Gerard De Graaf is the odd man in.
He was perhaps the only speaker at last week's Cyberspace and the American Dream conference to argue that laws protecting adult Internet consumers might not be a bad thing.
And as First Secretary of the European Commission's delegation to the United States, he is pressing that point home in fragile negotiations with Washington.
The talks center around the European Directive on Data Protection, which forbids companies from transferring personal consumer data to countries that don't share the region's privacy regulations. The US fears the rules could wreak havoc with American Internet portals, airlines, and other data-dependent firms.
The parties are locked in a series of stalled negotiations over privacy. If those talks fail, a trade war may result.
The tall blond Netherlander hopes we can avoid that future. In an interview with Wired News, De Graaf addressed the thorny philosophical differences between Europe and the US, and whether or not laws really stymie e-commerce.
Wired News: A recurring theme running through the Aspen Summit was reducing government's regulation of the Internet. As you outlined at Monday's panel, Europe turns to regulation to prevent -- rather than react to -- the dangers of the information age, most notably privacy invasion. Given that viewpoint, did you feel out of place at this conference?
Gerard De Graaf: I was invited to give the European perspective. I think they wanted this different view as a contrast to what's happening and what's being discussed in the United States. Did I feel out of place? Maybe a little bit, but I think if you leave the ideology to one side, objectively many people will actually recognize that the European approach is not that silly. And actually many people came to me during the conference to say that they agreed with many of the policies that we were pursuing.
I think what we're doing is quite relevant to the debate in the United States. It's less ideological. And in terms of policy making I think we're certainly well-advanced in the European Union. And maybe there's some lessons to be learned here in the United States.
WN: What is the EU Data Protection Directive, and what is the regulatory philosophy behind it?
De Graaf: When we started this -- we made the proposal in 1990 and it was adopted in 1995 as a directive, which is a legal measure in the European Union -- the idea was to enhance data privacy protection in the European Union. Also to make free flow of information possible, because we had some data blockages in the European Union --which of course are inconsistent with our single market philosophy.
WN: Thanks to things like the directive, do European consumers trust they'll be adequately protected when it comes to issues like electronic privacy, fraud, and information security? And would Europeans feel equally safe in the United States?
De Graaf: I do think European consumers trust that they are better protected in the European Union than they are in the United States. I do even think that, looking at policy in the United States, Americans feel that they're probably better protected in Europe than they are in the United States at present -- even with self-regulation and industry progress.
WN: You said at the conference that self regulation and government regulation ultimately look very similar in their end form. If the rules they set up look the same, are they equally effective?
De Graaf: One of the issues that is of course still outstanding -- and that we are putting enormous emphasis on -- is enforcement. That's the key difference between legislation and self-regulation, and that's why we're spending a lot of time on it. The difference here is that enforcement will be entirely on the shoulders of the industry, while in Europe the enforcement is done, of course, by data privacy commissioners.
But for regulation and self-regulation to be effective -- it's not a surprise -- it very often looks very similar to what regulation would have said. I don't think we should be fooling ourselves into thinking that they are two different animals. Because at least in privacy they're not.
WN: Do you see over-regulation holding back electronic commerce in Europe? In the United States?
De Graaf: No. Far from it, actually. Legal measures that we have put forward are removing obstacles and generating trust. And I would challenge anybody in the United States industry or otherwise to point to over-regulation in electronic commerce in Europe. I think they won't find any, and if you talk to industry representatives they would actually say that Europe has got many of the right answers.
WN: Some charge that the Data Directive has its ridiculous extremes, making some routine activities illegal. For example, in Sweden, Palm Pilots would be illegal because they contain names and addresses of people who haven't granted permission to store them there. How do you respond to the charge that the directive goes too far?
De Graaf: This was the laptop example -- that there would privacy police at airports intercepting people, stopping them, kind of crossing borders. It's extreme and it's rather ridiculous these examples like PalmPilots. If you think about it -- what kind of data could be on those PalmPilots, or think about data that could be on laptops. I mean it could be data about, say, people from a certain ethnic group that are going to be targeted by hate mail or these kind of things. That changes the situation.
If you talk about a businessman carrying a laptop across a border, of course that's not an issue and nobody will stop that businessman from doing so. But if these data are ultra-sensitive and could be used for serious abuse, then that, I think, changes the whole discussion.
WN: An Italian adult porn site site revealed the names, addresses, emails, and credit card numbers of nearly 1,000 of its members via the Internet. Several databases containing confidential user information could be easily accessed by anyone with a Web browser.
As a member of the European Union, the directive applies to Italy. Article 17 of the directive compels companies to secure the personal data of their customers, though specific enforcement measures are left to the discretion of each member nation.
What does this incident say about the effectiveness of the Data Directive? Is it a sign that such regulation can't really work?
De Graaf: I haven't seen that story, but I find it quite interesting. Of course, what they're doing is wholly illegal, if it's correct. Our directive doesn't allow any data controller, as we call them, to reveal or release information in this particular way. If this has happened, then it's up to the member state to intervene -- the Italian Data Protection Authority should intervene. If the Italian Data Protection Authority fails to intervene, then there's always the possibility for the European Commission to take action against the Italian government for failure to implement the directive.
Looking at it in prima facie, again I think that it's not just our directive that would be infringed. I think there are a number of other legal measures, laws, that would be infringed by the particular behavior of this Italian adult site.
