STU FELDMAN

Well, welcome back to the symposium ladies and gentleman. I'm Stu Feldman. I'm director of IBM's Institute for Advanced Commerce which is sponsoring this meeting and I'm also hosting this afternoon and tomorrow morning's proceedings. I certainly hope you found the morning exciting and informative. I certainly did and I'm looking forward to, just as high a density of information and tantalizing thought for the rest of the time.

A few, quick comments. We're going to have a speaker, Professor Reidenberg first. Then there will be two panels. With dinner, we will have David Medine of the Federal Trade Commission and I hope that all of you are planning to stay for dinner and for the FTC view of the issues of privacy.

I should mention that in addition to the meeting, there are some interesting things to look for out in the lobby. In particular, as we already mentioned, you can get a diskette which will point to a number of privacy statements and you can see it being demoed. There are a number of publications to pick up that I mentioned Esther Dyson left -- a recent copy of Release 1.0 which has a long column on privacy issues. Very interesting and very relevant of course to both this conference and to the remarks that she made at lunch.

Now let me introduce the next speaker, Professor Joel Reidenberg of Fordham Law School. He has an enormous breadth of both background and experience and he will be addressing a number of topics for us. At Fordham, he teaches courses not only on international trade and comparative law and contracts, but also on information technology law. His background is remarkably diverse, including degrees at the Sorbonne, in addition to Dartmouth and Columbia. He writes extensively on the information practices and legal issues thereof. He has published studies on United States data protection. And coming a little later this year, one on online services and privacy issues in Europe. He has also practiced law in Washington DC, in addition to being an academic. And he'll be talking today about worldwide legal implications of sending personal information and what that means for all of us. And also, what some of the technology responses are for both the consumer and society. So let me welcome Professor Reidenberg, who will be covering as I said, both technology and legal and policy issues all in one talk.

JOEL REIDENBERG

Thank you. I'm delighted to be here this afternoon. I think this is a particularly important event to the business sector, to begin to examine ways in which privacy practices can be put in place both to satisfy legal obligations and public sentiment, and consumer desires.

I was wondering at first when I was invited to come this afternoon, what would a lawyer like me be doing amongst all the technologists like you? And Bill Whitehurst said in the invitation he thought I would be a useful transition speaker. And it dawned on me, listening to the talks to this morning and at lunch as to what that meant. I think as transition speaker, I have the opportunity to disagree with everyone that came before me and hopefully provoke everyone who comes after me. So, with that I will try.

What I'd like to talk about are really three different points. The first is to look at the corporate challenge -- a little bit about what the policy reality is. This touches on many of the points that we heard this morning from Ira Magaziner and several of the other speakers. The second is to look at corporate solutions, technical protections. Specifically, what some of them are, how some of them function, how they may respond to the policy issues. And then the third part of the challenge, the corporate imperative -- looking at privacy architectures and developing privacy architectures.

In looking at the corporate challenge, the first aspect that I want to focus on are privacy pressures. We heard a bit this morning about the necessity of confidence. This has, I think, two dimensions. The one side we heard most about was the consumer side, the citizen side, that citizens have to be confident in the fair treatment of their personal information.

The other side is the business side. Privacy as a business to business matter will become increasingly important. It's a competitiveness issue how personal information is treated in the decentralized environment. Many actors will have access to personal information. Secondary use of personal information becomes a threat to business competitiveness. If I am the business with the primary relationship with the consumer and I'm outsourcing, other actors have access to some of that information. They have a means of knowing who my clients are, what my business is. And the contours of what they can do with that information becomes a business to business issue that has as its core fair information concerns, the same thing that citizens are going to be worried about.

There's a significant risk of complacency. On the legal side we heard this morning, I don't think we're going to see comprehensive privacy rights adopted in the United States any time soon. I think we will -- and I think we'll get into this a little later -- there are lots of reasons why the pressures are moving in that direction. But in the short run, in the United States, we're not going to see it. Elsewhere in the world, however, we will. If companies don't step up to the plate, as we heard this morning, we will be more likely to see regulation within the US.

