Use of the Internet has skyrocketed in recent years. Internet2, one thousand times faster than the existing Internet, is scheduled to be ready for everyday consumer use within five to 10 years. With this “Brave New World,” we have entered the age of seamless communications and commerce between individuals and institutions across national boundaries.
Or have we? The first major speedbump on the international Information Superhighway may occur as early as October 25 of this year, the date the European Directive on Data Privacy (the “Directive”) is scheduled to take effect.
As of that date, it will become illegal for businesses within the European Union (EU) to “export” personal data that may be used for commercial purposes to countries that do not adequately protect this information. Even at this late date, it is not clear whether American law “adequately protects” personal information within the meaning of the EU Directive. Significant differences still exist between America and the EU on this issue, differences that could be “a potentially serious barrier to [the] creation of a global free market for commerce on the Internet.” Should the EU determine that America’s protections are insufficient, and should the EU attempt to enforce its Directive, there could be major repercussions for businesses on both sides.
Examples already exist indicating how Europe might respond. In 1994 Citibank had reached a co-branding agreement with the German National Railway for the biggest credit card project in Germany. However, because personal data on millions of German citizens would be processed in the U.S., there was a public outcry, and the German data-protection authorities threatened to prohibit the arrangement unless the two companies could create an acceptable method of protecting the privacy of the German cardholders. It took six months of very intense negotiations for the two companies to agree on a contractual arrangement creating a broad array of privacy protections. The result was that Citibank had to significantly change the way it managed customer information.
Last year Sweden’s privacy watchdog required American Airlines to delete health and medical information on Swedish passengers after each flight unless American had obtained “explicit consent” from the Swedish passengers. Under the Swedish order, American was not allowed to send this information to its SABRE central reservation system in the U.S. American has lost twice in the Swedish courts, and the case is now on appeal to Sweden’s Supreme Administrative Court. In the meantime, American cannot export the medical data of Swedish passengers to American’s reservation system in the U.S.
Background on the Directive
The Directive is a comprehensive law enacted to establish common rules for the use of personal data. Passed by the European Commission in October 1995, it gave member states of the EU three years to enact national legislation in harmony with its requirements or face having their citizens and businesses excluded from participating in electronic commerce across national boundaries. All EU member states have complied, although admittedly there is still work to be done to harmonize their different approaches.
More to the point for Americans, after October 25th the Directive also restricts any international data flows from Europe to a country outside the EU if that country does not provide an “adequate level of protection” for privacy of data about individuals. According to some analysts, this could mean that such things as the exchange of information from marketing databases that include personal information on customers would be barred, even between subsidiaries of the same international company. Market analysts could no longer send unlimited data about key European individuals to the U.S., and American consultants in the U.S. might not be able to receive a client’s records if those records contain personal information about European customers or employees.
Potentially, human resource records of transnational companies could no longer be centralized, and American auditors might not be able to examine records from Europe if they contain private data about any individual.
While many Americans might, in fact, applaud such privacy protections, these restrictions would definitely impact how American and transnational companies would otherwise do business with Europeans.
General Provisions of the EU Directive
The Directive is a comprehensive all-encompassing law that sets very specific criteria for the use and transfer of personal data, with the objective of protecting the right to privacy in the processing of such data. It requires that any person or organization responsible for processing personal data must implement appropriate technical and organizational measures to protect the information from unauthorized disclosure, especially when that processing involves transmission over a network. It further establishes data protection principles and conditions that must be met before personal data may be processed.
To meet the Directive’s requirements, EU member states must ensure that personal data are:
- processed fairly and lawfully,
- collected for specified, explicit and legitimate purposes,
- adequate, relevant and not excessive in relation to the purposes for which they are collected,
- accurate and, where necessary, kept up to date, taking every reasonable step to ensure that data which is inaccurate or incomplete is erased or corrected, and kept in a form that permits identification of data subjects for no longer than necessary for the purposes for which the data was collected.
There are even more stringent conditions for the processing of “sensitive” data, such as information about racial or ethnic origin.
Furthermore, individuals about whom data are collected must be provided with certain information about the purpose of the processing and given the right to access their personal files and have inaccurate data amended. In fact, individuals may object even to the lawful processing of this information and to its being used for direct marketing purposes.
Those who suffer damages as a result of unlawful processing of personal data are entitled to seek damages, and sanctions are established for those who do not comply with the Directive’s terms. Any of Europe’s 350 million-plus citizens will be able to file a claim over abuse of personal data, and that claim may be taken all the way to the European Court of Human Rights – one of the highest courts in the European Union. During this process, business contracts can be suspended and injunctions can stop the transfer of data to non-EU countries.
