Bradner's column: Rough seas in safe harbours

Regular readers of this column know my general level of distrust of the US government's willingness to protect individual privacy in the face of some US businesses' desire to know everything about you and to sell that information to anyone with enough cash.

I've commented on the fundamental differences between the European and American approaches to privacy protection. The Europeans feel that the violation of privacy protection regulations should be made a crime. The US government claims that such laws offer false comfort, so there should not be any laws to compel protection. Instead, the US maintains we should trust that the companies in the data business will agree to protect your private information when threatened with no penalty other than bad publicity if they are caught lying.

We have now reached another turning point in the privacy saga. On October 25, the European Union's Directive on Data Protection became effective. This directive requires the member states of the European Union to pass specific legislation to protect the privacy of information about individuals and to prohibit the transfer of data that can identify an individual to other countries that do not provide an "adequate" level of data protection. If the laws that are being adopted to comply with the directive were to be strictly enforced, no US-based business or individual would be able to import data, such as personnel files or credit card transaction logs, from Europe.

The US government is currently trying to deal with this issue. Because the government is unwilling to pass laws to protect personal information, it is trying to get the Europeans to agree to a "safe harbour" for US companies that want to import European data. The US proposal is to publish a list of companies that agree to abide by certain privacy protection principles. Visit www.ita.doc.gov/ecom/menu.htm to see the proposal.

There are many things wrong with the US government's idea, not the least of which is that no credible penalty is proposed for companies that agree to the principles and then proceed to ignore them. The principles are good ones, but they are expressed in generalities. It is easy to see many ways that a company could evade the privacy restrictions.

This proposal reminds me of an internal Boston Globe headline that was accidentally printed during the Carter administration. This proposal is "more mush from the wimp", as the headline read. The US government is being a wimp in the whole area of privacy. It is using excuse after excuse to avoid confronting the fact that for far too many US businesses, personal information about you is just another commodity to sell to all, not just the highest bidders.

If there were serious concern about the privacy of individuals, a proposal of this type would have called for clear, unambiguous laws that would make the unauthorised disclosure of private data a felony. Without such laws, this is mush.

Disclaimer: A boathouse on the Charles River is Harvard's closest approximation to a harbour, so the above is my mush.

Scott Bradner is a consultant with Harvard University's University Information Systems. He can be reached at sob@harvard.edu.
