The Trans-Atlantic Data Privacy DisputePublished: March 12, 2003 in Knowledge@Wharton
Few issues have fueled more transatlantic distrust than the ongoing dispute between the European Union and the United States about data privacy. Wharton management professor Stephen J. Kobrin probes the often overlooked roots of the controversy in his report, “The Trans-Atlantic Data Privacy Dispute, Territorial Jurisdiction and Global Governance.”
The issue began to heat up in 1998 when the European Commission’s Directive on Data Protection went into effect. The Directive is an attempt to protect the data privacy of Europeans regardless of where their personal data is transferred and processed. But to be effective, Kobrin notes, the Directive needed a “transnational footprint”: It had to apply both inside Europe and beyond Europe’s borders. The result was Article 25, which prohibits the transfer of personally identifiable data from Europe to any third country -- including the United States -- that does not provide “adequate” protection, as defined by the European Commission.
Because the American approach to data protection is so fundamentally different from the European approach, it soon became clear that companies in Europe could be forced by Article 25 to cut off the flow of European personal data to their branches, affiliates or business partners in the United States. (In theory, this would include U.S. companies based in Europe.) However, both sides recognized that cutting off transatlantic data flows would have “catastrophic impacts,” Kobrin notes in his paper, so the U.S. and the European Commission developed a compromise solution, known as the “Safe Harbor” program.
Unfortunately, Safe Harbor, which the European Commission approved in 2000, “does not appear to be a success,” Kobrin writes. As of last October, only 254 companies had enrolled in Safe Harbor, and only a few of them were major multinationals. Why so few? “American companies see no consequences for not signing up,” Kobrin explains. As his report makes clear, “Safe Harbor is neither a treaty nor an international agreement but rather two unilateral actions” -- principles issued by the U.S., and an Article by the European Commission accepting them. That makes Safe Harbor an entirely voluntary program for U.S. companies.
More fundamentally, Safe Harbor is a compromise that satisfies neither Americans nor Europeans. As Kobrin writes, “Both Europeans and Americans find themselves subject to data protection regimes that are not of their making and to which they resist complying." He warns that it is still “not impossible” that data flows between the U.S. and Europe will one day be constrained -- if not entirely cut off. “If this issue festers, you could see a constraint in data flows.”
The Transatlantic Cultural Rift
Why has the data privacy issue resisted Safe Harbor and other efforts at a compromise solution? Finding an answer to that question was a fundamental goal of Kobrin’s research, which looked into a range of documents and reports about data privacy. Even Kobrin, who has done extensive research into issues of privacy and global governance, was surprised to learn that the roots of the rift between Europe and the United States involve profound cultural contrasts. The two sides are divided not by tactical or strategic considerations but by fundamental differences about the role of government and the meaning of privacy. “It is not just a difference in law,” says Kobrin, “It is also a difference in values. For me, two areas of personal interest -- privacy and global governance -- came together in studying this issue.”
If Europe and the United States are to find common ground on data privacy, these deep-seated value differences will “have to be reconciled,” says Kobrin. In his report, he clarifies the origins of these differences by noting that “data privacy is never considered in a vacuum, but rather in a specific social, political, economic, cultural and historical context …There is considerable cross-border variation in data privacy norms, whether information privacy is considered a basic human right or a property right, for example. These norms, in turn, affect what fair information principles actually mean in practice.”
Kobrin’s report spells out the “very different data privacy norms” that exist in the United States and Europe. In the United States, for example, “rights are generally … seen as rights against the government. Thus, the U.S. approach to data privacy reflects a basic distrust of government.” Markets and self-regulation, not law, shape information privacy. Laws are “reactive and issue-specific” and protection tends to be “tort-based” and “market-oriented,” not political. Privacy is “an alienable commodity subject to the market.”
In contrast, the European approach to privacy “puts the burden of protection on society rather than the individual.” Privacy is considered to be inalienable and a “fundamental human right,” as Kobrin’s paper notes. The result of this approach is the creation of “explicit statutes accompanied by regulatory agencies to oversee [their] enforcement.”
