Harmonized regulation of cyber-matters could achieve better results for the US and the EU. Current clashes between US and EU rules on cyber privacy and security undermine US success in the EU. It is difficult for internet commerce to simultaneously comply with incompatible sets of rules on consumer privacy and law enforcement.
The disparate regulatory frameworks could force US exporters to create and maintain two distinct business platforms to offer basically the same services. That could hike development and operating costs to non-competitive levels in key areas of the worldwide $8 trillion electronic commerce market. Both the US and EU have much commerce at stake and have a shared goal of serving consumers well. Surely there is a pragmatic way to harmonize our regulations.
The EU recently issued a directive on consumer privacy rights. That privacy directive says that consumers must have control over how Web sites and marketing companies collect and use their personal data. In the US, we continue quibbling over consumer controls on marketers’ use of our personal data, and compliance with our “do not track” requests is voluntary.
What passes for privacy protection in the US often won’t work in the EU. Particularly, France and Spain have fined Google for “privacy violations.” Investigation of similar Google behavior is underway in Germany, Italy, the Netherlands and the U.K. A global business might consider the fines a mere nuisance, but fines can increase until they send a strong message.
The EU plans to release a cyber-crime directive setting standards for online security and spelling out coordination among police forces for pursuit of cyber criminals. Standards matter because they can staunch charge card theft. “Chip and Pin” is an EU standard for charge cards that helps keep EU fraud to just 1.5 billion euros per year, a very small portion of the annual worldwide $750 billion in cyber fraud.
In contrast, loose US charge card security encourages massive thefts such as Adobe’s loss of data for 38 million customers and Target’s loss of data for 70 million. The US lacks an effective standard. Our magnetic strip and signature cards, or swipe and pin cards, offer flimsy security at best. In the US, charge cards with embedded chips still have a magnetic strip for backward compatibility with old card readers. Until card security is improved to at least “chip and pin” level, the US will see massive credit data heists. Meanwhile, US companies doing retail business in the EU use chip and pin, and they suffer far less theft.
The EU’s cyber-crime directive may work extra well because EU police can use metadata from communications to track terrorism and organized crime, such as card theft gangs. Many EU countries require judicial approval for police to inspect message content. That’s similar to US law, but the US distinguishes terrorism from all other crimes, and the extra time and high-priced legwork needed for court orders hobbles law enforcement. In that regard, EU law enforcement has a surveillance advantage when tracking card theft gangs.
Some EU policies don’t fit the US, but some make good sense. In this case, parts of the EU’s privacy and cyber security laws help protect consumers and clamp down on cyber criminals. We could improve US consumer safety and our success in Internet commerce by nudging our cyber privacy and security policy toward harmony with the EU.
Alan Daley is a retired businessman who writes for The American Consumer Institute Center for Citizen Research