Privacy on the Internet: Europe and the US Converge; the Days When Companies Could Do Pretty Much as They Pleased over Privacy Are Disappearing. Pressure from Governments and Customers to Comply with New Rules Is Intensifying

Article excerpt

The internet and e-commerce have transformed the way many companies look at how they conduct business. But the relative ease with which enterprises have been able to move into this arena--in large part because the internet has been essentially unregulated and untaxed--is no longer something executives can take for granted. The United States Congress is moving toward increasing oversight, and the European Union (EU) has already adopted a regulation that will have an impact far beyond European shores.

At the heart of the problem is a fundamental difference in philosophy between Europe and the US over privacy and the role of government regulation. Europeans tend to regard privacy as a fundamental right and that right is enshrined in many of their national constitutions. The United States has always emphasised a market approach and a minimum of government regulation. This difference has now become the focus of a major international law and trade dispute.

European privacy law

The current move to provide greater privacy protection in Europe goes back to the first international effort to protect the privacy of data transmissions. In 1980, the Organisation for Economic Cooperation and Development issued guidelines for regulating transborder information flows which were subsequently signed by most European nations and the US. While not binding on member states, the OECD Guidelines call for national laws protecting privacy and permit restriction of data transmissions if the receiving country does not provide "equivalent" protection for privacy rights.

The culmination of this effort came in 1995 when the EU passed the European Data Privacy Directive (Council Directive 95/46, 1995). The scope of the directive is quite broad. It protects all "personal data" and allows its collection for specific, explicit and identifiable purposes, but does not allow any further processing.

Data collectors must inform the individual of the specific purpose for the recorded information and must keep the information accurate and up to date. Data subjects are guaranteed access to review personal information and they must be given the right to refuse to have their personal data transferred to a third party. In addition, if data is collected for one purpose and is later used for another, the data subject must be notified and given an opportunity to opt out of the second use.

Merely restricting these provisions to companies with a substantial presence in the EU would not have generated the level of concern that the Privacy Directive has produced. Chapter IV of the Directive, however, applies these provisions to any individuals and businesses in the United States who are receiving transfers of personal information from Europe. Data being transferred to a non-EU country must be subject to an "adequate level of protection." The European position has been that "adequate" means equivalent (the same level of) protection. In short, unless other countries adopt the same kind of privacy protection regime, personal data could not be transferred from Europe to those countries.

Implementation of the Privacy Directive will rest primarily with the individual countries within the EU. Each individual nation is under an obligation to pass implementing legislation and enforce these laws against their own citizens and against data controllers in other countries. Each country is required to create or designate at least one public authority to monitor and enforce its privacy laws. As this is written, at least eight of the EU countries have adopted the implementing legislation.

Perhaps even more important is that the EU Directive may define the de facto standards for the rest of the world. The size of the European market may force companies everywhere to meet those standards. To preclude the possibility of a trade war over privacy, other countries such as Canada and Japan have begun to adapt their laws to provide comparable levels of protection. …