the Bahn credit card in the summer of 1995. What was supposed to have been a celebration of a new product turned quickly into a summer of discontent:

  • Thousands of customers angrily condemning our data protection mistakes;
  • Relentless negative media coverage for months in Germany and across Europe;
  • A valuable business partner – the Deutsche Bahn – put into shock;
  • Consumer protection organizations in a dozen Länder threatening legal actions; and
  • Data protection regulators demanding answers and compliance.

Without question, a daunting challenge, especially for a person who had never been to Germany before and could not speak a word of German.

I will not burden you with the rest of the story, except to say that Drs. Garstka, Dix and I, with coaching from behind the curtains by my good friend, Dr. Spiros Simitis, resolved the data protection issues in a way that has built a lasting and very productive relationship. Since 1995 we have played a significant role in the trans-Atlantic dialogue on several key data protection issues.

In many respects the Bahn experience should be remembered as a dress rehearsal, perhaps a wake-up call, for far greater privacy issues that are emerging in the global electronic market. But that has not yet been the case in the United States.

America’s infatuation with e-commerce often submerges important privacy issues. Americans love e-commerce because it makes shopping easier and significantly less expensive. They delight in the freedom it gives them to transact in a global market. And they share a belief that promoting unrestricted e-commerce will advantage US industries around the world.

Indeed, e-commerce has become an overwhelming force in the US economy. The Wall Street Journal reports that in 1999 e-commerce will generate $109 billion in online sales between businesses and $12 billion by consumers. Consumer spending online has been growing at about 60% per year for everything from books and pharmaceutical goods to complex banking, investing and purchasing computer equipment.

The surging demand for e-commerce has forced a reengineering of virtually every company in the US, including the smallest family owned stores, what we call "Mom and Pops." It doesn’t matter whether they run a delicatessen, a barber shop or a pub – all of them feel they must have their own web site, even if it will never increase business, much less ever be found by surfers on the web.

Along with the growth of e-commerce has come a now familiar debate about public policy issues concerning free speech, taxation, intellectual property, trade, antitrust and, of course, consumer protection, especially as it relates to privacy, dispute resolution and fraud.

Interestingly, Americans send mixed signals about how seriously they take privacy. It seems at times that they treat it the way they do the environment: lots of professed concern, but no action, and sometimes complicity with those who despoil it.

Polling in the US regularly shows that 80% of consumers are fearful of online threats to their privacy. They insist that they want to know if a business will collect and share information about them with third parties. And they want the right to stop it. Moreover, they are increasingly saying they resent data collection to create behavioral profiles to influence their purchasing decisions.

In contrast to what consumers say in the polls, they send over one trillion unprotected, unencrypted personal e-mails a year, suggesting they are more trusting of the Internet than they will admit. And despite their professed resentment of undisclosed information gathering – an e-commerce norm they are well aware of – their use of the Internet and e-commerce is doubling almost every 15 months.

In addition, Americans rarely complain to businesses that do not have privacy policies or to regulators about it. Moreover, there is no evidence that they reward companies with more business for doing the right thing – that is, for having strong privacy policies.

While close to 60% of them claim they have asked a company to remove their name from marketing lists, as a general practice they rarely ask for removal. In fact, most companies say removal requests are closer to 2%.

Perhaps most tellingly, few elections in the US turn on promises of privacy legislation. It doesn’t guarantee votes. With the exception of prohibiting spam, there is no democratic groundswell in the US in favor of regulating other aspects of e-commerce.

There are many explanations for Americans’ bewildering behavior. Let me give you but eight:

  1. Americans know the issues, but are not sure which side to take.
  2. They believe there are valuable tradeoffs for giving up some of their privacy on occasion, like access to better products at lower prices.
  3. While they might not trust what businesses will do with their information, they believe they can fend for themselves.
  4. Although they profess to resent data compiling, profiling and mining, most would deny that businesses can manipulate them into making purchases they do not want.
  5. They have gotten used to junk mail and are learning how to control the flow of telemarketing calls. While they say they want the legal right to opt-out of both, those who already have the right, via a company’s policy or state law, rarely exercise it.
  6. They have a long history of rejecting government solutions in favor of market solutions. Consequently, they will trade away their privacy when the alternative is a greater variety of quality products at lower prices.
  7. They are used to the market responding to their demands, so in the case of privacy they expect it to produce inventions, tools and new policies to help them defend their privacy. Indeed, that is already happening in impressive ways.
  8. And lastly, unlike many Europeans, they often view regulation as an intrusion on their rights.