The flip side of this risk of complacency is the scandal potential. Because there is very limited legal regulation in the United States doesn't mean that companies don't have to focus on this very carefully. Because the last thing we want is for your practices to be the front page of the New York Times or the Washington Post. And to the extent that legal standards are not there for you to rely on, you're in murkier waters for what may or may not become a scandal. And it means that there must be -- the environment is telling us there has to be -- significant vigilance.

The third privacy pressure, is what I'll call global embarrassment, something that has not yet been focused on but is coming down the pike very soon. In operating globally, companies will be subject to privacy standards in the countries in which they're operating. Since the Internet is this international environment, I think it will be increasingly difficult for US companies to justify double standards. Meaning they protect the information overseas better than they protect information about Americans within the United States. So it can be somewhat embarrassing to find if a company either has a subsidiary abroad -- that subsidiary abroad is affording foreigners better protection that what they're doing in the United States. Every one can see it on the web.

The next key element are the international legal obligations -- and here, I get to differ a little bit with some of the statements you heard this morning from Ira Magaziner. We have to keep in mind that there are existing legal obligations on the treatment of personal information in each of the 15 European Union member states, as well as many other countries around the world.

One of the comments, for example, this morning about the Japanese buying into the US self regulatory framework. We can't read that too simplistically. The Japanese have in fact regulated privacy, regulated current information practices particularly in the public sector. But they've also done a number of quasi-governmental regulatory activities in the private sector, particularly in the financial services field.

Elsewhere, however and again, in particular in Europe, in Canada, in Quebec, we have comprehensive data processing laws. The laws are characterized by having a basic set of standards for fair information practice that include, you must notify individuals when you collect personal information about them. You must inform them of what the uses are. You may only use information for the intended primary use unless you obtain consent. The secondary uses will require consent.

Individuals are granted rights of access, rights of correction. Storage limitations are imposed, so you may only keep the data as long as it is necessary to accomplish the task for which it was collected. Each of these regimes typically creates a data protection administration, a DPA as I called it. This is mostly what Ira Magaziner was talking about this morning. We're not going to see anything like that in the United States, nor would many find it even appropriate to consider having a DPA in the sense of a European data protection administration within the United States.

But, that's not really an issue. It's never really been on the table in that fashion here. In Europe, they exist. It's a reality. We have to face that. These are independent government authorities, meaning that they are separate independent agencies with powers akin to our SEC in a lot of ways over the information sector.

The European national laws require that the processing of personal information be publicly declared. You have to file a notice with the government agency that's publicly available much like SEC 10K's or 10Q's are filed. These laws have a very wide scope of jurisdiction, and in particular, jurisdiction over US companies, especially those operating on the Internet.

Why? If you maintain an interactive site, you will be collecting information from the users who are located within jurisdictions and under their existing laws, that will give them competence to reach you. This is not atypical from what we see in the United States. We've seen a lot of -- more recently -- Internet trademark cases where the courts are finding that courts in distant states have jurisdiction where someone put up a web site and was availing themselves of the foreign forum. And the same thing is going to happen here. American sites collecting and processing information that they're obtaining from Europe will be subject to European laws.

In addition, each of these laws has an existing transport of data flow clause which says that they either can or must -- depending on the national law -- restrict flows of personal information to countries that do not satisfactorily protect privacy. And in general, they look to seek legislative, legal protections to the citizens.

A couple of tendencies that we see emerging from the European national commissions are a strong push towards anonymization and encouraging processors of personal information to anoynomize the data, segment the data. We also see a heightened attention to the cookies technology on the Internet and ways of dealing with it. In fact, the new German teleservices law that went into effect this summer has a whole special clause on cookies, focused on the particular technology.

The directives that have been mentioned, the European directives -- there are actually two. Most Americans are focused only on the first which is a directive 95-46-EC. That's known as the framework directive, the data protection directive.

The second directive, which few -- at least from what I've heard in the United States -- have paid much attention to is 97/99/EC adopted at the end of last year, which is otherwise known as the ISDN directive. It is purported to be a sectoral application of the first, of the framework for the telecommunications sector.

Part of the reasons for the directives which you'll hear more about tomorrow, was to harmonize the laws across Europe, so that you wouldn't see many divergences -- and I'm going to talk a little bit about what we find within Europe that the directive, in fact, won't focus on.

