WHAT THE U.S. SHOULD (AND
SHOULDN'T) LEARN FROM EUROPE
H. Jeff Smith
few years ago, I spent a week in Sweden meeting with various individuals who were interested in issues of information privacy. After
talking for a number of hours with employees at the Data Inspection Board (DIB), Sweden's federal regulatory agency for privacy, I interviewed several executives in the country's private sector. I soon realized that at least half of each discussion was spent in trying to narrow the gap in our collective understanding of one another's privacy environment. The Swedes simply could not identify with my American tales of data collection regarding consumers' backgrounds, purchases, and histories; the compilation of these data into various sorts of profiles; and the trading of this information between various entities. That most of this was done with little or no governmental oversight was perplexing to them. On more than one occasion, my Swedish compatriot responded along the lines of "you Americans just don't seem to care about privacy, do you?"
At the same time, it was almost impossible for me to identify with the Swedish approach to privacy regulation, which requires corporations and other entities to register all databases containing personal information with the DIB and to secure advance permission from the DIB before using certain data.' Furthermore, while the frequency with which it has done so has varied greatly over the years, the DIB has the right to inspect the data processing operations of any Swedish entity to ensure its compliance with privacy regulations. If the DIB
I am grateful to Mark Keil, Sandra Milberg, and the reviewers and editors of California Management Review for their helpful connments on earlier versions of this article.This research v/as supported by the Babcock Graduate School of Management, Wake Forest University, Research Fellowship Program. I am indebted to Bob Hebert for his research assistance and to Rick Harris and Mike Lord for their assistance in interpreting the European legislative process.
CAUFORNIA MANAGEMENT REVIEW VOL 43, NO. 2 WINTER 2001
Information Privacy and Marketing: What the U.S. Should (and Shouldn't) Leam from Europe
becomes convinced that any entity has violated its license or any of the DIB's policies, the DIB can revoke its license. Although I tried to avoid saying it out loud, my knee-jerk American response was "I don't see how any business ever gets done in this country!" When I occasionally tell American executives about the regulatory environment for privacy in Sweden, I often notice their jaws dropping.
The privacy-related differences between the U.S. and Sweden are perhaps the most pronounced of any developed countries in terms of their implementation. However, the principles underlying the Swedish system are generally in line with those in most countries in Europe. It has become apparent in the last five years that U.S.-European assumptions about privacy rights, societal approaches to its regulation, and managerial responses differ in kind and not just in degree. Privacy advocates often argue that the U.S. should shift to the European model, but a deeper analysis reveals that only some facets of the European approach make sense for the United States.
Definitions and Differences
It has been said that "much ink has been spilled"^ in attempts to define "privacy." So, to be clear from the outset and to avoid spilling additional ink, I note that our concern here is information privacy; that is, "the right to control information about oneself."' This is distinguished from physical privacy, which is concerned with physical access to a person. It also differs from trade secrecy, which addresses ownership of intellectual corporate assets, like a strategic plan or specialized know-how about a particular product. In addition, to simplify the discussion, I focus on privacy in the commercial, rather...