Second-Rate Privacy Protection

American companies have agreed to provide their European customers with a measure of personal privacy under a deal negotiated by Washington and the European Union. It’s not all that European consumers wanted--nor all that they get from European businesses--but it’s more than American companies offer customers at home.

The EU did not give the American companies much choice: Either they protect customers from online snooping and indiscriminate peddling of personal data or they don’t do business in Europe. The new agreement is working, and the same formula should be followed by U.S. regulators.

If cyberspace is the world we increasingly inhabit, data is the currency we use. And a valuable currency it is. Banks, once discreet guardians of depositors, earn millions selling every scrap of personal information about their customers. Data can be quickly assembled to provide a starkly detailed portrait of almost any individual. For example, Acxiom, an online marketing company, keeps personal and lifestyle data on 95% of U.S. households and can arrange it according to ethnicity, race or other criteria. Profiles of all sorts are being used to make sales of products and services to some and deny them to others, a form of technology-driven redlining that excludes potential customers deemed unable to make the payments.

The issue is privacy in the Information Age, and Californians are particularly concerned about it, as witnessed by the state’s high rate of unlisted phone numbers. Public concern about privacy is rising everywhere, and for good reason. “The state of Americans’ data privacy is appalling,” Joel R. Reidenberg of Fordham University Law School told a congressional committee recently. In lieu of privacy protection, Internet companies offer little more than notices to their customers that they are being electronically tracked and information about them is being used, sold or both. There is little that consumers can do to prevent this.

By contrast, under the “safe harbor” agreement with the 15-nation EU, Net companies have to meet more than half a dozen principles of privacy protection developed by Western governments over the years. In addition to being told that information about them is being collected, consumers must be given a chance to say no to sharing the data with others and must be given access to the data collected.

The least the companies can do is offer Americans the same level of protection.

So far, industry self-regulation of privacy is a signal failure, and government agencies, Congress and even presidential candidates are taking notice. Republican George W. Bush recently described himself as a “privacy guy” who believes companies should ask customers’ permission before disclosure. U.S. companies, both online and offline, have vigorously resisted exactly this.

Whether companies like it or not, the privacy issue has staying power and will grow more urgent as reports of abuses multiply. Denying minimum protection to U.S. customers while extending it to customers elsewhere only adds to the growing doubt that privacy protection can be voluntary.