A colleague, Professor Schwartz, and I just completed this winter, a study for DG15, which is the European commission directly responsible for the protection, that we understand will be released by DG15 this summer through the office of official publications of the commission. And in our study, we looked at a set of issues to see how the national laws across four member states diverged. And I've listed a couple of them here that we looked at -- jurisdictional issues.

We looked at, what did the member states mean by personal information? And unsurprisingly perhaps, there's a difference of views. Something as simple as an IP address, or more particular, a dynamic IP address in several member states, that would be treated as personal information. The consequence is in some member states, data protection laws apply. In others, they would not.

The territorial reach of the national laws was also somewhat divergent. The transparency requirements, the types of notice that sites would have to give individuals when they collect information and who has to give the information? Specifically, if I am only collecting indirectly, do I have to tell the individual? Some member states say yes, others say no.

Consent for putting or collecting information specifically on the Internet. Two member states have specific rules on this. The others do not. Profiling -- the conditions by which one can profile. And this goes frequently to the notice and consent forms.

Treatment of sensitive information. We've heard a lot -- and there's great reliance in the United States -- that notice and consent is the basis for everything. Market solutions rely on notice and consent. In Europe, that concept will not be accepted entirely and in particular, in the context of sensitive information. They will treat data relating, for example, to race or religion as sensitive information. And you can't waive certain rights to how that gets treated. There's an inconsistency if we say it's a fundamental right, but then we allow people by contract to deviate from that.

In no other field where we talk about fundamental rights do we let people contract out of their fundamental rights. And that's something that we see very important in Europe, especially with the use of quick stream information coming from net transactions.

And in security, in each of the member states, we see this typical split that we find here between law enforcement and the data protection authorities, who interestingly are a source of opposition to law enforcement in their efforts to control cryptography.

Now, how will the directives help in these divergences? Our conclusions were that in many ways, they will not. The directives are not specific enough, nor should they be. But they simply are not going to deal with some of these divergences at the margin that have fundamental consequences for online services and net transactions.

What it means is that the directives pose a very important challenge. Because while they will harmonize certainly many of the national laws, they're not going to be a complete harmonization for electronic commerce for the purposes of electronic commerce. Consequently, we will find differences in the application of privacy rules to transactions and to actors, depending on which country we're dealing with.

Now, where do we go from here? The corporate solution, technical protections, is also going to get us into a question. I'm sure you've all asked, why am I using a browser through my presentation. One of the things that we find -- the use of the browser will illustrate this -- is that the technological rules are just that -- they're just rules. Technological choices, technological infrastructure establishes rules for how we treat personal information. And we can use those rules to protect privacy.

Whether the infrastructure permits the transfer of identity information or not, can be modified. And that's what we have to start thinking about today.

The first, the typical one, the anonymization which we see a push, in the countries that do regulate comprehensively, for fair information practices. They're pushing to say, let's anoynmize information so that we don't run into the privacy problems. We don't have to worry about whether citizens rights to control their personal information are being transgressed or not.

And this links I think to some of what we heard earlier, about the security mechanisms that are available. We need to start thinking about identity firewalls. If in a particular organization, they're collecting personal information, not everyone in the organization will need access to the identifiable aspects. Depends on what the uses are.

We have to start thinking about ways in which we can anonymize the data for different users within organizations and different uses of the data. Is it absolutely necessary for Mr. Smith or Mrs. Smith to know the identity? How much can you strip away?

We've heard of some of the anonyomizers -- the web sties that I go to and browse the net via an anonymizer to try to mask my identity. Well, there's another step we can take also. It's not there today but the private sector can certainly develop it. There's no reason why we couldn't for example develop a small reader that plugs into my computer and I plug in a chip card with anonymous cash on it that will log me into a service provider who has no idea who I am. So, my initial entry point into the net is anonymous.

We're beginning to see this in Europe, with the phones, the cell phones. Cards -- France doesn't allow it but, other countries do -- having essentially anonymous calling from a mobile phone. Well, these are the things we have to start thinking of for the Internet and for the kinds of transactions we're dealing with on the net.