The politics of privacy protection in the US concerning e-commerce weigh heavily against comprehensive legislation. The Clinton Administration has consistently held to the free market view that the federal government should stay out of e-commerce to let it develop, in good part to advance domestic and global economic interests. Most government leaders and private economists in fact attribute a significant part of the success of the booming US economy to a deregulation policy.

Accordingly, it was not a surprise two months ago when the Federal Trade Commission announced that it would not adopt rules to regulate e-commerce, except to protect children. It went on to recommend that Congress do the same. Relying on its own investigations and a recent Georgetown University study, the FTC opined that self-regulation efforts concerning privacy protection were showing impressive results: an alleged fivefold increase in one year in the number of online businesses that disclose privacy policies.

Another reason for the FTC’s reluctance to interfere with e-commerce is because they see it as an information medium that implicates strongly held constitutional freedoms, like free speech. But their reticence is also pragmatic: they do not know where to begin, much less whether they can play a meaningful role if they try. As the Chairman of the FTC recently told Congress, e-commerce is changing so rapidly that the law cannot keep up with it.

An exhaustive treatment of the law of cyberspace in the May issue of the Harvard Law Review suggests patience about how things will turn out in e-commerce. It points out that the Internet has evolved in a very democratic, orderly and egalitarian way, largely at the hands of private individuals and "nonhierarchical communities." The article stresses that in the seeming anomie of the Internet, social norms have "emerge[d] to create order in the absence of official rules."

Whether enforceable privacy norms will soon emerge in e-commerce remains to be seen. The United States Congress is currently debating a bill that shows it wants statutory norms, albeit modest ones when compared to data protection laws in Europe.

The bill, HR 10, will impose for the first time privacy disclosure and marketing opt-out requirements on financial institutions. But instead of prohibiting businesses from sharing information about customers, HR 10 gives the right to prohibit to the customers themselves to exercise when they want via an opt-out on a case-by-case basis. It is a typically American approach: giving citizens tools to govern their own affairs in the economic marketplace.

Accordingly, as long as financial institutions tell consumers what they will do with the information they compile and provide an opt-out, HR 10 will allow them to gather almost any information they want, create individual spending profiles, data mine to solicit new sales, and share lists with third parties. The trading in medical records, however, will be subject to significant restrictions.

Let me use the word "trade" to segue into the negotiations that are in progress between the US Department of Commerce – the DoC – and the European Commission involving the Directive on Data Protection, the so-called "Safe Harbor" discussions. Their origin is a fear that the EC will decide that the US does not meet the "adequacy" standards of the Directive and accordingly might foreclose major channels of trans-Atlantic trade, including e-commerce.

The Safe Harbor negotiations will tell us much about whether governments will be able to tackle more vexing problems like e-commerce on a global scale.

Because the US Congress is unlikely to pass a law to resolve the "adequacy" issue, the goal of the DoC is to negotiate approval of principles that US data importers can agree to for the privilege of processing information covered by the Directive. Keep in mind that the data exporter in the EU is fully bound by the Directive and will incur sanctions for violations, whether they happen in the EU or the US.

The most recent draft of the Safe Harbor principles requires data importers in one of several ways to acknowledge a duty to honor the Directive, either by:

  1. joining an industry group that binds members to it,
  2. filing a notice with the Department of Commerce promising the same, or
  3. including the Directive’s requirements in its contract with the exporter.

Regulated companies like banks would also be covered to the extent their regulator enforces privacy laws that mirror the Directive. Let me briefly discuss each one.

The first option – joining an industry group – probably will not be adopted by many data importers, because US companies generally are reluctant to give private bodies the power to monitor and enforce their compliance with a law. The Better Business Bureau in the US is often cited as an example of an industry group that does this successfully. Not so. The BBB’s role is mostly to mediate disputes, not decide them or enforce the law. And at best, it probably handles less than one one-hundredth of one percent of all business-to-business disputes in the US.

