I. Introduction
Thank you for inviting me to join you at this important conference. I met with some members of the EU Committee of AMCHAM in August, prior to the implementation of the EU Directive on the Protection of Personal Data. At that time, I warned that these issues would get very serious very quickly. I'm not sure if I am pleased about being proven right.
This conference comes as the United States, the European Union, the business community and consumer groups are all grappling for a solution to allow cross-border commerce to continue unimpeded. Today, I will try to give my view of where we stand right now, and to the extent that I speculate about future action, I hope you'll realize that my views are my own and do not necessarily represent an official U.S. Government position. Nor do I necessarily represent the views of the Federal Trade Commission or any individual Commissioners.
II. U.S. Position on Data Protection
In October, the EU Directive on data protection became operational, essentially instructing EU member states to enact horizontal laws to provide citizens with data protection for their personal identifying information.
By contrast, the U.S. has taken a different approach to data protection in cyberspace. It has relied on broad self-regulation and targeted sectoral legislation to provide consumers with data privacy protection. The U.S. approach has been based on a belief that self-regulation can provide (1) greater flexibility to meet new technology, and (2) the ability to target privacy remedies to specific needs. But, to accomplish the goal of achieving effective data privacy protection for consumers, one must recognize that substantial cooperation is required.
Back in August, I predicted that the EU, the U.S., and the business and consumer communities would have to work hard and cooperatively to find some pragmatic means of reconciling these conflicting approaches to online privacy protection. I am happy to say that since then, all of these groups have been and still are working hard to find appropriate and effective solutions.
But, most of you know that the imposition of the EU Directive on Data Protection in October has also caused much uncertainty in the international business community, principally because of the unclear impact of the "adequacy" standard on personal data transfers from the EU countries to the United States. In an effort to find ways to bridge differences in our approaches, the U.S. Government, through the U.S. Department of Commerce, and Directorate General XV of the European Community have been engaged in a dialogue on privacy for several months. In fact, Director General Mogg is in Washington as we speak conferring with our Commerce Department.
Many continue to believe that, notwithstanding differences in approach, there is a great deal of overlap between U.S. and EU views on privacy. Given that, U.S. officials and the European Community have discussed creating a safe harbor for U.S. companies that choose voluntarily to adhere to certain privacy principles.
III. The Safe Harbor Proposal
It is presently envisioned that organizations qualifying for the safe harbor would have a presumption of adequacy and data transfers from the EU countries to them would continue. Organizations could come within the safe harbor by self-certifying that they adhere to these privacy principles. While the specific terms of the safe harbor arrangement are still under discussion with the European Community, the U.S. believes that it provides a framework for compromise because it would be deemed acceptable by all member States and would provide for streamlined and expedited transfer approvals and dispute resolution.
The elements of the proposed safe harbor should be familiar to you all. Many of them were enunciated in the FTC's June Online Privacy Report to Congress, namely: notice, choice, access, security, and enforcement, as elements that the Commission has recommended for adoption in U.S. domestic policy, although the scope of the requirements varies. As I mentioned before, Director General Mogg is in the United States working with our Commerce Department on the proposal, and the U.S. Government is currently vetting the draft safe harbor provisions. I understand many comments have come in from all sides -- consumers, academics, and business -- and that some of the comments have been very substantial. It is difficult to say at this time how the comments will affect a final U.S. position.
I think it is important to note, however, that although the language set forth in the safe harbor is designed to facilitate bilateral understanding between the U.S. and the EU, it is not intended to govern U.S. domestic privacy policy, which is being addressed by other efforts. This is where the role of the Federal Trade Commission really comes to the forefront.
In June of this year, the FTC issued a report on Internet privacy which showed that industry's progress toward self-regulation was practically non-existent. The following month, the entire Commission testified before the U.S. House of Representatives and indicated that, if substantial progress were not made soon, additional governmental authority through legislation would be appropriate and necessary.
Since then, some progress has been made on a number of related fronts: First, Congress passed the children's online privacy bill in a form substantially similar to the Commission's recommendation. Second, the IRSG self-regulatory principles that were adopted by look-up services and credit bureaus will go into effect at the end of this month. Third, industry has created self-regulatory bodies like TRUSTe and BBB Online in efforts to protect consumers' personal information online.
But, it's hard to measure the quality of the progress of TRUSTe, BBB Online, and other self-regulatory initiatives to protect privacy online. I will not pre-judge any of these efforts right now because we soon will be receiving briefings from business leaders and will then start a formal assessment. But, I do want to point out some problem areas that I have previously discussed and continue to hope will be addressed.
Coverage
First, industry is apparently in the process of undertaking several creative initiatives to reach small and medium sized businesses and encourage them to participate in self-regulatory schemes. While I applaud these efforts and industry leaders' acknowledgment of the need for outreach, I have not yet heard what the results of these initiatives have been. In other words, are small and medium sized businesses seeing the same value in the self-regulatory approaches and adopting adequate safeguards voluntarily?
Enforcement
Second, it also is not clear to me what kind of enforcement programs self-regulatory models contemplate. Do they involve an independent auditor or other means that effectively address non-compliance by member organizations? And, do they also provide consumers with meaningful rights and remedies?
Public Records
Finally, it is impossible to ignore that there are real differences in the treatment of publicly available information in America versus Europe -- and we all know that public record information is much more widely available in the U.S. Under these circumstances, it is not clear how public record information will be protected under self-regulatory proposals. While access to this information is sometimes socially beneficial, it may take on a different character when "information brokers" bundle it, combine it with non-public information and make it available for sale on the Web.
At present, it is difficult to say what progress industry has made in addressing these concerns. So, we will have to wait just a bit longer and see whether what is actually delivered lives up to the promise of what we have been told.
IV. U.S. vs. EU: Can We Bridge the Gap?
Based on these questions, you can see that the U.S. really does have more in common with the EU than some might think. If there is a substantial difference, it comes in our method of arriving at many of the same conclusions. While the EU has taken a "top-down" approach through legislation, the U.S. has opted (at least to date) for a "bottom-up" attempt to allow industry to develop its own rules, so long as they provide meaningful, effective protection for consumers.
So, I continue to believe the correct answer is somewhere in the middle, where we develop practical solutions that reflect the legal framework and customs of particular countries but can also accommodate the needs of different industries and ultimately accomplish the goal of protecting consumers' privacy. This effort will require hard work because we have frequently stated that we don't believe in a "one-size-fits-all" privacy policy. So, where data is most sensitive, such as medical or financial data, protections may need to be stronger than cases where data may not be as sensitive.
V. Conclusion
I think it is common knowledge that the biggest potential market for electronic commerce is the United States. In fact, a recent Merchants Association survey shows e-commerce growing 200 percent annually -- $13 billion in 1998. However, 50 percent of total revenue is generated from only ten sites and only five percent of consumers make a purchase. Not surprisingly, privacy and security are still the top reasons for consumers' reluctance.
Privacy for electronic commerce is an exciting and unprecedented opportunity for industry to take the lead in shaping public policy for this important new medium. But, I think it is also important to recognize that there is more at risk here, because failure to succeed will not only have a negative effect on the future of the industry, but also on the public's confidence in industry's ability to take the lead in solving important public policy problems. Consumers have a right to expect that industry and government find new and better ways to make the Internet a safe and hospitable place, inspire consumer confidence, and preserve the innovative energy of this exciting medium. While government agencies like ours stand as willing partners to industry in this challenge, we also stand willing to undertake this responsibility directly should public accountability demand it. I remain hopeful that this step will not be necessary.