Transfers of Personal Data to Non-EU Countries
Although the EU has not yet developed specific criteria as to what “adequacy of protection” means with regard to the transfer of personal data outside of the EU, it has delivered a policy paper to American officials that sets out tentative meanings of the phrase. The EU would determine which countries would be on an approved list for data transfers by considering both the privacy rules in place in that country and the means for enforcing those rules. If a country does not ensure an adequate level of protection, the member states of the EU are required to prevent any transfer of data to the country in question. Given that provision, there can be no free Internet or other data highway access to personal data in any system within the territory of the EU.
There is a provision, however, whereby data may be transferred to a country which does not ensure an adequate level of protection if certain conditions are met. First, the person must unambiguously give his or her consent to the proposed transfer. Then, the transfer must be necessary for the performance of a contract, or legally required on important public interest grounds, or necessary to protect the vital interests of that person. Thus, transactions such as transferring money to a foreign bank, making hotel reservations or travel arrangements, or concluding an employment or insurance contract with an employer or insurer in a third country would probably be allowed under the new Directive.
The American Response
American law regarding information privacy is sporadic, piecemeal and sector-specific. To the extent that privacy rights exist in the U.S., they are created by a myriad of constitutional doctrines and narrow-purpose federal and state laws. There is no national law comparable to the EU Directive. Even under a liberal interpretation of the EU Directive, it is not clear that the American regulatory scheme qualifies.
Instead, Mr. Magaziner has urged American businesses to accelerate their self-policing efforts on privacy issues. In his view, EU officials have indicated that self-regulation would be acceptable, as long as an established system was put in place.
The Clinton administration has taken a hard line on the question of appointing a government privacy watchdog, stating that it does not recognize the validity of that approach. Instead, the Administration prefers to meet European demands through a combination of self-regulation schemes, privacy-friendly business-to-business contracts, and technology-based privacy-protection systems. Vice-President Al Gore recently proposed a broad consumer privacy plan, including a “privacy czar” to coordinate policy, but adoption of such a plan is deemed unlikely.
Self-Regulation Efforts of American Businesses
U.S. businesses are trying to find non-legislative solutions. For example, in December of 1997, a self-regulatory code of conduct for individual reference services, such as Metromail, CDB Infotek, and Lexis-Nexis’s P-Trak, was announced. This code of conduct limits the use and collection of personal information, while relying on independent auditors to monitor compliance.
Another attempt at self-regulation in the private sector occurred in July of 1998 when the Online Privacy Alliance proposed an electronic seal of approval to enforce information collection and use policies. Under this proposal, member companies would post a privacy seal on their Web sites clearly disclosing how they gather and use the marketing data of their online consumers. In addition, member companies would agree to work with the manager of the seal of approval program to resolve complaints. This alliance includes approximately 50 companies doing business on the Internet, including Xerox, Yahoo, AT&T, Microsoft and America Online.
The problem with industry self-regulation is that it is difficult to get universal adherence to privacy protection policies and hard to craft an effective enforcement mechanism.
Possible Regulation by the Federal Trade Commission (FTC)
Although the FTC is still hopeful that self-regulation might work, the head of the agency said that additional government regulation may be necessary if private industry is not able to demonstrate that it has implemented an effective self-regulatory program by the end of the year.
If self-regulation fails, the FTC legislative model to protect data privacy would require all commercial Web sites that collect personal information from or about consumers to: (a) provide consumers notice of their information practices, (b) offer consumers choices as to how their personal information is used beyond the purpose for which the information was provided, (c) offer consumers reasonable access to their information and an opportunity to correct inaccuracies, and (d) take reasonable steps to protect the security and integrity of personal information.
The Reaction of Congress
Congress does not yet appear to take the issue of data privacy seriously. Lawmakers have consistently refused to pass legislation limiting the use of personal data. Even a bill to limit the use of Social Security numbers for identification purposes failed to pass this year.
Currently, there are about eighty privacy bills scheduled to be considered by Congress in 1998, but it appears Congress will not take action until it determines what action the private sector intends to take regarding data privacy.
It is unclear what will happen this October. Both sides of the Atlantic seem ready to fight. The Clinton Administration has said that the United States will take its case to the World Trade Organization if necessary.
The Europeans, on the other hand, appear to be determined to pursue the privacy directive’s goals, and they have suggested that America must take the issue of data privacy much more seriously in order to have electronic access to the European Union’s consumers. The EU has warned that if the United States does not take adequate measures to provide similar data privacy protections as are contained in the European Directive, it would prevent any U.S.-based company from conducting electronic commerce in its member states via the Internet.
