News

USIS Washington 
File

04 December 1998

TEXT: FTC COMMISSIONER THOMPSON ON DATA PROTECTION DEC. 3

(Remarks before EU Committee of AMCHAM in Brussels) (2040)



Brussels -- "Consumers have a right to expect that industry and
government find new and better ways to make the Internet a safe and
hospitable place, inspire consumer confidence, and preserve the
innovative energy of this exciting medium," said Commissioner Mozelle
W. Thompson of the Federal Trade Commission (FTC) in an address
December 3 to the European Union Committee of the American Chamber of
Commerce (AMCHAM).


Thompson described how the United States and the European Union have
taken different approaches to the issue of protecting private data in
cyberspace. The United States, he said, has relied mainly on
self-regulation by the industry and "targeted sectoral legislation,"
while the EU has relied mainly on legislative controls.


Despite this variation in approach, Thompson said, the U.S. and the EU
still have much in common on the issue. "If there is a substantial
difference, it comes in our method of arriving at many of the same
conclusions. While the EU has taken a 'top-down' approach through
legislation, the U.S. has opted (at least to date) for a 'bottom-up'
attempt to allow industry to develop its own rules, so long as they
provide meaningful, effective protection for consumers."


The correct answer, he said, "is somewhere in the middle, where we
develop practical solutions that reflect the legal framework and
customs of particular countries, but can also accommodate the needs of
different industries and ultimately accomplish the goal of protecting
consumers' privacy."


Finally, Thompson stated, "While government agencies like ours stand
as willing partners to industry in this challenge, we also stand
willing to undertake this responsibility directly should public
accountability demand it."


But he added, "I remain hopeful that this step will not be necessary."


Following is the text of Thompson's remarks:



(Note: In the following text, "billion" equals 1,000 million.)



(Begin text)



Remarks of FTC Commissioner Mozelle W. Thompson

Before the EU Committee of AMCHAM



"Solutions for Data Protection and Global Trade"

Brussels

December 3, 1998



I. Introduction



Thank you for inviting me to join you at this important conference. I
met with some members of the EU Committee of AMCHAM in August, prior
to the implementation of (the) EU Directive on the Protection of
Personal Data. At that time, I warned that these issues would get very
serious very quickly. I'm not sure if I am pleased about being proven
right.


This conference comes as the United States, the European Union, the
business community, and consumer groups are all grappling for a
solution to allow cross-border commerce to continue unimpeded. Today I
will try to give my view of where we stand right now, and to the
extent that I speculate about future action, I hope you'll realize
that my views are my own and do not necessarily represent an official
U.S. Government position. Nor do I necessarily represent the views of
the Federal Trade Commission or any individual Commissioners.


II.  U.S. Position on Data Protection



In October, the EU Directive on data protection became operational,
essentially instructing EU member states to enact horizontal laws to
provide citizens with data protection for their personal identifying
information.


By contrast, the U.S. has taken a different approach to data
protection in cyberspace. It has relied on broad self-regulation and
targeted sectoral legislation to provide consumers with data privacy
protection. The U.S. approach has been based on a belief that
self-regulation can provide (1) greater flexibility to meet new
technology, and (2) the ability to target privacy remedies to specific
needs. But, to accomplish the goal of achieving effective data privacy
protection for consumers, one must recognize that substantial
cooperation is required.


Back in August, I predicted that the EU, the U.S., and the business
and consumer communities would have to work hard and cooperatively to
find some pragmatic means of reconciling these conflicting approaches
to online privacy protection. I am happy to say that since then, all
of these groups have been and still are working hard to find
appropriate and effective solutions.


But, most of you know that the imposition of the EU Directive on Data
Protection in October has also caused much uncertainty in the
international business community, principally because of the unclear
impact of the "adequacy" standard on personal data transfers from the
EU countries to the United States. In an effort to find ways to bridge
differences in our approaches, the U.S. Government, through the U.S.
Department of Commerce, and Directorate General XV of the European
Community have been engaged in a dialogue on privacy for several
months. In fact, Director General Mogg is in Washington as we speak,
conferring with our Commerce Department.


Many continue to believe that, notwithstanding differences in
approach, there is a great deal of overlap between U.S. and EU views
on privacy. Given that, U.S. officials and the European Community have
discussed creating a safe harbor for U.S. companies that choose
voluntarily to adhere to certain privacy principles.


III. The Safe Harbor Proposal



It is presently envisioned that organizations qualifying for the safe
harbor would have a presumption of adequacy, and data transfers from
the EU countries to them would continue. Organizations could come
within the safe harbor by self-certifying that they adhere to these
privacy principles. While the specific terms of the safe harbor
arrangement are still under discussion with the European Community,
the U.S. believes that it provides a framework for compromise because
it would be deemed acceptable by all member States and would provide
for streamlined and expedited transfer approvals and dispute
resolution.