The next key topic that I want to talk about is protocols, the labeling and filtering. We heard about picks and P3P and OPS, this morning. These are particularly robust mechanisms for protecting privacy on the net. They've got some pitfalls that I'll talk about. They're very important.

What exactly is it? When we talk about labeling and filtering, we're essentially talking about tagging techniques, tagging information according to some criteria that then let's us filter. It was initially designed as the content filtering for the picks platform for Internet content selection that enabled parents to filter pornography for kids.

The same protocol, though, can be used to identify sites -- privacy practices, corporate privacy practices and will enable users to have some choice on whether or not they want to visit a site and deal with the site that doesn't conform to a set of standards.

And I'm going to show you what this looks like. Here, for example, is a model code, to be able to rate sites for their satisfaction of the European directive standards. The directive has this adequacy clause that says that they block data to countries with inadequate privacy.

Well, here's a code that gives some examples of the different standards that are in the directive and ratings, how under this standard, a given site might rate in terms of the European Union's directive. And it starts here, I can move it here, which will change the rating of it. Sort of like, is it PG 13 or Triple X? And I can apply this mechanism to the sites that I visit. You'll note here in Microsoft Internet Explorer, it's appearing under Internet options, content advisor.

The protocol has an adaptation that's being developed that we heard about -- the P3P. What that's really referring to, if you go back for a moment, the choice of these labels -- what are the particular standards and how are we going to code a given site according to those standards? That's what P3P is focusing on. It's been focusing on the kinds of labels, the kinds of criteria for which sites will be rated.

OPS as we also heard -- the open profiling standard -- is something similar. It's a way of tagging information. Once information is tagged, then I can filter. So in this case, it's ironic, my web site is actually tagged using that directive. And ordinarily, Explorer ought to filter it. However, it's hidden in the cache, and I can't seem to delete it, so I couldn't show you that.

If, however, I try to go to the help files, what you'll find, it won't let me go because the help files are not rated for content for this selection. So my filter program, the way I've configured it, blocks anything that's not rated. And, here it has no rating. I have to put in the password to get at it. Since there's nothing very interesting there, I'm not going to go into it.

The third item of technological rules that I want to mention are trusted certifications. And here what we see are in part, standards -- there's a standards component. We need to know what the standard is against which we're certifying. There are a couple out there, the Canadian Standards Association has a privacy standard. ISO 9000 has at least in the past considered something like that. But it really hasn't moved forward.

We've heard about TRUSTe, and you'll hear more about that later. No, but that's essentially a trusted third party certification. We have some third party that we're going to trust, we'll put a seal of approval on a site, that gives us a technological badge if you will, of this site's performance.

Now, these technical protections -- the rules are out there. You can use them. But the key question is, how are they being implemented? The implementation capabilities are particularly significant.

On the one hand, we can use some of these tools to automate compliance with fair information and practice policies. The ratings process -- how we tag sites, how we put those, you know, PG13, kinds of labels, how we filter. Whose criteria are we going to use for filtering? These can be automated. We can have various forms. PC3 is essentially saying, we're a group of industry actors. We think this is a good set of labels and criteria to use the filter.

The technology, though, allows for several -- a multitude of competing systems to coexist. P3P has theirs. The European Commission may adopt a different one. The Direct Marketing Association may adopt yet another set of labels if they so desire. They can all coexist and users can have the facility of deciding whose criteria they want to follow.

The notice and consent process. Again, this is something that the technology can very easily automate. You can see a world where a website has a little icon that represents a privacy preference -- a standard privacy preference. And I click on it and it says I can use the information for any purpose, as an example. There are all sorts of things like that that the technology will allow us to do.

The technology will allow us I think in many ways to satisfy some of the global requirements. Because we can customize policy preferences, using configurations, it means we can conform to several different privacy standards at the same time. If my customer is in France, I can configure the system to comply with the French requirements. If my customer is in the UK, I can configure it to comply with the UK requirement.

How I do that may be a combination of server level -- maybe a client level. It may be a transmission protocol development. There are all sorts of different policy questions. We can talk about how you might implement this. But the point is, there are ways to do it.

