PLUGGED IN
Major battle brewing between Europe, US over EU rules to protect data
Nearly all Western European nations have data protection laws, which are backed by commissioners who ensure neither government nor private companies are overstepping their bounds when handling personal information.
Many businesses go further, with their own rules about respecting the privacy of customers and employees. These rules are implemented by data protection officers on the corporate payroll.
But in this country, major corporations and some lawmakers have worked for more than 20 years to prevent the passage of general privacy legislation.
With so much personal information unprotected, it's only natural for us to experience a ''privacy Pearl Harbor'' every couple years. For example, in 1988 a Washington newspaper obtained the videocassette rental records of Judge Robert Bork. Worried about their own privacy, lawmakers passed the Video Privacy Protection Act, which made it illegal for video stores to distribute this information.
As a result of that and other incidents, we now have a patchwork of state and federal privacy statutes. But most personal information remains unprotected.
In the United States today there is nothing to stop a big pharmacy chain from taking information it has on prescription medications and contracting with a direct marketer to remind customers to buy medications - a practice CVS ceased last month after it was revealed in news reports.
You can't legally prohibit newspapers or magazines from selling your name to people who want to send you junk mail. And nothing prevents your supermarket from selling a list of the groceries you rolled through the checkout line.
In this era of increasing globalization, the European and US privacy protection regimes are fundamentally in conflict. And while a battle has been brewing for years, the first shots in an all-out war between the continents on personal privacy might be just about seven months away.
On Oct. 25, the European Commission's privacy directive governing ''Transborder Flows of Personal Data'' will become law for European Union member countries. Adopted in 1995 by the EU Parliament, this directive prohibits companies in the EU from transmitting personal data to other countries that do not abide by a specified list of data protection standards. Surprisingly, the privacy directive has received little attention in the United States, but that could change soon.
The directive's scope is breathtaking. ''Personal data would include medical data, credit card records, employee records, airline reservations,'' and even invoices for mail-order products, says Deborah Hurley, director of Harvard's Information Infrastructure Project, who has studied the directive for years.
Furthermore, the directive has a number of extraterritorial provisions that apply to American businesses when their customers are in Europe. Companies that collect information on European citizens over their World Wide Web sites might be found in violation of European law, just as European companies doing business in Cuba can be found in violation of certain US laws.
Many American businesses and lawmakers throw up their hands before questions of privacy, asking, ''How can privacy coexist with free speech?'' Europeans have been thinking about these issues for more than 20 years. For the most part, they shake their heads at our ill-informed debates. Of course privacy laws restrict free speech. So do laws that govern copyright, defamation, libel, and national security. In a civilized society, both privacy and free speech are important values.
Europeans see little reason to rehash these debates. Many feel that Americans, after inventing the idea of data protection in the 1970s, have given up their right to privacy in the computer age. Europeans do not wish to follow in our footprints.
Will the Europeans actually make good on their threat and cut the flow of data or levy fines against US companies? ''This is the international privacy question at the moment,'' says Hurley.
In recent months Hurley has been asked this question again and again by the Clinton administration, regulators, and US executives. After spending years in Paris working for the Organization for Economic Cooperation and Development on issues of privacy, cryptography, and intellectual property, she is regarded as one of this country's leading authorities on how European governments view these issues.
But even Hurley doesn't know the answer. In part, that's because the Europeans haven't decided themselves.
''The Europeans are serious about it,'' says Hurley. They could start by levying fines against US firms that violate the privacy of European citizens.
''On one side of the balance is the fact that this would be to the economic disadvantage of the Europeans,'' says Hurley. ''It would clog or stop transactions that are beneficial to their economy as well. On the other side is the strongly held belief that a citizen of an EU country enjoys protection of his or her data and privacy, by law.''
One reason the Europeans shouldn't trust us is that we have no federal commission or official charged with protecting personal privacy. ''There is an international meeting of Data Protection Commissioners... every year,'' says Hurley. The group just had its 19th meeting. ''The US does not have a seat at the table.''
Many US firms might argue it's too difficult or expensive to honor individual privacy. But Hurley says these arguments ring hollow. ''IBM operates in Europe. American Express operates in Europe. American Airlines operates in Europe. In order to do that, they are already complying with European data protection laws. They know how to do it. And they are doing it.''
They just aren't doing it on this side of the Atlantic.
The complete text of the EU's privacy directive is at http://www2.echo.lu/legal/en/dataprot/directiv/directiv.html.
Technology writer Simson L. Garfinkel can be reached at plugged-in@simson.net.
This story ran on page C04 of the Boston Globe on 03/05/98.