The European Commission (EC) thinks its privacy rules for US companies doing business in Europe are no big deal. "These concerns are unfounded," one EC official said last week. That's sort of like the guy who doesn't own a cell phone saying he thinks a law banning cell-phone use while driving is no big deal. He's not the one who'll have to change what he does.
In the US, where customer privacy is a joke, meeting tough European standards could require big changes - especially in how IT shops handle data.
And of course, we're not allowed to get ready for it.
Getting ready would be impolitic. Most big US companies are fighting the European privacy standards. Our corporate leaders insist the EC standards are impractical and expensive and maybe even a threat to our national sovereignty.
So it wouldn't look good for IT shops to be figuring out how to apply the standards to our systems, or calculating how much it'll actually cost. That might appear to run counter to the official corporate position.
Trouble is, if the political winds change and for legal or business or public relations reasons our bosses decide that customer privacy is a good idea after all, they'll want it done right now. And finding, filtering and giving customers access to all the data you hold about them is no overnight project. To do it right, we should be starting now.
So while politicians and bureaucrats and lobbyists and executives haggle and horse-trade over these privacy standards, we're stuck with what appears on the surface to be a very nasty choice: We can look bad today for breaking ranks, or we can look bad tomorrow for failing to think ahead.
Or we can be sneaky.
Suppose - just suppose, mind you - that we did a little stealth microproject to see how many foreign customers we've got, and what data we've got about them. That's just due diligence, really. In case our executive team wants to know that information on short notice.
And say we make it a point to track down where all that foreign customer data resides on our systems. That's really just good data-management practice, right? As we all found out from our Y2k projects, there's no such thing as a data inventory that's too up-to-date.
Then what if we ran a hypothetical? Something like this: How would we create a secure application so that, say, executives or sales reps on the road can access that customer information across the Web? That wouldn't be undercutting the company's official stand, would it? We're just making sure we're ready in case we want to give someone Web access to the data.
At least, that's our story - and it's one we can stick to.
In fact, with a little thought and creativity, we can come up with perfectly reasonable explanations for lots of very practical activities that, purely by coincidence, would come in very handy in case we have to reverse course and implement some kind of data privacy scheme that looks a lot like the EC requirements.
That may sound disingenuous, duplicitous, even dishonest. And, it is. But management won't thank us for honesty and openness on this one. And if the bosses change their minds, they won't thank us for having taken them at their word.
We've got to be ready. That's our job, to create the systems our business needs - even if today's official position is that we'll never need those particular systems.
And for now, when it comes to privacy, we've just got to do it in private.
Hayes, Computerworld's senior news columnist, has covered IT for more than 20 years. Contact him at frank_hayes@computerworld.com.