The European Union Data Privacy Directive and International Relations

Salbu, Steven R., Vanderbilt Journal of Transnational Law

ABSTRACT

This Article explores the European Union Data Privacy Directive and its impact upon international relations. Part II provides a background upon which the Privacy Directive is built. In Part III, the Article confronts the differences between how the United States and its European counterparts address privacy issues generally. Part IV analyzes the Privacy Directive in detail, while Part V explores possible effects that the Privacy Directive might have on international relations.

I. INTRODUCTION

Recently, the European Union passed the Data Privacy Directive (Directive), under which Member States are required to enact implementing legislation. (1) The Directive is the world's most ambitious and far-reaching data privacy initiative of the high-technology era. Its global pervasiveness, and therefore its extraterritorial effects, raise interesting questions regarding tension between the goal of uniform Internet policies and the importance of respecting sovereignty and national autonomy. The resolution of this tension may ultimately affect international relations in the new century.

This Article examines these dynamics. Part II is a primer on contemporary data privacy issues, the foundation upon which the EU Directive is built. Part III briefly discusses differences between U.S. and European approaches to these privacy issues, highlighting a present lack of global uniformity, even among two Western, developed, regional economies. Part IV analyzes the EU Directive and includes some critical observations, highlighting potential pitfalls and shortcomings. Part V looks at the relationship between the EU approach and international relations, examining possible effects on the furtherance or hindrance of a harmonious and cohesive world community.

II. A PRIMER ON CONTEMPORARY DATA PRIVACY ISSUES

Privacy is a concern that obviously predates modern technology. (2) It is also easily taken for granted. As one scholar observes, privacy is a lot like freedom: people do not appreciate its value and importance until it is threatened or lost. (3) In an era of burgeoning information technology, privacy also can become an afterthought, a secondary consideration in the race to find and exploit the next cutting-edge development. (4)

Since the 1980s, but prior to public diffusion of developing Internet technology, legal scholars recognized how seriously computers can threaten privacy. (5) The advantages of technology come at a price: one person's "enhanced information" can invade another person's privacy. (6) This double-edged sword naturally creates conflict, based on both self-interest and ideology. (7)

Reasons for concern have escalated, and they continue to grow. Privacy is becoming increasingly susceptible to ever more sophisticated technologies. Electronic identification cards, wiretaps, biometrics, and video surveillance cameras all have the potential to erode privacy. (8) Digital interactive television technology soon may tell advertisers exactly which programs people view in their homes, refining target advertising (9) in ways that are potentially both beneficial and frightening. (10)

No modern technology poses a greater threat to privacy than the Internet. (11) Interactive computer technology allows researchers to collect data more cheaply and efficiently. (12) Conversion of data into binary form enables the common person to store, use, and misuse data in powerful new ways. (13) Computer technology also allows commercial and other entities (14) to accomplish data collection tasks more quickly and inexpensively. (15) What once took days of manual labor now can be accomplished with a keystroke; what once required substantial capital now can be achieved by anyone with a computer and a modem. (16)

By the late 1990s, the potential had become a reality, as a Federal Trade Commission (FTC) survey analyzed 1402 websites and concluded that ninety-two percent collected personal data, and that the majority did so without posting privacy disclosure statements. (17) More anecdotally, Professor Sovern describes modern media as "filled with horror stories about the use of personal information." (18)

Lack of disclosure is a serious problem. Internet-enhanced invasion of privacy can be especially insidious because the technology facilitates the collection of personal data without the knowledge of the subject. (19) Among the more disturbing concerns is the collection of identifying information, such as address, social security number, medical information, financial information, and credit card information. (20)

Some critics of the non-consensual flow of personal information posit property arguments in support of the electronic privacy movement. (21) They contend that the subjects of personal information have the right to control its use, including the right to sell it. (22) Some property-based discussions appear to be based on conceptions of fairness. (23) Others have focused on the purported externalities pertaining to uncompensated use of private data. (24) Still others have discussed property-related policy approaches to privacy issues, such as the possibility of licensing private information. (25) In a world where companies pay or otherwise compensate consumers for personal information with increasing frequency, (26) expectations regarding information rights are likely to shift.