Whether the second option, filing a compliance promise with the DoC, will suit data importers better is an open question. While filing might enable trans-Atlantic data processing to begin, it almost certainly will not help the data exporter in Europe if and when accusations of non-compliance with the Directive erupt in the media. It almost doesn’t matter who makes the accusations – regulators or private parties – because the damage can be immediate once the media gets involved, as Citibank learned to its regret in 1995.

A more recent example of this took place three months ago in Minnesota, when its Attorney General sued a large US bank for illegal use of customer information. Within days, the lawsuit was widely reported throughout the US. Media coverage became so intense that the bank quickly caved in, conceding virtually every remedy the Attorney General requested, including paying millions of dollars in damages. Interestingly, had the bank fought the case, it probably would have won. But the pressure from the media proved too risky to its brand and goodwill.

Coca Cola’s recent troubles in Europe also illustrate the point. Once the media gets involved, it makes no difference if the company under attack has a government advocate in the US. The only practical way for the company to deal with its problem is to fix it with the resources it has where it is occurring -- and immediately.

When US companies run into similar experiences in Europe involving data protection accusations – and undoubtedly they will – the Data Exporter is not going to be able to wait until the Data Importer visits the DoC or a bank regulator in Washington to ask for assistance, whatever that might be. As such, it would be naïve for a besieged data exporter to expect the DoC to act quickly enough to make a difference.

The same will also prove true in the case of private legal actions by consumer protection organizations of the type that are active in Germany and the UK. Reportedly, many of them are anxious to test the Directive once the Safe Harbor negotiations conclude. Their right to enforce the Directive suggests that the harbor the DoC is trying to construct will only nominally be safe.

My experience with various EU data protection officials convinces me that the most prudent route for a US company facing "adequacy" risks is to follow the third option I mentioned, the contract option set forth in the Directive. As it is, smart global companies never transfer a valuable asset like customer information to a third party, especially in distant lands, without a contract. So why not draft it to spell out exactly how the parties also will honor the Directive?

Fortunately, there are several models to guide companies that wish to do so. I have been involved since 1996 in an EU-US cooperative effort moderated by the American Institute for Contemporary German Studies at Johns Hopkins University to refashion the Citibank agreement into a generic model for companies that plan to export large amounts of consumer information to the US. Our most recent draft has received favorable comments from data protection leaders in the EU and the US. I believe it will prove to be the safest harbor of all.

Unfortunately, no company so far has adopted it. I am told that many business organizations want to hold off a commitment on the contract approach to see if the Safe Harbor negotiations will lead to a better way. I suspect that some of them hope the DoC will be able to persuade the EC to dilute parts of the Directive. Others perhaps would like to see a stalemate – in effect, continuing negotiations and suspension of enforcement of the Directive for years.

My best guess is that if the Safe Harbor negotiations produce anything, they will pretty much reflect the Directive. There will be no dilution of it. The only tangible change might come from the role the final agreement allocates to the DoC. Ironically, it is a change that could haunt the companies that lobbied the DoC to get involved in the first place. It is entirely possible that the agreement over time will turn the DoC into the primary regulator of privacy in the US.

Some players on both sides of the Atlantic, including those with input to the Safe Harbor negotiations, envision that role going to the Federal Trade Commission, but I think they are mistaken. I believe it is highly unlikely that the FTC will ever spend its scarce budget dollars to protect Europeans, especially because it spends almost nothing to protect Americans’ privacy.

Well, I think I have covered a bit of ground presenting various US perspectives on the regulation or non-regulation of privacy in e-commerce. If I have confused you, it is probably because I am very confused myself about America’s view on privacy. Just when I think it is going to go in one direction, it moves elsewhere.

But one thing is certain: the Directive on Data Protection has had an enormous influence on the privacy debate in the US. In my memory, I do not recall any law from outside the US on any topic that ever had such an astonishing impact. Most Americans have read about the Directive and are curious about how it can set the way for us in the future. They know the Directive represents the deeply considered judgment of great democracies about one of the most important issues of our time: the right of responsible governments to prevent the misuse of information about their citizens. In time I believe America will follow your lead.

So let me end by saluting Europe for astutely reminding the world that privacy must never be relegated to an inferior status in this great information age.

Thank you.


Last modified: 04.10.99