There are issues that are going to come up. Tagging -- what I call tagging issues -- the vocabularies and the fairness. What are those criteria? How is it that we're rating it? Do we trust the quality of the labels? The example that I showed you for EU adequacy was something I had drafted. For some of you, that may be just fine. Others of you may decide I'm paranoid and it's not an application.

There are a lot of value judgments that go into defining the vocabulary. And how we make those will determine whether the particular code and the particular technology is fair -- whether it's fair to the consumers, whether it's fair to businesses.

The second, more troubling problem, is adoption. Once it's out there, people have to use it. Now, I ordinarily, I confess, surf the web use Netscape. The only time I typically use Explorer is to make presentations like this one because Netscape does not presently allow me to use the picks, labeling and the filtering.

The protocol is not implemented in Netscape. It is in Explorer. However, this later version of Explorer compared to what I used to do, apparently does some funny things in the cache so that once you've visited the site, put in a password to override a filter, you can't go backwards. So if Johnny gets onto the site once, the site is forever unblocked.

Those are going to be critical dimensions. Which comes to the last point. The corporate imperative -- privacy architecture. We need to start thinking about proactive privacy designs and here the infrastructure mechanisms. You have to have the mechanisms built into the infrastructure from the start.

If we want to satisfy fair information practices and we want to try to satisfy data protection requirements and obligations overseas, we have to start looking at combinations of what our legal obligations are -- our policy pressures and obligations are -- and what our technical rules are. Because it will only be through both that we're going to get satisfactory privacy solutions. The technical rules and the law and the policies have to work hand in hand.

In doing this, I think that we will be able to come up with ways to have infrastructure rules for international adequacy that address some of the problems that Ira Magaziner mentioned this morning. I think he is completely wrong when he says -- and he said this morning -- that we won't let the Europeans block data to the United States.

I don't think that recognizes how the national authorities in Europe will function and what they perceive their own legal obligations to be to their citizens. They will most certainly be looking very carefully at the United States. The lack of legal rules in the United States makes it much more difficult for them. Their goal is not to shut down business with the United States but rather to insure that personal information coming from Europe is treated in accordance with fair information practice standards. And I think that a significant and powerful way that American industry will be able to do that in the absence of law, is by showing that the infrastructure -- the architecture they have -- doesn't permit the kinds of privacy violations that the European laws are concerned with.

If the data for example gets purged immediately after use, then there's no fear that the United States doesn't have a storage duration limitation in law like Europe. It's irrelevant because the system purges the data.

So, again, you can look at this, if we make a concerted effort, there will be ways I think to show infrastructure rules can demonstrate aspects of adequacy.

The last point is the proactive privacy implementation. In looking at technological rules, we have to be very careful at how we implement what I'll call the fairness of the defaults. You have a technological rule, there's a default setting. We can customize it. The user can change the preferences. But it starts out with some default. And we have to be very careful how we define that.

Typically, and I'll give two examples of what I'll call internal myopia, it's very easy for a business, in looking at setting up the architecture, to think we'll give preferences to the users. But the way that's done may be very myopic.

If we look at cookies -- cookies is a great example of that. We're all familiar with the technology that places information on the user's hard drive. You know, initially it was done without any information being provided to the user. Now, it's done in a way that the user can disable it. But number one, the default is that the cookies are placed on the user's hard drive. And number two, the user has to know what a cookie is -- has to understand what it is to know whether or not they want to change that default setting.

So, for a typical user who is not technically sophisticated, it's going to in effect be a misnomer to say they have expressed a preference with respect to cookies. Because A, they have no idea what they are and have no clue what it means when it says, gee, I can disable the cookies. And if I disable the cookies, when I try to go visit a site, I'm told the site wants to place a cookie on my machine or cancel. And a typical user thinks, if I cancel, it means that I don't see the site, which frequently is not the case. So, we see a problem in that in terms of how it's implemented.

Content advisor I think is another example. You know, and in part this is the development of picks for other uses that took place after the various versions of software were written. But you see content advisor was how I set the security for labeling and filtering. You'd never guess that that's referring to privacy preferences. So, again, it's something that has to be very transparent for the user for it to have some basic elements of fairness.