It is unlikely that the United States will adopt a comprehensive data protection law like the EU Directive in the next few years. Changes in American policy may well depend on how serious the Europeans are about blocking data transfers to the U.S. If the Europeans truly intend to block data transfers to the U.S., this may focus concern about how private data are handled in the U.S. and provoke a change in approach.
In the meantime, the United States appears to be on a collision course with the EU Directive. Operations could be disrupted, lawsuits could be filed and markets could be lost. Unless a way forward is found quickly, a huge chunk of business between the world’s two biggest economic blocs may hit a major roadblock. At stake is the future of banking, travel, credit card transactions, electronic commerce, and maybe even government business.
Since there has been some activity towards compliance on the American side, no one in Europe wants to talk openly about a trade war, but it appears that America has a long way to go towards protecting data privacy before the EU will be satisfied. The Europeans want America to adopt its comprehensive legislation regarding data privacy, complete with a separate governing body to hear and investigate complaints. The Americans so far have responded that they prefer piecemeal legislation and self-regulation because they fear that privacy rules that are too heavy-handed will stifle trade. They believe that voluntary codes of conduct and a “seal of approval” will be more effective since industry will have incentive to do this.
“The European Union is launching the biggest privacy gambit in history. If the European plan succeeds, every country on Earth will soon adhere to a global privacy code. If it fails, the United States and Europe could end up in the throes of an ugly trade war over the international transfer of personal information.”
Notes
The official name is the “Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data,” Official Journal No. L 281, 23.11.95, p. 31. See, generally, Paul M. Schwartz and Joel Reidenberg, Data Privacy Law (MICHIE 1996, ISBN 1-55834-377-6); Susan E. Gindin, As The Cyber-World Turns: The European Union’s Data Protection Directive and Trans-Border Flows of Personal Data, at http://www.info-law.com/eupriv.html; European Union Data Protection Directive (No. 95/46/EC), at http://www.open.gov.uk/dpr/insnet2.htm.
James Packard Love, Data Protection Laws Spark U.S. and E.U. Tussle, at https://gbr.pepperdine.edu/983/ (no longer accessible). Another commentator has also noted that the open structure of the Internet appears to be incompatible with these requirements. Frank A. Koch, European Data Protection – Against the Internet, at http://www.privacy.org/pi/conference/copenhagen/koch.html (no longer accessible).
Phil Agre, Wired Story on EU Privacy, at http://www.findmail.com/list/rre/812.html (no longer accessible).
Id. The information American Airlines was collecting was about allergies, asthma notification, dietary needs, etc.
Peter P. Swire, Intellectual Capitalism: The Great Wall of Europe, CIO ENTERPRISE MAGAZINE, Feb. 15, 1998.
Simon Davies, Europe to us: No Privacy, No Trade, on the Phil Agre egroups website under the title “Wired Story on EU Privacy,” at http://www.egroups.com/list/rre/. Once at the website, click “date” in the navigation bar, then “previous” to get back to the 5/05 to 7/10 date range, then scroll down to “Wired Story.”
EC Privacy Working Group Tentatively Defines “Adequate Protection” of Data Privacy Rights, 2 BNA 784 (1997).
Joel R. Reidenberg, The Movement Toward Obligatory Standards for Fair Information Practices in the United States, VISIONS FOR PRIVACY IN THE 21ST CENTURY (ed. Colin Bennett & Rebecca Grant, forthcoming Univ. of Toronto Press), at http://home.sprynet.com/sprynet/reidenberg/oblig_dp.htm. See generally, Data Privacy Law, supra note 2, for a full discussion of the American approach to protecting privacy.
Data Privacy Law, supra note 1.
Mo Krochmal, United States, Europe Look For Common Ground On Privacy, TECHWEB, at http://www.techweb.com/wire/story/TWB19980304S0007.
Simon Davies, supra note 6.
Dana Hawkins, Politics of Privacy: Gore, Congress talk but will they act?, U.S. News & World Report, August 10, 1998, p. 30.
Simon Davies, supra note 6.
Ken Magill, New Privacy Efforts Get Temporary Thumbs Up, DIRECT MARKETING NEWS, at (password required).
Id. It is instructive to note that this plan only came about after the FTC revealed that only 14% of the Web sites reviewed by the FTC made “even a passable attempt” at publishing their information collection and use practices online.
Mo Krochmal, supra note 10.
EU Threatens to Bar Transborder Data Flows Unless U.S. Legislates Data Privacy Rules, 2 BNA 746 (July 18, 1997).
Simon Davies, supra note 6.