December 2, 1998 Web posted at: 2:40 PM EST by Scott Bradner, Network World Fusion columnist

From...

(IDG) -- Regular readers of this column know my general level of distrust of the U.S. government's willingness to protect individual privacy in the face of some U.S. businesses' desire to know everything about you and to sell that information to anyone with enough cash.

I've commented on the fundamental differences between the European and American approaches to privacy protection. The Europeans feel that the violation of privacy protection regulations should be made a crime. The U.S. government claims that such laws offer false comfort, so there should not be any laws to compel protection.

Instead, the U.S. maintains we should trust that the companies in the data business will agree to protect your private information when threatened with no penalty other than bad publicity if they are caught lying.

MORE COMPUTING INTELLIGENCE
	IDG.net home page
Network World Fusion home page
Free registration required to access Network World
Free Network World Fusion newsletters
Get Media Grok and The Industry Standard Intelligencer delivered for free
Reviews & in-depth info at IDG.net
		IDG.net's bridges & routers page
		IDG.net's hubs & switches page
		IDG.net's network operating systems page
		IDG.net's network management software page
IDG.net's personal news page
Questions about computers? Let IDG.net's editors help you
Search IDG.net in 12 languages
Subscribe to IDG.net's free daily newsletter for network experts
News Radio
	Fusion audio primers
	Computerworld Minute

We have now reached another turning point in the privacy saga. On Oct. 25, the European Union's Directive on Data Protection became effective. This directive requires that the member states of the European Union must pass specific legislation to protect the privacy of information about individuals and to prohibit the transfer of data that can identify an individual to other countries that do not provide an "adequate" level of data protection.

If the laws that are being adopted to comply with the directive were to be strictly enforced, no U.S.-based business or individual would be able to import data, such as personnel files or credit card transaction logs, from Europe.

The U.S. government is currently trying to deal with this issue. Because the government is unwilling to pass laws to protect personal information, it is trying to get the Europeans to agree to a "safe harbor" for U.S. companies that want to import European data. The U.S. proposal is to publish a list of companies that agree to abide by certain privacy protection principles.

There are many things wrong with the U.S. government's idea, not the least of which is that no credible penalty is proposed for companies that agree to the principles and then proceed to ignore them.

The principles are good ones, but they are expressed in generalities. It is easy to see many ways that a company could evade the privacy restrictions.

This proposal reminds me of an internal Boston Globe headline that was accidentally printed during the Carter administration. This proposal is "more mush from the wimp," the headline read. The U.S. government is being a wimp in the whole area of privacy. It is using excuse after excuse to avoid confronting the fact that for far too many U.S. businesses, personal information about you is just another commodity to sell to all, not just the highest bidders.

If there was serious concern about the privacy of individuals, a proposal of this type would have called for clear, unambiguous laws that would make the unauthorized disclosure of private data a felony. Without such laws, this is mush.

Disclaimer: A boathouse on the Charles River is Harvard's closest approximation to a harbor, so the above is my mush.

Bradner is a consultant with Harvard University's University Information Systems. He can be reached at sob@ harvard.edu