If you live in the European Union and use e-mail to communicate with anyone in the United States - or most other parts of the world - you'd better watch out. Absurd as it seems, you may soon be breaking EU law.
That's one of the unintended consequences of an impending EU law that aims to safeguard the privacy rights of European citizens by setting common rules for the export and use of many kinds of personal data. This is defined as "any information relating to an identified or identifiable natural person." Strictly applied, the law would cover every kind of personal information in electronic or written form. The directive comes into force Oct. 25. As the deadline approaches, coping with its far-reaching but often unclear requirements is creating headaches for companies operating in Europe. It's also threatening a trade conflict with the U.S.
Much more is at issue than EU red tape. The data protection directive has sharp teeth. As well as providing for fines on offenders, it authorizes the severance of information flows to non-EU countries found not to have "adequate" data protection arrangements. If exercised, those powers could play havoc with global trade flows by cutting off companies' international communications networks.
Brussels has not defined "adequacy" precisely, or the criteria for judging it. But it says it has so far identified only about 10 countries likely to qualify. They do not include the United States, where government and businesses have been angered by what they see as an EU attempt to foist its laws on them. White House officials say the United States may challenge the legislation in the World Trade Organization. Some members of Congress are talking of passing a "blocking statute," which would prohibit U.S. companies from complying with the EU rules.
Brussels and Washington have launched urgent consultations to avert open confrontation. But while the talks have lowered the political temperature, no settlement is yet in sight.
Ironically, when EU ministers approved the directive in 1995, it was heralded as a trade-liberalizing move. It aimed to underpin the single market by reducing discrepancies between national privacy rules, far stricter in northern EU countries than in southern ones. The result was a flawed compromise. It's not even clear that it will remove all national restrictions on data flows inside the EU. Critics condemn the law as overkill.
When it was first drafted in 1990, data communications were primitive and took place mainly between big mainframe computers. The law failed to anticipate the explosion of global communications caused by the spread of personal computers and the Internet. Critics say that because the law technically covers all such traffic, it is unenforceable.
Just how it will be applied is unclear. Many EU members have yet to implement the directive in national legislation, and their data registrars and the European Commission are still trying to agree on a common approach.
But some observers say their efforts so far have created as much confusion as clarification. Some estimates put the cost of compliance to EU business as high as $3 billion. Companies complain that uncertainty about the directive's impact is at least as big a concern. They are particularly worried about its effect on operations that depend on transatlantic data communications.
"We find the possibility of there being no U.S.-EU agreement by Oct. 25 absolutely terrifying," says Colin Fricker, head of legal affairs at the British Direct Marketing Association. "If the EU insists on applying territorial solutions to cyberspace, it will kill electronic commerce."
Defenders of the law dismiss such complaints as alarmism and insist the new system will be implemented responsibly. They also claim it is less draconian than sometimes painted.
The rules will be waived for three years for existing data exports from the EU, or if individuals concerned have given their consent. There are also exemptions for exports of personal data needed for contracts between companies and employees, to defend legal claims and to protect citizens' vital interests.
But many businesses say the loopholes are too limited, or impractical.
Lawyers say the directive is also open to divergent legal interpretations - all the more so because it will be administered by 15 independent national data regulators.
"The system is unwieldy and unworkably bureaucratic," says Christopher Millard of Clifford Chance, a London law firm, who is advising large companies on the implications of the directive.
Even if national regulators act pragmatically, they face pressure from privacy rights groups to crack the whip. One, Privacy International, says it will monitor large companies' compliance closely and bring test cases against offenders.
Scott Blackmer, of Wilmer, Cutler and Pickering, a Washington law firm, thinks individuals whose data rights have been abused may even be able to use the EU directive to bring class action cases in U.S. courts on behalf of fellow "victims."
Such possibilities increase the pressure on Brussels and Washington to settle their differences quickly. The EU denies that it's bent on confrontation or that it's demanding that the United States copy its own legislation. It says it is ready to accept a system based on voluntary self-regulation, as the United States proposes, provided it is effective.
The United States long remained unmoved by such arguments, insisting its existing data protection arrangements are adequate. But the mood is changing in the United States. A sea change in its political climate has transformed the terms of the debate and forced the United States to re-evaluate its approach to data protection.
A recent Federal Trade Commission report found that many Web site operators had failed to respect the privacy of users, particularly children, in the collection and use of personal data. It said industry self-regulation had "fallen far short of what is needed."
The Clinton administration has told business it must quickly restore public confidence or risk heavy-handed and costly legislative intervention by Congress. Many large companies are scrambling to form industry alliances to strengthen self-regulation and promote better Web-site security.
Some companies accept that better data protection is good business. "In nine months' time, companies which do not have explicit privacy programs and effective verification by third parties will have a hard time in the market," says Bill Archey, head of the American Electronics Association.
These events may have punctured U.S. complacency and enhanced the EU's sense of moral superiority, but they don't seem to have brought any closer practical solutions to the problems threatened by the EU directive.
Many U.S. industry privacy alliances say it will take time to develop stronger data protection. Their members are divided over how to police and enforce voluntary self-regulation. The EU is expected to look very closely at such issues when assessing whether self-regulation satisfies its directive.
Nor would U.S. legislation necessarily make a transatlantic settlement easier. There are about 90 data privacy bills in Congress, mainly intended to protect children and medical records. But Congress isn't expected to act before next year, and there's no guarantee that any of the measures it passes will satisfy the EU.
There is also uncertainty about how any new U.S. laws would be administered. Widespread distaste for cumbersome regulatory bureaucracies has engendered opposition to creating a powerful U.S. data "czar."
Senior U.S. and EU officials insist, nonetheless, that they can broker a mutually acceptable compromise, probably involving a variety of measures. Possible components include a system of voluntary "model contracts" between companies, policing by the Federal Trade Commission and some U.S. legislation.
But EU and U.S. officials say they're still unsure exactly what an eventual package will contain. Less than four months before the directive is due to take effect, both sides must also contend with powerful political pressures at home, which could easily turn their dialogue into brinkmanship.
Partly to keep pressure on the United States, European Commission officials are refusing to rule out the possibility that some transatlantic data flows could be cut off after Oct. 25. Some observers fear the EU may find such action hard to avoid.
"The Europeans are in a delicate position," says one. "They may feel they have to bring some exemplary cases early on, or U.S. business will just ignore the directive. But if they start seriously disrupting transatlantic data flows, they risk provoking a U.S. reaction that could unleash a trade war."