What’s at stake in Europe are the “rights of citizens” or “data subjects,” not the rights of consumers or business customers. Another way to view the contrast: In the U.S., privacy is “a right that inheres in the individual” -- and can be traded for some benefit, Kobrin writes. For example, many customers gladly give away personal data in return for product discounts, customized services, etc. In Europe, however, privacy protection “is an obligation of the state towards its citizens,” to quote the words of David L. Aaron, the Under Secretary of Commerce for International Trade who negotiated the Safe Harbor agreement on behalf of the United States. Because of the European mindset outlined in Kobrin’s report, Europeans resist the American notion that privacy can be bargained away in return for a benefit.
Understanding the divergence in cultural values makes it easier to comprehend the failure of Safe Harbor, which was supposed to accommodate both sides without addressing the gap in cultural norms. As Kobrin says, “Safe Harbor is a poor compromise; an attempt to meet the European Union’s requirement of “adequate” data protection without shifting away form American reliance on the market and self-regulation.”
While headlines about data privacy often focus on the individually identifiable electronic data that marketers collect online from Internet users, Kobrin takes a much broader approach to the issue. “It’s not just about e-commerce, it’s about [an] age when everything we do is recorded digitally.” It is an issue that affects every integrated multinational company as well as every individual who crosses borders to buy and/or sell -- leaving data to be transferred in his or her wake.
As Kobrin emphasizes, every company that does business abroad must transfer vast amounts of name-linked data across borders; not only data about its customers but data such as personnel records, medical histories, credit-card payments, etc. “Every time you use an ATM in Europe,” he says, “you access a database” that extends across borders, and challenges traditional notions of territoriality.
Privacy and Security: A New Convergence
Although the data privacy issue was placed on most back burners after the September 11, 2001 terrorist attacks, the gulf that separates the issue of data privacy from the security issue seems to be narrowing, as investigators in the global war against terrorism collect more and more personal data across national borders. In mid-February, for example, the privacy of personal data that European airlines collect about their passengers became an issue in the American campaign against terrorism. Until a last-minute agreement was hammered out in late February, European airlines faced the prospect of heavy fines from the U.S. government if they failed to comply with data collection requirements of Washington’s anti-terrorist efforts. The United States was demanding access to personal information on the reservation records of all transatlantic carriers, including European carriers whose data privacy rules reflect a very different set of values. Predictably, the European Commission contended that divulging personal data about airline passengers to the United States would be a violation of European Union data privacy rules.
Under the terms of the compromise agreement, the EU agreed that data about passengers could be provided. However, Kobrin calls this an “expedient agreement” that is “not really cooperative.” He notes that passengers on European airlines will still have to agree to have their data provided to U.S. authorities, and “they can still be subject to lengthy delays” if the data is not provided. More fundamentally, Kobrin argues, “you can’t deal with this issue on a case-by-case basis.”
The psychological impact of 9-11 may have hardened the U.S. approach, says Kobrin. “There is [always] a trade off between the right to privacy versus the need to fight terror. [However,] after 9-11, many Americans seem willing to give up more of their privacy in return for greater security.”
Towards a Cultural Accommodation
How can executives prepare for the possibility that data flows will one day be constrained, if not cut off? According to Kobrin, executives at integrated multinational companies should realize that “there is some risk that the flow of personal data can be interrupted, unless we reach an agreement.” As a result, “I would want someone in my company to study this issue. And I would want to put pressure on the European Union and the U.S. government and the OECD to work out a cooperative agreement.”
Kobrin argues that “we need a multilateral, collective approach to deal with the data privacy problem. Governments must sit down with the private sector and civil society groups, and work out a system that includes some minimal set of rules and principles acceptable to both sides. We have to arrive at some common ground.” Building awareness of the fundamental differences in values that separate the two sides, he adds, is a critical part of the process.