Data protection is critical for consumers to realise the potential of global electronic commerce, but it is becoming ensnared in a web of international disputes.
The European Commission's directive on data protection comes into force on 25 October, but not all member states will meet the deadline. This, together with arguments over transferring data to countries with less stringent rules - notably the US - and the handling of sensitive data such as medical and banking details, continue to be issues of growing concern.
The EU believes it has tougher rules than the rest of the world yet, since its proposal was drafted in 1995, some member states have been slow to introduce legislation, and three are not prepared at all.
"Greece, Portugal, Sweden, the UK and Italy have implemented the directive from 23 October, although the latter three still need to adopt some additional rules. Implementing laws are under consideration by the Parliaments of all other member states except Germany, France and Luxembourg," said the Commission.
Looking across member states' preparations, Austria's main concern is with the transfer of data to a country outside of the EU. A key member of the working party for data protection believes that "most countries outside the EU don't have adequate protection to meet EU criteria".
A member of Belgium's working party for data protection believes that the new directive will clarify consumers' views about data protection and help reduce the number of unfounded complaints.
"Around 57 per cent of credit card fraud claims are unfounded. The concept of data protection is bigger for consumers than it is for legislators. Hopefully, the EU directive will bridge the gap between the two," he said.
France is lagging behind because it wants a single data protection act to cover the framework directive and the secondary directive relating to the telecomms sector, whereas other member states have prepared two acts.
Germany is in the process of preparing amendments to its current data protection legislation, but the government says the EU directive makes almost no differentiation between official and private sectors, an issue that Germans feel strongly about.
In the UK, the government says the country's latest legislation is very close to the existing law - at least 80 per cent of the directive is in line with the 1984 Data Protection Act, and it sees little difficulty in implementing the EU directive.
Causing more serious disputes is Article 25 of the framework directive, which prohibits the export of data to a third country that "does not ensure an adequate level of protection".
This includes the US, where data protection is left to self-regulation within each industry sector, with no enforced legislation in place. Many third countries have data protection law in the public sector, but not in the private.
Also, countries that have federal institutions, such as the US and Australia, have different laws in different states. The data protection working party for the member states has concluded that it seems unlikely "that many third countries could be considered to offer adequate protection across the board".
Talks between the US and the EU have focused on introducing model contract clauses, as a middle ground between self-regulation and enforced legislation. These contractual clauses would be one of the ways to provide the safeguards that would make a transfer of information possible to non-EU countries.
"We've reached the stage where we need to begin a real negotiation that would ensure that European customers and individuals are given the confidence to know their data is adequately protected. Our companies would feel safe, knowing they are doing what is required under the Act. I would hope that there is no data blocking when the directive comes into force," said David Aaron, US under-secretary for commerce.
Unice, the Union of Industrial and Employers Confederation of Europe, has produced guidelines that address the issue of transfer of data to a third country, and has urged the Commission to take a more flexible approach. These guidelines include the support of model contract clauses, but even these seem to be inspiring little confidence amongst industry, as the EC has not signalled a formal acceptance of such clauses.
For instance, Europay International, the financial clearing house for Mastercard, has over 10,000 members within Europe. It is now working on a code of conduct in line with the data protection directive, to protect customers travelling outside Europe.
"The code of conduct will grant customers the same level of protection in countries other than member states. The more we push for them, the more companies will be attracted by them. It would be the best approach for all industries to adopt this line," said Pascale Brien, senior manager of European and legal affairs at Europay International.
Eurobit, which represents the IT sector, prepared a common paper with many countries outside of the EU, such as Australia, Brazil, and the US, at an international industry congress last September.
"We decided to propose a content enforcement principle for worldwide data protection. The content principles relate to issues of transparency, security, and individual rights. We have proposed that they should be implemented under generic privacy laws in Europe, codes of conduct within the US, and under existing data protection laws in countries like Japan and Australia. This is the common IT industry view from around the world," said Andreas Rowold, an expert on data protection at Eurobit.
There is a separate telecomms directive that deals with issues of security and confidentiality over ISDN and other digital networks and can be applied to older analogue systems. Specific concern in the legislative debate has covered data collected for telephone billing, caller identification, monitoring of calls and unsolicited calls. Balancing the different needs of the subscriber, caller, called and the telephone operator continues to be a problem.
BT believes that customers have every right to receive an itemised bill, and as they are given on request, BT believes it is not infringing anyone's privacy.
Another outstanding issue concerns telephone directories. The directive enables customers to opt out of having their details in the telephone book, which amounts to going ex-directory. However, subscribers can also choose to be partially ex-directory, which could mean names and numbers printed without an address.
"This measure would be so unhelpful as to be practically useless. If you were trying to contact someone with a common name like John Smith, you could be faced with having to ring a dozen numbers before you got the right one. Wouldn't that amount to an invasion of privacy?" said Robert Dunnett, spokesman for BT.
Consumer protection is another hot potato. The marketing industry has established a system called the Robinson list, where the consumer can write to all worldwide direct marketing agencies to request not to be sent material. This works in practice, says Asuncion Caparros of FEDMA, the Federation for European Direct Marketing Associations, but unfortunately, not all companies subscribe to this list, and further measures are needed.
BEUC, the Bureau Europeen des Unions the Consummateurs, sees problems with legislation coping with the demands and development of electronic commerce.
"As far as we have heard, only five member states have transferred legislation, which is showing a big loophole with other member states," said Ursula Pachl, legal adviser for BEAC.
Pachl sees the way Web pages are presented as an ongoing problem. Consumers are not told what proportion of personal information they are giving will be used by the provider or enterprise they are using. She is doubtful that self-regulation will work in the US, because of the size of its market.
There is growing pressure, not only in the US but worldwide, to introduce a tougher stand on legislation with regard to data protection, from industry, consumer groups and other professional organisations. It remains to be seen whether the EU directive can fulfil its promise to create a single market within EU member states, without creating trade wars with other countries.
Dr Kuan Hon criticises GDPR consent emails that will only eviscerate marketing databases and 'media misinformation'
Apple squashes Steam Link app on 'business conflicts' grounds
Philip Hammond wants to forget rules that the UK agreed with the EU to ban non-European companies from the satellites
Instapaper to 'go dark' in Europe until it can work out GDPR compliance