314. "Protecting Privacy: Personal View of Amitai Etzioni," The Financial Times, (April 9, 1999), page 18.
Sweden is suing a US airline for collecting lists of passengers who ordered Kosher meals or wheelchairs. The American company is selling such information to various marketers. The lawsuit reflects the fundamentally different perspectives Europe and the United States have on privacy. This gulf is highlighted by recent demands that American companies must abide by the new EU Data Privacy Directive as of October 1998, or--the EU will block the flow of information about personal transactions (credit cards, employment records) of European citizens to the USA. Such a boycott would make work and commerce damn near impossible for numerous corporations that work on both sides of the Atlantic.
Since October 1998, the US Commerce Department has been negotiating with the EU, seeking a formula to fudge the issue. Fudging is sought because there is no way on earth--given the differences in law, culture, and politics--that the USA can truly abide by the EU Directive. In effect, in my judgement, neither can Europe.
The whole issue has arisen because given powerful computers and new software, more and more corporations keep detailed accounts of their customer's tastes, and sell and buy such information, in order to fine tune their marketing and tailor advertising to the specific preferences of specific customers. The new EU Directive imposes a very heavy burden on such usages of personal information, including which cereal we like, our taste in towels, our shoe size, not to mention bra circumferences. The Directive demands that each use of personal information be preceded by an explicit consent of the person involved; that the use will be limited to the purpose for which this consent has been given; and that any repeat use or resale will be preceded by a repeat permission. Moreover, the EU considers privacy an inalienable right, meaning that a person cannot 'contract' to give permanent or encompassing access to information about him or her self, in exchange for a fee. Agree, each time, you must. (Professor Viktor Mayer-Schoenberger, of the Harvard John F. Kennedy School of Government, refers to this dictate as a form of "EU paternalism").
Given that there are many hundred of pieces of information about each person, and given that the average piece of information is employed several dozen times--a person would have to spend great amounts of their time at their computer agreeing to or rejecting requests to utilize information about them, if the EU Directive were to be taken seriously. (The many who have no personal computers had better buy much larger mail boxes to accommodate all the written requests for consent).
One may suggest that people who have computers could program them to respond to consent requests by using categories, for instance refusing all requests on medical and financial information but granting all requests about consumption preferences. Indeed, Michael Dertouzos, the Director of the MIT Laboratory for Computer Science, reported to the World Economic Forum in Davos this year, that MIT is about to release such a program called P3P. However, the EU directive explicitly prohibits such automated responses; consent must be given in person. And Nadine Strossen, the head of the American Civil Liberties Union, expressed horrified opposition to any such programs--because they would "disclose one's privacy preferences", that is they would show if we are shy about the kind of journals to which we subscribe (left or right wing?) or undergarments we order.
When several citizens of Germany, Spain, Austria, and France were queried last week, they all indicated that they received very few request for permission to use information about them. It seems that this EU directive is one of those laws that are enacted to keep one camp happy (privacy advocates and followers) and, as a rule, are not enforced so that commerce and life can continue.
What realistic measures could be undertaken to shore up privacy? Before this matter can be addressed a rather general "philosophical" question must be answered: which principles should guide our policy? Some argue that privacy too is a matter best left to the free market. People who hold their privacy dear are free to shop only with companies that promise to well guard their privacy. Such shopping would either drive out of the market those companies that wantonly violate privacy, or it would limit their sales to those who care little about privacy. The whole issue is vastly overblown, according to the libertarian Cato Institute in Washington: So what if we receive a few more pieces of junk mail? asks Solveig Singleton its Director of Information Studies.
If one holds that some new privacy protection is needed, especially given recent unauthorized disclosure of private medical information, it need not be a whole new set of government regulations or Directives. Cyber-age privacy protection can be eclectic. It can be pieced together from several sources but not make individual consent or government regulations its mainstay. Specifically, cyber privacy would be best achieved if cobbled together from four sources.
First, while many of the new technologies weaken privacy (email is less private than snail mail; cell phones than the old kind), there are new technologies that can serve to enhance privacy. These include software that ensures anonymity on the Internet, encryption of messages and transactions, and audit trails (which determine who accessed a file and thus deter unauthorized queries).
Second, one may expand the scope of self regulation already introduced by several large corporations. For instance, a number of American corporations announced that they will refrain from collecting information about children who are 12 years old or younger without consent of their parents. Thirdly, some limited new government regulations might be called for medical privacy. So far, in the USA, no federal legislation exists that bans disclosure of information about one's abortion, cancer, or depression.
Fourthly, individual consent could have some role in such an enhanced privacy mix, but it could not be based on case by case a priori explicit personalized consent. As much as consent appeals to our conception of individual liberty--if we are not to spend our days responding to privacy queries--the delegation of such consent to some computerized or warm blooded agents is unavoidable.
There might well be still other ways to proceed but we shall not be able to find these until the illusions fostered by the new EU directive are swept away.
Amitai Etzioni's book The Limits of Privacy has just been published by Basic Books. He can be reached at firstname.lastname@example.org.