The property rights approach is appealing because it both recognizes and accommodates different preferences and priorities among consumers. Under this approach, those consumers who value their privacy highly need not sell the rights to personal data and information; those who place a lower value on privacy are free to sell their data and information. (27)

There are also good arguments in favor of maintaining the freest possible flow of information, including personal information. Society benefits from increased access to information. (28) Some commentators suggest that the free collection and use of information benefits not only businesses, but also consumers and society at large, (29) and that current pro-privacy trends may therefore more accurately be classified as "privacy panic." (30) Consumers ostensibly benefit by receiving more pertinent information, as companies better target their advertising to personal interests; (31) society ostensibly benefits as better, more efficient marketing supports e-commerce and a thriving economy. (32) In addition, all users benefit from free Internet services that are sponsored by advertisers. If Internet advertising fails to be effective, advertiser sponsorship will decline and the public could lose many useful sites. (33) Any means of improving advertising effectiveness is also a means of supporting a robust web of services, available without charge. (34)

Skeptics counter that, unless people are careful, the benefits will come at a serious cost to personal privacy. (35) The threat comes from the government as well as the private sector. (36) Although technology can be used to circumvent the privacy of consumer information, (37) policies can be established to protect these rights. (38) Companies can be required to notify people of their intent to collect, use, or distribute personal information, (39) as well as to provide consumers with meaningful control over whether--and if so, how--these processes occur.

Specifically, both opt-in and opt-out policies provide a measure of consumer privacy protection, although the former are stronger than the latter. (40) Opt-in policies prohibit businesses from collecting, using, or sharing (41) personal information unless the subject of that information has expressly agreed to these activities. (42) Under an opt-in policy, the default assumption is that every consumer expects privacy. (43) The assumption can be rebutted only through voluntary and affirmative consumer consent. Opt-out policies prohibit businesses from collecting, using, or sharing (44) personal information only after a consumer has taken the initiative to inform the appropriate person or entity of objections to the relevant activities. (45) In contrast to opt-in policies, the default assumption in opt-out policies is that a given consumer does not have privacy expectations regarding relevant activities, such as collecting, using, or sharing the data. (46) To trigger the privacy protections that are automatic under an opt-in policy, a consumer must take the initiative and follow the prescribed steps. (47)

In many instances, companies collecting data do not conspicuously inform individuals of their opt-out rights or provide them with instructions and contact information for exercising their rights. (48) In these cases, the consumer must be willing to investigate the procedure and the details of implementation in order to exercise their rights. It is likely that these dynamics impede the assertion of opt-out privileges in many cases. While consumers most concerned with privacy are more likely to go to the trouble, those who are moderately concerned are less likely to expend the resources necessary to exercise their opt-out rights. Even among consumers with high privacy-concern levels, some will be too busy or distracted to pursue an interest that they consider very important.

Some commercial interests and opponents of privacy advocates counter that opt-in and other aggressive policies add unnecessary or even prohibitive costs to doing business. (49) Anti-regulation arguments are bolstered by data suggesting that theoretical privacy concerns may not be very important to real consumers. For example, when New York Telephone enabled customers to opt out of a mailing list it intended to share with direct marketers, only 800,000 of 6.3 million customers exercised the option. (50)

Of course, privacy advocates can challenge the significance of this information on at least four grounds. First, 800,000 is a large number in absolute terms, and even as a proportion it is not a trivial percentage of offerees. Second, some of those who did not opt out in this case might do so in another case. For example, they might have considered the particular terms of the marketing practices proposed by New York Telephone to be either personally desirable or innocuous, yet would opt out under other circumstances. Third, the distribution of opt-out decisions may be a poor proxy for whether consumers consider the choice itself to be important. One may decide in a particular case not to opt out, but still view the right to make the decision as fundamental. Finally, privacy rights cannot be measured strictly quantitatively. A minority can consider their privacy to be a very precious thing. The possibility that some do not share the concerns of the minority should not detract from the legitimacy of that concern.

In short there are privacy advocates and there are opponents of privacy advocates--not surprising, given the tradeoffs between use of information and abuse of information. Privacy advocates emphasize the price of information-sharing; opponents emphasize the benefits of information sharing.

The "benefit-at-a-price" model of information processing applies to many of Internet innovations. For example, on-line medical data can be an enormous boon to individuals, who now can provide doctors around the world with instant access to their medical histories in the event of an emergency. (51) Globe-traveling patients also can communicate quickly and inexpensively with their own doctors via e-mail. (52) In the words of the M.D. Anderson Center's Chief Information Officer, "The Internet will fundamentally transform the way we conduct health care in this country and the world." (53)

When on-line personal medical information gets into the wrong hands, however, the intended beneficiary of data processing can become a casualty, as in employment or insurance discrimination. (54) On-line financial data bear similar benefits and risks, as desirable facilitation of financial transactions is countered by possible undesirable flow of information to unauthorized recipients. (55)

The down-side of the information revolution is troublesome both in its own right and because of its broader implications. Potential privacy violations are obviously disturbing in both their intrusiveness and their ability to harm individuals. (56) Moreover, the prospect of privacy violations can have negative economic effects, impeding the development of e-commerce if consumer mistrust undermines adoption of the Internet for commercial transactions. (57)

Like many other policy challenges posed by the Internet, (58) today's privacy concerns were not as compelling a decade ago, because the technology is so new and powerful, and is changing so quickly. (59) More than ever, the speed of innovation and attendant social change (60) deprives lawmakers and regulators around the world of time for careful, deliberate consideration of the implications of new technology and the best ways to address those implications. This pressure is exacerbated by the international character of globe-spanning technologies, which increase the number of stakeholders as well as the complexity of policy-making. (61) Despite these sub-optimal conditions for creating rules of the game, the modern proliferation of the media, largely fueled by Internet technology, heightens the pressures placed on lawmakers to respond, perhaps more quickly than ever before. (62)

No one has responded more quickly or more vigorously to modern privacy challenges than the European Union. The section that follows describes the philosophical differences between the European and U.S. approaches to contemporary privacy challenges.