There are consequence I think for businesses in developing technical rules as a way of approaching the privacy problem. The development process has to be open, and what do I mean by that? There are two components. The first is external advice would be particularly valuable for companies.

Since it's very difficult I think internally in a business development unit to get a good read on what the person on the street is going to think about this, whether you can tell your grandmother with a straight face, this is what I'm doing with the personal information -- the perspectives are different between what takes place inside the business and what takes place outside the business.

In that it becomes very helpful to have some kind of external reality check. The flip side of that is that once you have rules in place, you need some sort of external review to be sure that either the technical rules you've set in place do what you want them to do, and second, that the company is in fact adhering to these different technical policies -- that you don't have people within the company that have figured out ways to bypass some of the security procedures, that might be in place.

And, what I'd like to conclude with, is really two points. The first is that looking at the privacy architecture as a design imperative will give us I think better quality information. Which means that for your customers or for you, it's higher value information and you have much more satisfaction that customers have a great degree of confidence in what you're doing, what others are doing.

At the end of the day, however, I think confidence and trust are going to require a fair playing field for both business and citizens. It doesn't help if say only 75 big players are signed up to a TRUSTe program or something similar. That's great for those players, but unless it's widely permeated in the market, consumers are going to be very uncomfortable and will approach online transactions with great trepidation if they perceive the market as a whole isn't protecting their privacy.

It's the classic case of what they call network externalities. For it to really work, there has to be an extreme widespread adoption of privacy protection technologies.

My own personal view, which I think is the one that would be proactive to close on, is that I think it will be inevitable in establishing standards. Because as we've heard, I think that it will become a business competitiveness question. If we want the market place to be robust, there has to be some base line of protection for citizens to feel comfortable and for businesses to feel that they compete -- that they can compete fairly without unfair competition coming from the bad apples in the industry. Thank you.

STU FELDMAN

Thank you very much for a wide ranging and deeply challenging talk. It's interesting to inquire, how much liability most American e-commerce firms have already acquired by asking what country you're from. Let me open this up for questions, for Professor Reidenberg. Yes sir?

MAN

We've heard European standards mentioned a number of times this morning. What about Middle East, Africa and Asia Pacific?

JOEL REIDENBERG

Limited. You see a little bit more in Asia Pacific than you find certainly in the Middle East dealing with private sector, data privacy rules. They tend not to be as extensive yet as the European Union. However, one of the things that we do see is that the European Union's directive is being looked at more as the model than the US approach in many of these regions.

MAN

Joel, you predict that we're going to have legislation at some point in the United States. Is it going to be based on our tradition of legislating based on harmful use, or is it going to be based on the European tradition of legislation based on wrongful processing -- processing inconsistent with the notice?

JOEL REIDENBERG

Yes to both. I think that what we're going to see is increasing -- and we see this trend in American legislation. Our legislation has been very narrowly targeted, tends to focus on a number, though not all of the basic principles set out in the OAC guidelines. What we've seen, though, is the more recent laws have taken the position where certain uses of information are identified as primary uses. Other uses are then deemed to be secondary. Typically, it's the marketing use that's deemed as the secondary use, and the laws will give individuals opt-out rights.

We can cite as example the Bork Bill, the video privacy protection bill. The Telecommunications Act of '96 that imposed some restrictions on transaction data. The amendments -- the federal reporting act in '96. I mean, we've seen that trend. I think initially we're going to continue down our path of looking -- sectorially first, which is more the kind of European style. We will identify a harm in an industry, health records. But if we look at the health information proposals that sectoral people are worried about -- harm from the disclosure of health data.

If we look at some of those proposals, some of the kinds of principles we see in there aren't that different from what you'll find in European law or the OECD guidelines. We can't forget that everyone agrees what the basic set of principles are. The US government adhered to the OECD guidelines in '77. The 250 largest companies at the time all signed on to it. So there isn't much of a difference there. It's in part, should we -- and how should we -- legislate? I think over time what we will find is that because the kinds of information uses, in an on-line environment, are cross sectoral, a sectoral approach becomes problematic.

The Bork Bill's a great example. If I rent a video, it's protected. If I watch it on the Internet, it's not. That's a problem we're going to grapple with more and more.