The elements of the proposed safe harbor should be familiar to you
all. Many of them were enunciated in the FTC's June Online Privacy
Report to Congress, namely: notice, choice, access, security and
enforcement, as elements that the Commission has recommended for
adoption in U.S. domestic policy, although the scope of the
requirements vary. As I mentioned before, Director General Mogg is in
the United States working with our Commerce Department on the
proposal, and the U.S. Government is currently vetting the draft safe
harbor provisions. I understand many comments have come in from all
sides -- consumers, academics, and business -- and that some of the
comments have been very substantial. It is difficult to say at this
time how the comments will affect a final U.S. position.


I think it is important to note, however, that although the language
set forth in the safe harbor is designed to facilitate bilateral
understanding between the U.S. and the EU, it is not intended to
govern U.S. domestic privacy policy, which is being addressed by other
efforts. This is where the role of the Federal Trade Commission really
comes to the forefront.


In June of this year, the FTC issued a report on Internet privacy
which showed that industry's progress toward self-regulation was
practically non-existent. The following month, the entire Commission
testified before the U.S. House of Representatives and indicated that
if substantial progress were not made soon, additional governmental
authority through legislation would be appropriate and necessary.


Since then, some progress has been made on a number of related fronts:
First, Congress passed the children's online privacy bill in a form
substantially similar to the Commission's recommendation. Second, the
IRSG self-regulatory principles that were adopted by look-up services
and credit bureaus will go into effect at the end of this month.
Third, industry has created self-regulatory bodies like TRUSTe and BBB
Online in efforts to protect consumers' personal information online.


But it's hard to measure the quality of the progress of TRUSTe, BBB
Online, and other self-regulatory initiatives to protect privacy
online. I will not pre-judge any of these efforts right now because we
soon will be receiving briefings from business leaders and will then
start a formal assessment. But, I do want to point out some problem
areas that I have previously discussed and continue to hope will be
addressed.


Coverage



First, industry is apparently in the process of undertaking several
creative initiatives to reach small- and medium-sized businesses and
encourage them to participate in self-regulatory schemes. While I
applaud these efforts and industry leaders' acknowledgment of the need
for outreach, I have not yet heard what the results of these
initiatives have been. In other words, are small- and medium-sized
businesses seeing the same value in the self-regulatory approaches and
adopting adequate safeguards voluntarily?


Enforcement



Second, it also is not clear to me what kind of enforcement programs
self- regulatory models contemplate. Do they involve an independent
auditor or other means that effectively address non-compliance by
member organizations? And, do they also provide consumers with
meaningful rights and remedies?


Public Records



Finally, it is impossible to ignore that there are real differences in
the treatment of publicly available information in America versus
Europe -- and we all know that public record information is much more
widely available in the U.S. Under these circumstances, it is not
clear how public record information will be protected under
self-regulatory proposals. While access to this information is
sometimes socially beneficial, it may take on a different character
when "information brokers" bundle it, combine it with non-public
information, and make it available for sale on the Web.


At present, it is difficult to say what progress industry has made in
addressing these concerns. So, we will have to wait just a bit longer
and see whether what is actually delivered lives up to the promise of
what we have been told.


IV.  U.S. vs. EU: Can We Bridge the Gap?



Based on these questions, you can see that the U.S. really does have
more in common with the EU than some might think. If there is a
substantial difference, it comes in our method of arriving at many of
the same conclusions. While the EU has taken a "top-down" approach
through legislation, the U.S. has opted (at least to date) for a
"bottom-up" attempt to allow industry to develop its own rules, so
long as they provide meaningful, effective protection for consumers.


So, I continue to believe the correct answer is somewhere in the
middle, where we develop practical solutions that reflect the legal
framework and customs of particular countries, but can also
accommodate the needs of different industries and ultimately
accomplish the goal of protecting consumers' privacy. This effort will
require hard work because we have frequently stated that we don't
believe in a "one-size-fits-all" privacy policy. So, where data is
most sensitive, such as medical or financial data, protections may
need to be stronger than cases where data may not be as sensitive.


V. Conclusion



I think it is common knowledge that the biggest potential market for
electronic commerce is the United States. In fact, a recent Merchants
Association survey shows e-commerce growing 200 percent annually --
$13 billion in 1998. However, 50 percent of total revenue is generated
from only ten sites, and only five percent of consumers make a
purchase. Not surprisingly, privacy and security are still the top
reasons for consumers' reluctance.


Privacy for electronic commerce is an exciting and unprecedented
opportunity for industry to take the lead in shaping public policy for
this important new medium. But, I think it is also important to
recognize that there is more at risk here, because failure to succeed
will not only have a negative effect on the future of the industry,
but also the public's confidence in industry's ability to take the
lead in solving important public policy problems.


Consumers have a right to expect that industry and government find new
and better ways to make the Internet a safe and hospitable place,
inspire consumer confidence, and preserve the innovative energy of
this exciting medium. While government agencies like ours stand as
willing partners to industry in this challenge, we also stand willing
to undertake this responsibility directly should public accountability
demand it. I remain hopeful that this step will not be necessary.


(End text)