III. EUROPEAN VERSUS U.S. PHILOSOPHIES AND APPROACHES TO PRIVACY

Protection of personal data is an issue throughout the world, and all nations face similar challenges to some degree. The drama that has played out in Europe and the United States, while the most prominent example of the struggle between commercial interests and privacy interests, is far from the only one. In addition to nations grappling with legislative responses, non-governmental organizations such as the Organisation for Economic Cooperation and Development (OECD) have addressed data privacy issues. (63) What follows is a discussion of the most highly publicized international engagement with data privacy issues to date--discussions and negotiations between Europe and the United States.

Privacy is considered a fundamental right in both Europe and the United States. (64) Beyond this generalization, however, European and U.S. approaches to privacy have differed historically. (65) According to policy analyst Ari Schwartz, European nations have a "vision" regarding privacy rights that is absent in the United States. (66) Privacy considerations that may be considered negligible in the United States are taken very seriously by the European Union. (67)

The European emphasis on personal privacy rights (68) may be attributable in part to Third Reich abuses in tracking its target groups with invasive data-collection methods. (69) Today, European nations are more likely to erect broad, prophylactic legislative protections, whereas the United States tends to protect privacy by reacting to crises. (70) The statutory privacy protections that do exist in the United States have historically focused on the public sector, (71) while the EU Data Privacy Directive extends to both public and private sectors alike. (72)

Much of the modern debate over data privacy has focused on sell regulation and technological solutions, rather than legal and regulatory responses. (73) Where the United States has favored self-regulation by business, Europe has preferred strict consumer-protection legislation that is capable of guarding privacy rights across international borders. (74) Not surprisingly, U.S. commentators are also more likely than European commentators to recommend market-based alternatives to legislation and regulation. (75) When the United States does decide to address privacy through laws, it usually applies a "sectoral approach," (76) passing laws to cover particular industries or areas such as credit reporting, (77) education, (78) financial privacy, (79) telephony, (80) cable, (81) and video. (82) In contrast, Europe and nations such as Canada, Australia, and New Zealand have enacted omnibus data privacy laws, "covering the full spectrum of uses of personally identifiable information." (83) The legislation is broad and comprehensive, applying to both public and private sectors. (84) And unlike the United States, some European countries expressly guarantee privacy in their constitutions. (85)

Because Europe has taken the lead in the formation of ambitious, serious privacy legislation, EU law in this field is a fascinating subject for examination and analysis. The following section looks at the centerpiece of modern European privacy controls: the EU Data Privacy Directive.

IV. THE EU DATA PRIVACY DIRECTIVE

The EU Data Privacy Directive is built on a tradition of serious privacy protections. Comprehensive European data privacy legislation dates as far back as 1973, when Sweden passed early, groundbreaking legislation. (86) Trans-European initiatives began as early as 1981, when the Council of Europe solicited signatories to the Convention for the Protection of Individuals With Regard to Automatic Processing of Personal Data. (87) Because this Convention was not self-executing, signature and subsequent ratification varied among European nations so that privacy assurances varied from one country to another. (88)

The European Union set a high global standard in data privacy protection when it forged its Data Privacy Directive, (89) which became effective in October 1998 (90) and created a global model of a rigorous legislative approach to privacy. (91) More specifically, it has been described as "a top-down, mandated ... approach to the issue of data privacy," in contrast to the U.S. "mix of legislation, regulation, and self-regulation." (92) Like all EU Directives, it is not in itself a law; rather, it directs each of the fifteen members of the European Union to enact its own implementing legislation, which need not be identical across Member States in many of its specifics. (93)

The Directive's origins may seem ironic today, considering the threat it poses to the flow of information from the European Union to nations deemed to be non-conforming. (94) According to its preamble, …

Questia, a part of Gale, Cengage Learning. www.questia.com
Publication information: Article title: The European Union Data Privacy Directive and International Relations. Contributors: Salbu, Steven R. - Author. Journal title: Vanderbilt Journal of Transnational Law. Volume: 35. Issue: 2 Publication date: March 2002. Page number: 655+. © 1999 Vanderbilt University, School of Law. COPYRIGHT 2002 Gale Group.

This material is protected by copyright and, with the exception of fair use, may not be further copied, distributed or transmitted in any form or by any means.