QUESTION

Joel, you mentioned where you had a slightly different feeling on whether there would be transborder data flow blockage occurring sometime in the next calendar year. What's your opinion, based upon the many people you've talked with in Europe, about the issue of the populous in Europe not being permitted to have access to certain areas or certain offers, or certain whatevers, that might go against the data protection law? Are they worried about that at all? Since we in America often put that up as an advantage of free flow of information?

JOEL REIDENBERG

I haven't sensed that that's the prime concern of the national data protection regulatory authorities. And it's not surprising either, because from the European point of view data protection is a fundamental human right. It is what they call in European law, a public order level right. And public order then frequently trumps everything. So in that sense, their concern is that these fundamental rights should be protected, and that the citizens expect the national authorities to protect the citizenry in their fundamental rights.

There are, of course, differences among the European countries. That is more pronounced, I think, clearly on the continent than it is in the UK. In Germany, it's a little more nuanced than that. The other, I think, point to keep in mind is that Europe right now is far less -- the European citizens are far less connected to the Internet than American citizens are. So it may be a little bit early for the national authorities to be getting pressure from the bottom up.

QUESTION

Let me set aside areas like medical information, or protection of minors. I wonder if we're all making some assumptions that, for companies to comply with protection of privacy, they have to incur costs that put them at the disadvantage. And as a result of that, unless there is legislation, certain companies will always be able to do better in competition. It's possible that's not the case at all, that market forces will so punish companies that do not follow privacy laws, and that the technological cost of obeying privacy laws are not all that high, that generally the right things will happen through market forces. Would you like to comment on that please?

JOEL REIDENBERG

Sure. I think it's going to be the reverse. I mean, it's certainly possible that the market will work perfectly, and companies adopting privacy technologies, privacy policies will function. But, on the other hand, Pix for example has been around for three years. The original protocol was designed at least three years ago. Using it for privacy preferences has been on the table since the summer of 1996. We still don't see the mechanisms there.

TRUSTe has been around for at least, Susan can correct me if I'm wrong, but at least, I think, a year and a half now. And how many companies across the Internet have subscribed to it as a percentage of the companies doing business on the Internet? Or something similar. So we've seen examples where some devices and tools are out there. But it's not happening yet. I think it is very difficult, and we heard numerous references to it this morning, that a company says, gee, this is great. But I don't want to do it until somebody else does it.

It's hard -- if I'm out there -- out front, saying I've got great privacy, so come and do business with me. That's terrific. But the problem is, how does the consumer know who doesn't have great privacy? There's a tremendous lack of transparency. So the sort of value added of coming out and saying, I've got great privacy, is diminished by the surreptitious nature of processing elsewhere. So a consumer doesn't necessarily know that they ought to only do business with you, because the guy down the domain block is trafficking in personal information.

And I don't see there that it will be easy and efficient for the market place to solve that problem.

QUESTION

To what extent are the rules consistent across these various domains? To what extent are they inconsistent? You know, so for example, there are purposes where American companies and German companies need to keep track of religion and race, to follow certain rules, and yet you point out in another context, it's absolutely forbidden to manage that information. Are there other cases where the delicacy is even worse?

JOEL REIDENBERG

I guess it's probably going to come up most in the employment relationship context. The kinds of records that need to be kept for employees and employment data across different countries, as opposed to some of the privacy rules that might exist. Particularly where companies are talking about managing their employment records globally. There'll be different rules on distance selling. I suspect also some instances where the kind of information you need to keep for distance selling rules and contract recision in some countries may potentially conflict with the privacy rules in others.

Again, this I think is all the more reason why it's such a design imperative. Because the one way in which I think companies can manage these potential inconsistencies, or divergences -- depending on which way you want to look at it -- is by an architecture that segments it. So that, if, for example, the race information is required by US government authorities for a US corporation, but the collection and use of it in Germany is prohibited. Then if the technology blocks access to that information for the managers in Germany, you're not likely to run into a problem with the German data protection law.

If your system isn't designed to be able to do that, then all of a sudden you've got a problem that you can't readily resolve between US law and the German law.